Filtered by CWE-611
Filtered by vendor Subscriptions
Total 1101 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-40896 2024-12-24 9.1 Critical
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
CVE-2024-56356 2024-12-20 5.9 Medium
In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack
CVE-2021-22501 2024-12-20 N/A
Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation.  The vulnerability could be exploited to confidential information This issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.
CVE-2024-49064 2024-12-20 6.5 Medium
Microsoft SharePoint Information Disclosure Vulnerability
CVE-2024-8602 2024-12-18 N/A
When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Further information on this can be found on the website of the Open Worldwide Application Security Project (OWASP). An attacker could theoretically leverage this by delivering a manipulated PDF file to the target, and depending on the environment, various actions can be executed. These actions include: * Reading files from the operating system * Crashing the thread handling the parsing or causing it to enter an infinite loop * Executing HTTP requests * Loading additional DTDs or XML files * Under certain conditions, executing OS commands
CVE-2024-49535 3 Adobe, Apple, Microsoft 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more 2024-12-18 6.3 Medium
Acrobat Reader versions 24.005.20307, 24.001.30213, 24.001.30193, 20.005.30730, 20.005.30710 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. This vulnerability allows an attacker to provide malicious XML input containing a reference to an external entity, leading to data disclosure or potentially code execution. Exploitation of this issue requires user interaction in that a victim must process a malicious XML document.
CVE-2024-31139 1 Jetbrains 1 Teamcity 2024-12-16 5.9 Medium
In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector
CVE-2023-25926 3 Ibm, Linux, Microsoft 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more 2024-12-13 5.5 Medium
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599.
CVE-2024-55887 2024-12-13 8.6 High
Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted.
CVE-2024-55875 2024-12-13 9.8 Critical
http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue.
CVE-2024-11622 1 Hpe 1 Insight Remote Support 2024-12-12 7.3 High
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
CVE-2024-53674 1 Hpe 1 Insight Remote Support 2024-12-12 7.3 High
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
CVE-2024-53675 1 Hpe 1 Insight Remote Support 2024-12-12 7.3 High
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
CVE-2024-46455 2024-12-12 9.8 Critical
unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.
CVE-2024-25606 1 Liferay 2 Digital Experience Platform, Liferay Portal 2024-12-11 8 High
XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
CVE-2024-47582 2024-12-10 5.3 Medium
Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of the application.
CVE-2023-36419 1 Microsoft 1 Azure Hdinsights 2024-12-10 8.8 High
Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability
CVE-2023-32706 1 Splunk 2 Splunk, Splunk Cloud Platform 2024-12-10 7.7 High
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.
CVE-2024-54005 2024-12-10 5.1 Medium
A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by injecting malicious data into the communication channel between the two systems.
CVE-2024-49704 2024-12-10 5.5 Medium
A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All versions < V10.4.4.1.21). The Generic Data Mapper, the Engineering Adapter, and the Engineering Interface improperly handle XML External Entity (XXE) entries when parsing configuration and mapping files. This could allow an attacker to extract any file with a known location on the user's system or accessible network folders by persuading a user to use a maliciously crafted configuration or mapping file in one of the affected components.