Total
1153 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-1308 | 2 Apache, Debian | 2 Solr, Debian Linux | 2024-11-21 | N/A |
| This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. | ||||
| CVE-2018-1307 | 1 Apache | 1 Juddi | 2024-11-21 | N/A |
| In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5. | ||||
| CVE-2018-1285 | 4 Apache, Fedoraproject, Netapp and 1 more | 7 Log4net, Fedora, Manageability Software Development Kit and 4 more | 2024-11-21 | 9.8 Critical |
| Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. | ||||
| CVE-2018-1259 | 3 Pivotal Software, Redhat, Xmlbeam | 5 Spring Data Commons, Spring Data Rest, Jboss Fuse and 2 more | 2024-11-21 | N/A |
| Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system. | ||||
| CVE-2018-1247 | 1 Rsa | 1 Authentication Manager | 2024-11-21 | N/A |
| RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application. | ||||
| CVE-2018-1183 | 1 Dell | 16 Emc Smis, Emc Solutions Enabler Virtual Appliance, Emc Unisphere and 13 more | 2024-11-21 | N/A |
| In Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.8, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.8, Dell EMC VASA Provider Virtual Appliance versions prior to 8.4.0.512, Dell EMC SMIS versions prior to 8.4.0.6, Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4.0.347, Dell EMC VNX2 Operating Environment (OE) for File versions prior to 8.1.9.231, Dell EMC VNX2 Operating Environment (OE) for Block versions prior to 05.33.009.5.231, Dell EMC VNX1 Operating Environment (OE) for File versions prior to 7.1.82.0, Dell EMC VNX1 Operating Environment (OE) for Block versions prior to 05.32.000.5.225, Dell EMC VNXe3200 Operating Environment (OE) all versions, Dell EMC VNXe1600 Operating Environment (OE) versions prior to 3.1.9.9570228, Dell EMC VNXe 3100/3150/3300 Operating Environment (OE) all versions, Dell EMC ViPR SRM versions 3.7, 3.7.1, 3.7.2 (only if using Dell EMC Host Interface for Windows), Dell EMC ViPR SRM versions 4.0, 4.0.1, 4.0.2, 4.0.3 (only if using Dell EMC Host Interface for Windows), Dell EMC XtremIO versions 4.x, Dell EMC VMAX eNAS version 8.x, Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522077968, ECOM is affected by a XXE injection vulnerability due to the configuration of the XML parser shipped with the product. XXE Injection attack may occur when XML input containing a reference to an external entity (defined by the attacker) is processed by an affected XML parser. XXE Injection may allow attackers to gain unauthorized access to files containing sensitive information or may be used to cause denial-of-service. | ||||
| CVE-2018-1077 | 1 Redhat | 2 Satellite, Spacewalk | 2024-11-21 | N/A |
| Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server. | ||||
| CVE-2018-19858 | 1 Princexml | 1 Princexml | 2024-11-21 | N/A |
| PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XML and parse it, thus giving an attacker file-read access and full-fledged SSRF. | ||||
| CVE-2018-19371 | 1 Sdl | 1 Web Content Manager | 2024-11-21 | N/A |
| The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system. | ||||
| CVE-2018-19244 | 1 Charlesproxy | 1 Charles | 2024-11-21 | N/A |
| An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked. | ||||
| CVE-2018-18980 | 1 Zohocorp | 2 Manageengine Network Configuration Manager, Manageengine Opmanager | 2024-11-21 | N/A |
| An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. | ||||
| CVE-2018-18737 | 1 Douchat | 1 Douchat | 2024-11-21 | N/A |
| An XXE issue was discovered in Douchat 4.0.4 because Data\notify.php calls simplexml_load_string. This can also be used for SSRF. | ||||
| CVE-2018-18659 | 1 Arcserve | 1 Udp | 2024-11-21 | N/A |
| An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue. | ||||
| CVE-2018-18471 | 4 Axentra, Medion, Netgear and 1 more | 4 Hipserv, Lifecloud, Stora and 1 more | 2024-11-21 | N/A |
| /api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device. | ||||
| CVE-2018-18406 | 1 Tufin | 2 Securetrack, Tufinos | 2024-11-21 | N/A |
| An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 build 1179(Final). The Audit Report module is affected by a blind XXE vulnerability when a new Best Practices Report is saved using a special payload inside the xml input field. The XXE vulnerability is blind since the response doesn't directly display a requested file, but rather returns it inside the name data field when the report is saved. An attacker is able to view restricted operating system files. This issue affects all types of users: administrators or normal users. | ||||
| CVE-2018-17912 | 1 Sauter-controls | 1 Case Suite | 2024-11-21 | N/A |
| An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure. | ||||
| CVE-2018-17889 | 1 We-con | 2 Pi Studio, Pi Studio Hmi | 2024-11-21 | N/A |
| In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior when parsing project files, the XMLParser that ships with Wecon PIStudio is vulnerable to a XML external entity injection attack, which may allow sensitive information disclosure. | ||||
| CVE-2018-17411 | 1 Informationbuilders | 1 Data Quality Suite | 2024-11-21 | N/A |
| An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20. | ||||
| CVE-2018-17289 | 1 Kofax | 1 Front Office Server | 2024-11-21 | N/A |
| An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration (.ZIP file) within the Kofax/KFS/Admin/PackageService/package/upload file parameter. | ||||
| CVE-2018-17247 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | N/A |
| Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to. | ||||