Total: 1101 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-26999 | 1 Netscout | 1 Ngeniusone | 2024-11-21 | 9.8 Critical | An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file.
CVE-2023-26461 | 1 Sap | 1 Netweaver Enterprise Portal | 2024-11-21 | 6.8 Medium | SAP NetWeaver (SAP Enterprise Portal) version 7.50 allows an authenticated attacker with sufficient privileges to access the XML parser and submit a crafted XML file which, when parsed, enables them to access but not modify sensitive files and data. It allows the attacker to view sensitive data owned by certain privileges.
CVE-2023-26267 | 1 Php-saml-sp Project | 1 Php-saml-sp | 2024-11-21 | 6.5 Medium | php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD \| \LIBXML_DTDATTR.
CVE-2023-26264 | 1 Talend | 1 Data Catalog | 2024-11-21 | 5.5 Medium | All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code.
CVE-2023-26263 | 1 Talend | 1 Data Catalog | 2024-11-21 | 5.5 Medium | All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.
CVE-2023-26058 | 1 Nokia | 1 Netact | 2024-11-21 | 6.5 Medium | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
CVE-2023-26057 | 1 Nokia | 1 Netact | 2024-11-21 | 6.5 Medium | An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.
CVE-2023-26043 | 1 Geosolutionsgroup | 1 Geonode | 2024-11-21 | 6.5 Medium | GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer, leading to arbitrary file read. This issue has been patched in version 4.0.3.
CVE-2023-25955 | 1 Mlit | 1 National Land Numerical Information Data Conversion Tool | 2024-11-21 | 5.5 Medium | National land numerical information data conversion tool, all versions, improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.
CVE-2023-24620 | 1 Esotericsoftware | 1 Yamlbeans | 2024-11-21 | 5.5 Medium | An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able to perform an XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.
CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2024-11-21 | 9.1 Critical | Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0.
CVE-2023-24443 | 1 Jenkins | 1 Testcomplete Support | 2024-11-21 | 9.8 Critical | Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24441 | 1 Jenkins | 1 Mstest | 2024-11-21 | 9.8 Critical | Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24430 | 1 Jenkins | 1 Semantic Versioning | 2024-11-21 | 9.8 Critical | Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
CVE-2023-24429 | 1 Jenkins | 1 Semantic Versioning | 2024-11-21 | 9.8 Critical | Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations on the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVE-2023-24323 | 1 Mojoportal | 1 Mojoportal | 2024-11-21 | 8.8 High | Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.
CVE-2023-24189 | 1 Bstek | 1 Urule | 2024-11-21 | 9.8 Critical | An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to /urule/common/saveFile.
CVE-2023-24187 | 1 Ureport Project | 1 Ureport | 2024-11-21 | 7.8 High | An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile.
CVE-2023-23926 | 1 Neo4j | 1 Awesome Procedures On Cyper | 2024-11-21 | 5.9 Medium | APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely, although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, that the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in their system.
CVE-2023-23595 | 1 Bluecatnetworks | 1 Device Registration Portal | 2024-11-21 | 7.5 High | BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.