Total: 1035 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-17912 | 1 Sauter-controls | 1 Case Suite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.
CVE-2018-17889 | 1 We-con | 2 Pi Studio, Pi Studio Hmi | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM | In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior when parsing project files, the XMLParser that ships with Wecon PIStudio is vulnerable to an XML external entity injection attack, which may allow sensitive information disclosure.
CVE-2018-17411 | 1 Informationbuilders | 1 Data Quality Suite | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20.
CVE-2018-17289 | 1 Kofax | 1 Front Office Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration (.ZIP file) within the Kofax/KFS/Admin/PackageService/package/upload file parameter.
CVE-2018-17247 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
CVE-2018-17186 | 1 Apache | 1 Syncope | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
CVE-2018-17169 | 1 Printeron | 1 Printeron | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH | An XML external entity (XXE) vulnerability in PrinterOn version 4.1.4 and lower allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
CVE-2018-17152 | 1 Intersystems | 1 Cache | 2024-11-21 | 5.5 MEDIUM | 6.4 MEDIUM | Intersystems Cache 2017.2.2.865.0 allows XXE.
CVE-2018-16792 | 1 Solarwinds | 1 Sftp/scp Server | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data.
CVE-2018-16521 | 1 Openmrs | 2 Html Form Entry, Reference Application | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.
CVE-2018-16303 | 1 Tracker-software | 1 Pdf-xchange Editor | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564.
CVE-2018-16252 | 1 Fspro | 1 Event Log Explorer | 2024-11-21 | 2.1 LOW | 3.3 LOW | FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection.
CVE-2018-16166 | 1 Jpcert | 1 Logontracer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
CVE-2018-15805 | 1 Accusoft | 1 Prizmdoc | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource consumption).
CVE-2018-15531 | 1 Javamelody Project | 1 Javamelody | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
CVE-2018-15506 | 1 Bubblesoftapps | 1 Bubbleupnp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
CVE-2018-15444 | 1 Cisco | 1 Energy Management Suite Software | 2024-11-21 | 4.9 MEDIUM | 6.3 MEDIUM | A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.
CVE-2018-15362 | 1 Ge | 1 Cimplicity | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0.
CVE-2018-14720 | 4 Debian, Fasterxml, Oracle and 1 more | 12 Debian Linux, Jackson-databind, Banking Platform and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14485 | 1 Blogengine | 1 Blogengine.net | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.