Total
1036 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25215 | 1 Yworks | 1 Yed | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document. | |||||
| CVE-2020-25186 | 1 We-con | 1 Levistudiou | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure. | |||||
| CVE-2020-25020 | 2 Mpxj, Oracle | 2 Mpxj, Primavera Unifier | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components. | |||||
| CVE-2020-24656 | 1 Maltego | 1 Maltego | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Maltego before 4.2.12 allows XXE attacks. | |||||
| CVE-2020-24591 | 1 Wso2 | 5 Api Manager, Api Manager Analytics, Api Microgateway and 2 more | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0. | |||||
| CVE-2020-24589 | 1 Wso2 | 2 Api Manager, Api Microgateway | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks. | |||||
| CVE-2020-24454 | 1 Intel | 1 Quartus Prime | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2020-24379 | 3 Canonical, Debian, Yaws | 3 Ubuntu Linux, Debian Linux, Yaws | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. | |||||
| CVE-2020-24052 | 1 Moog | 4 Exvf5c-2, Exvf5c-2 Firmware, Exvp7c2-3 and 1 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request. | |||||
| CVE-2020-21641 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2024-11-21 | N/A | 7.5 HIGH |
| Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file. | |||||
| CVE-2020-21524 | 1 Halo | 1 Halo | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) needs to parse the xml file, but it is not used for security defense, This vulnerability can detect the intranet, read files, enable ddos attacks, etc. exp:https://github.com/halo-dev/halo/issues/423 | |||||
| CVE-2020-1975 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
| Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions. | |||||
| CVE-2020-1693 | 1 Redhat | 1 Spacewalk | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
| A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server. | |||||
| CVE-2020-19954 | 1 S-cms | 1 S-cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files. | |||||
| CVE-2020-18705 | 1 Quokka Project | 1 Quokka | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. | |||||
| CVE-2020-18703 | 1 Quokka Project | 1 Quokka | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'. | |||||
| CVE-2020-17408 | 1 Nec | 1 Expresscluster X | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-10801. | |||||
| CVE-2020-17376 | 1 Openstack | 1 Nova | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
| An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected. | |||||
| CVE-2020-15772 | 1 Gradle | 1 Enterprise | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery. | |||||
| CVE-2020-15419 | 1 Veeam | 2 One, One Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10710. | |||||