Total
1034 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-46827 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | N/A | 3.9 LOW |
| In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. | |||||
| CVE-2022-46751 | 1 Apache | 1 Ivy | 2024-11-21 | N/A | 8.2 HIGH |
| Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide". | |||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2024-11-21 | N/A | 9.8 CRITICAL |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-46300 | 1 Visam | 1 Vbase Automation Base | 2024-11-21 | N/A | 5.5 MEDIUM |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
| CVE-2022-45876 | 1 Visam | 1 Vbase | 2024-11-21 | N/A | 5.5 MEDIUM |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
| CVE-2022-45588 | 1 Talend | 1 Remote Engine Gen 2 | 2024-11-21 | N/A | 7.8 HIGH |
| All versions before R2022-09 of Talend's Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) type of attacks. Users should download the R2022-09 release or later and use it in place of the previous version. Talend Remote Engine Gen 1 and Talend Cloud Engine for Design are not impacted. This XXE vulnerability could only be exploited by someone with the appropriate rights to edit pipelines on the Talend platform. It could not be triggered remotely or by other user input. | |||||
| CVE-2022-45400 | 1 Jenkins | 1 Japex | 2024-11-21 | N/A | 9.8 CRITICAL |
| Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45397 | 1 Jenkins | 1 Osf Builder Suite \ | 2024-11-21 | N/A | 9.8 CRITICAL |
| Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45396 | 1 Jenkins | 1 Sourcemonitor | 2024-11-21 | N/A | 9.8 CRITICAL |
| Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45395 | 1 Jenkins | 1 Cccc | 2024-11-21 | N/A | 9.8 CRITICAL |
| Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45386 | 1 Jenkins | 1 Violations | 2024-11-21 | N/A | 5.5 MEDIUM |
| Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-45326 | 1 Kwoksys | 1 Information Server | 2024-11-21 | N/A | 4.9 MEDIUM |
| An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks. | |||||
| CVE-2022-45194 | 1 Bruhn-newtech | 1 Cbrn-analysis | 2024-11-21 | N/A | 3.8 LOW |
| CBRN-Analysis before 22 allows XXE attacks via am mws XML document, leading to NTLMv2-SSP hash disclosure. | |||||
| CVE-2022-43941 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2024-11-21 | N/A | 7.1 HIGH |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference. | |||||
| CVE-2022-43689 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | N/A | 5.3 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | |||||
| CVE-2022-43570 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | N/A | 8.8 HIGH |
| In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error. | |||||
| CVE-2022-43512 | 1 Visam | 1 Vbase Automation Base | 2024-11-21 | N/A | 5.5 MEDIUM |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | |||||
| CVE-2022-43473 | 1 Zohocorp | 3 Manageengine Opmanager, Manageengine Opmanager Msp, Manageengine Opmanager Plus | 2024-11-21 | N/A | 5.8 MEDIUM |
| A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability. | |||||
| CVE-2022-43430 | 1 Jenkins | 1 Compuware Topaz For Total Test | 2024-11-21 | N/A | 7.5 HIGH |
| Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-43415 | 1 Jenkins | 1 Repo | 2024-11-21 | N/A | 7.5 HIGH |
| Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||