Total
1131 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-28965 | 3 Fedoraproject, Redhat, Ruby-lang | 7 Fedora, Enterprise Linux, Rhel E4s and 4 more | 2024-11-21 | 7.5 High |
| The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. | ||||
| CVE-2021-28684 | 1 Powerarchiver | 1 Powerarchiver | 2024-11-21 | 4.3 Medium |
| The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack). | ||||
| CVE-2021-28110 | 1 Compassplus | 1 Tranzware E-commerce Payment Gateway | 2024-11-21 | 7.5 High |
| /exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. | ||||
| CVE-2021-27931 | 1 Lumis | 1 Lumis Experience Platform | 2024-11-21 | 9.1 Critical |
| LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service. | ||||
| CVE-2021-27777 | 1 Hcltech | 1 Unica | 2024-11-21 | 7.5 High |
| XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references. | ||||
| CVE-2021-27741 | 1 Hcltechsw | 1 Hcl Commerce | 2024-11-21 | 9.1 Critical |
| " Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection" | ||||
| CVE-2021-27736 | 1 Fusionauth | 1 Saml V2 | 2024-11-21 | 6.5 Medium |
| FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely. | ||||
| CVE-2021-27635 | 1 Sap | 1 Netweaver Application Server For Java | 2024-11-21 | 6.5 Medium |
| SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity. | ||||
| CVE-2021-27604 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 6.5 Medium |
| In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note. | ||||
| CVE-2021-27492 | 3 Datakit, Luxion, Siemens | 6 Crosscadware, Keyshot, Solid Edge Se2020 and 3 more | 2024-11-21 | 5.5 Medium |
| When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external DTD. | ||||
| CVE-2021-27184 | 1 Pelco | 1 Digital Sentry Server | 2024-11-21 | 7.5 High |
| Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed. | ||||
| CVE-2021-26969 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 6.5 Medium |
| A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition. | ||||
| CVE-2021-26703 | 1 Eprints | 1 Eprints | 2024-11-21 | 9.8 Critical |
| EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI. | ||||
| CVE-2021-25951 | 1 Xml2dict Project | 1 Xml2dict | 2024-11-21 | 7.5 High |
| XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. | ||||
| CVE-2021-25165 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 8.1 High |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | ||||
| CVE-2021-25164 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 6.5 Medium |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | ||||
| CVE-2021-25163 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 8.1 High |
| A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | ||||
| CVE-2021-23899 | 1 Owasp | 1 Json-sanitizer | 2024-11-21 | 9.8 Critical |
| OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents. | ||||
| CVE-2021-23792 | 1 Twelvemonkeys Project | 1 Twelvemonkeys | 2024-11-21 | 7.3 High |
| The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered. | ||||
| CVE-2021-23463 | 1 H2database | 1 H2 | 2024-11-21 | 8.1 High |
| The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. | ||||