Total
1035 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7426 | 1 Netiq | 1 Identity Manager | 2024-11-21 | 6.4 MEDIUM | 5.4 MEDIUM |
| The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks. | |||||
| CVE-2017-7375 | 3 Debian, Google, Xmlsoft | 3 Debian Linux, Android, Libxml2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). | |||||
| CVE-2017-6895 | 1 Usb Pratirodh Project | 1 Usb Pratirodh | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| USB Pratirodh allows remote attackers to conduct XML External Entity (XXE) attacks via XML data in usb.xml. | |||||
| CVE-2017-6662 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker must have valid user credentials. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries which could allow the attacker to read and write files and execute remote code within the application, aka XML Injection. Cisco Prime Infrastructure software releases 1.1 through 3.1.6 are vulnerable. Cisco EPNM software releases 1.2, 2.0, and 2.1 are vulnerable. Cisco Bug IDs: CSCvc23894 CSCvc49561. | |||||
| CVE-2017-6344 | 1 Grails | 1 Pdf Plugin | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document. | |||||
| CVE-2017-6323 | 1 Symantec | 1 Management Console | 2024-11-21 | 5.2 MEDIUM | 8.0 HIGH |
| The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. | |||||
| CVE-2017-6055 | 1 Eparaksts | 1 Eparakstitajs 3 | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file. | |||||
| CVE-2017-5992 | 1 Python | 1 Openpyxl | 2024-11-21 | 5.8 MEDIUM | 8.2 HIGH |
| Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document. | |||||
| CVE-2017-5828 | 1 Hp | 1 Aruba Clearpass Policy Manager | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An arbitrary command execution vulnerability in HPE Aruba ClearPass Policy Manager version 6.6.x was found. | |||||
| CVE-2017-5662 | 1 Apache | 1 Batik | 2024-11-21 | 7.9 HIGH | 7.3 HIGH |
| In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. | |||||
| CVE-2017-5661 | 1 Apache | 1 Formatting Objects Processor | 2024-11-21 | 7.9 HIGH | 7.3 HIGH |
| In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. | |||||
| CVE-2017-3839 | 1 Cisco | 1 Secure Access Control System | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5). | |||||
| CVE-2017-3811 | 1 Cisco | 1 Webex Meetings Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An XML External Entity vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc39165. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.2054. | |||||
| CVE-2017-3548 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L). | |||||
| CVE-2017-3208 | 1 Themidnightcoders | 1 Weborb For Java | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. | |||||
| CVE-2017-3206 | 1 Exadel | 1 Flamingo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. | |||||
| CVE-2017-2815 | 1 Igniterealtime | 1 User Import Export | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability. | |||||
| CVE-2017-2308 | 1 Juniper | 1 Junos Space | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| An XML External Entity Injection vulnerability in Juniper Networks Junos Space versions prior to 16.1R1 may allow an authenticated user to read arbitrary files on the device. | |||||
| CVE-2017-20151 | 1 Itextpdf | 1 Rups | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The patch is identified as ac5590925874ef810018a6b60fec216eee54fb32. It is recommended to apply a patch to fix this issue. VDB-217054 is the identifier assigned to this vulnerability. | |||||
| CVE-2017-1758 | 1 Ibm | 3 Control Center, Financial Transaction Manager, Transformation Extender Advanced | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859. | |||||