Total
1036 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15418 | 1 Veeam | 2 One, One Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10709. | |||||
| CVE-2020-15352 | 2 Ivanti, Pulsesecure | 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | |||||
| CVE-2020-15232 | 1 Mapfish | 1 Print | 2024-11-21 | 6.4 MEDIUM | 9.3 CRITICAL |
| In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style. | |||||
| CVE-2020-14940 | 1 Herac | 1 Tuxguitar | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar 1.5.4. It uses misconfigured XML parsers, leading to XXE while loading GP6 (.gpx) and GP7 (.gp) tablature files. | |||||
| CVE-2020-14478 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2024-11-21 | 5.6 MEDIUM | 7.1 HIGH |
| A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services. | |||||
| CVE-2020-14379 | 1 Redhat | 1 Jboss A-mq | 2024-11-21 | N/A | 5.6 MEDIUM |
| A flaw was found in Red Hat AMQ Broker in a way that a XEE attack can be done via Broker's configuration files, leading to denial of service and information disclosure. | |||||
| CVE-2020-14204 | 1 Ibi | 1 Webfocus Business Intelligence | 2024-11-21 | 5.8 MEDIUM | 8.2 HIGH |
| In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal allows remote attackers to read arbitrary local files or forge server-side HTTP requests via a crafted HTTP request to /ibi_apps/WFServlet.cfg because XML external entity injection is possible. This is related to making changes to the application repository configuration. | |||||
| CVE-2020-14029 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be used to perform SSRF or read arbitrary local files. | |||||
| CVE-2020-13940 | 1 Apache | 1 Nifi | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). | |||||
| CVE-2020-13883 | 1 Wso2 | 3 Api Manager, Api Microgateway, Identity Server As Key Manager | 2024-11-21 | 6.5 MEDIUM | 6.7 MEDIUM |
| In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle. | |||||
| CVE-2020-13692 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 2 more | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | |||||
| CVE-2020-12719 | 1 Wso2 | 7 Api Manager, Api Manager Analytics, Api Microgateway and 4 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. | |||||
| CVE-2020-12684 | 1 Inetsoftware | 1 I-net Clear Reports | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser. | |||||
| CVE-2020-12642 | 1 Reportportal | 1 Service-api | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. | |||||
| CVE-2020-12025 | 1 Rockwellautomation | 1 Studio 5000 Logix Designer | 2024-11-21 | 4.3 MEDIUM | 3.3 LOW |
| Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program. | |||||
| CVE-2020-11991 | 1 Apache | 1 Cocoon | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system. | |||||
| CVE-2020-11885 | 1 Wso2 | 1 Enterprise Integrator | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file. | |||||
| CVE-2020-11586 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data. | |||||
| CVE-2020-11541 | 1 Techsmith | 1 Snagit | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account. | |||||
| CVE-2020-10993 | 1 Osmand | 1 Osmand | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java. | |||||