ReportizFlow
Filtered by vendor
Subscriptions
Total
1101 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-22832 | 1 Apache | 1 Nifi | 2024-11-21 | 7.5 High |
| The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | ||||
| CVE-2023-22624 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2024-11-21 | 7.5 High |
| Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks. | ||||
| CVE-2023-22377 | 1 Fujitsu | 2 Tsclinical Define.xml Generator, Tsclinical Metadata Desktop Tools | 2024-11-21 | 7.4 High |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0) and tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0. If this vulnerability is exploited, an attacker may obtain an arbitrary file which meets a certain condition by reading a specially crafted XML file. | ||||
| CVE-2023-22322 | 1 Omron | 1 Cx-motion Pro | 2024-11-21 | 5.5 Medium |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed. | ||||
| CVE-2023-22274 | 2 Adobe, Microsoft | 2 Robohelp Server, Windows | 2024-11-21 | 7.5 High |
| Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction. | ||||
| CVE-2023-21862 | 1 Oracle | 1 Web Services Manager | 2024-11-21 | 8.1 High |
| Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware (component: XML Security component). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Services Manager. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Web Services Manager accessible data as well as unauthorized access to critical data or complete access to all Oracle Web Services Manager accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). | ||||
| CVE-2023-20918 | 1 Google | 1 Android | 2024-11-21 | 9.8 Critical |
| In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-20855 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2024-11-21 | 8.8 High |
| VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges. | ||||
| CVE-2023-20174 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 4.9 Medium |
| Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2023-20173 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 4.9 Medium |
| Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2023-20052 | 3 Cisco, Clamav, Stormshield | 4 Secure Endpoint, Secure Endpoint Private Cloud, Clamav and 1 more | 2024-11-21 | 5.3 Medium |
| On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process. | ||||
| CVE-2023-20030 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 6 Medium |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials. | ||||
| CVE-2023-1288 | 1 3ds | 1 Enovia Live Collaboration | 2024-11-21 | 6.8 Medium |
| An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows an attacker to read local files on the server. | ||||
| CVE-2023-0871 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | 5.4 Medium |
| XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter and Moshe Apelbaum for reporting this issue. | ||||
| CVE-2022-4818 | 1 Talend | 1 Open Studio For Mdm | 2024-11-21 | 5.5 Medium |
| A vulnerability was found in Talend Open Studio for MDM. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java. The manipulation leads to xml external entity reference. Upgrading to version 20221220_1938 is able to address this issue. The name of the patch is 95590db2ad6a582c371273ceab1a73ad6ed47853. It is recommended to upgrade the affected component. The identifier VDB-216997 was assigned to this vulnerability. | ||||
| CVE-2022-4607 | 1 Tum | 1 Ogc Web Feature Service | 2024-11-21 | 5.5 Medium |
| A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.2.1 is able to address this issue. The name of the patch is 246f4e2a97ad81491c00a7ed72ce5e7c7f75050a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216215. | ||||
| CVE-2022-4245 | 2 Codehaus-plexus, Redhat | 23 Plexus-utils, A Mq Clients, Amq Broker and 20 more | 2024-11-21 | 4.3 Medium |
| A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. | ||||
| CVE-2022-48565 | 3 Debian, Python, Redhat | 3 Debian Linux, Python, Enterprise Linux | 2024-11-21 | 9.8 Critical |
| An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. | ||||
| CVE-2022-47873 | 1 Netcad | 1 Keos | 2024-11-21 | 9.8 Critical |
| Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote). | ||||
| CVE-2022-47514 | 1 Xml-rpc.net Project | 1 Xml-rpc.net | 2024-11-21 | 8.8 High |
| An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request. | ||||