Total
1131 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40239 | 1 Lexmark | 164 C2132, C2132 Firmware, Cs310 and 161 more | 2024-11-21 | 7.5 High |
| Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure. The fixed firmware version is LW80.*.P246, i.e., '*' indicates that the full version specification varies across product model family, but firmware level P246 (or higher) is required to remediate the vulnerability. | ||||
| CVE-2023-3892 | 1 Mimsoftware | 2 Assistant, Client | 2024-11-21 | 5.6 Medium |
| Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software's internal security team. We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892 https://www.mimsoftware.com/cve-2023-3892 This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3. | ||||
| CVE-2023-38490 | 1 Getkirby | 1 Kirby | 2024-11-21 | 6.8 Medium |
| Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods. XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF). Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Both the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process. Kirby sites that don't use XML parsing in site or plugin code are *not* affected. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability. | ||||
| CVE-2023-38343 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 7.5 High |
| An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery. | ||||
| CVE-2023-37942 | 1 Jenkins | 1 External Monitor Job Type | 2024-11-21 | 6.5 Medium |
| Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-37497 | 1 Hcltech | 1 Unica | 2024-11-21 | 8.1 High |
| The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend service. | ||||
| CVE-2023-37364 | 1 Ws-inc | 1 J Wbem | 2024-11-21 | 9.1 Critical |
| In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. This allows context-dependent attackers to read arbitrary files or cause a denial of service, a similar issue to CVE-2013-4152. | ||||
| CVE-2023-37200 | 1 Se | 1 Ecostruxure Opc Ua Server Expert | 2024-11-21 | 5.5 Medium |
| A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual restart of the server. | ||||
| CVE-2023-35892 | 1 Ibm | 1 Financial Transaction Manager | 2024-11-21 | 7.1 High |
| IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786. | ||||
| CVE-2023-32639 | 1 Moj | 1 Applicant Programme | 2024-11-21 | 5.5 Medium |
| Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | ||||
| CVE-2023-32635 | 1 Edinet-fsa | 1 Xbrl Data Create | 2024-11-21 | 5.5 Medium |
| XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker. | ||||
| CVE-2023-32567 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 9.8 Critical |
| Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236 | ||||
| CVE-2023-32327 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2024-11-21 | 7.1 High |
| IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783. | ||||
| CVE-2023-30951 | 1 Palantir | 1 Magritte-rest-source-bundle | 2024-11-21 | 6.3 Medium |
| The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). | ||||
| CVE-2023-26999 | 1 Netscout | 1 Ngeniusone | 2024-11-21 | 9.8 Critical |
| An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. | ||||
| CVE-2023-24620 | 1 Esotericsoftware | 1 Yamlbeans | 2024-11-21 | 5.5 Medium |
| An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception. | ||||
| CVE-2023-24443 | 1 Jenkins | 1 Testcomplete Support | 2024-11-21 | 9.8 Critical |
| Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-24441 | 1 Jenkins | 1 Mstest | 2024-11-21 | 9.8 Critical |
| Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-24430 | 1 Jenkins | 1 Semantic Versioning | 2024-11-21 | 9.8 Critical |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-24429 | 1 Jenkins | 1 Semantic Versioning | 2024-11-21 | 9.8 Critical |
| Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | ||||