Total
1131 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-35389 | 1 Microsoft | 1 Dynamics 365 | 2025-02-27 | 6.5 Medium |
| Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | ||||
| CVE-2023-26461 | 1 Sap | 1 Netweaver Enterprise Portal | 2025-02-27 | 6.8 Medium |
| SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges. | ||||
| CVE-2023-28685 | 1 Jenkins | 1 Absint A3 | 2025-02-26 | 7.1 High |
| Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-27874 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2025-02-26 | 9.9 Critical |
| IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845. | ||||
| CVE-2018-25082 | 1 Wechat Sdk Python Project | 1 Wechat Sdk Python | 2025-02-26 | 6.3 Medium |
| A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The patch is named e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403. | ||||
| CVE-2023-28682 | 1 Jenkins | 1 Performance Publisher | 2025-02-25 | 8.2 High |
| Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-28681 | 1 Jenkins | 1 Visual Studio Code Metrics | 2025-02-25 | 8.2 High |
| Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-28680 | 1 Jenkins | 1 Crap4j | 2025-02-25 | 7.5 High |
| Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-27480 | 1 Xwiki | 1 Xwiki | 2025-02-25 | 7.7 High |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually. | ||||
| CVE-2023-27476 | 1 Osgeo | 1 Owslib | 2025-02-25 | 8.2 High |
| OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details. | ||||
| CVE-2019-9670 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-02-25 | 9.8 Critical |
| mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml. | ||||
| CVE-2024-54171 | 2025-02-22 | 7.1 High | ||
| IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | ||||
| CVE-2024-49352 | 2025-02-22 | 7.1 High | ||
| IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | ||||
| CVE-2023-28683 | 1 Jenkins | 1 Phabricator Differential | 2025-02-21 | 8.2 High |
| Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-28684 | 1 Jenkins | 1 Remote-jobs-view | 2025-02-20 | 6.5 Medium |
| Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2023-28152 | 1 Independentsoft | 1 Jword | 2025-02-19 | 5.3 Medium |
| An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | ||||
| CVE-2023-28151 | 1 Independentsoft | 1 Jspreadsheet | 2025-02-19 | 5.3 Medium |
| An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | ||||
| CVE-2023-28150 | 1 Independentsoft | 1 Jodf | 2025-02-19 | 5.3 Medium |
| An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | ||||
| CVE-2023-47160 | 2025-02-19 | 8.2 High | ||
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | ||||
| CVE-2022-36969 | 1 Aveva | 1 Aveva Edge | 2025-02-18 | 7.1 High |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the LoadImportedLibraries method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. Was ZDI-CAN-17394. | ||||