Total
1111 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22832 | 1 Apache | 1 Nifi | 2025-03-24 | N/A | 7.5 HIGH |
| The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor. | |||||
| CVE-2025-25036 | 2025-03-21 | N/A | 6.8 MEDIUM | ||
| Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8). | |||||
| CVE-2023-24187 | 1 Ureport Project | 1 Ureport | 2025-03-20 | N/A | 7.8 HIGH |
| An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile. | |||||
| CVE-2023-22377 | 1 Fujitsu | 2 Tsclinical Define.xml Generator, Tsclinical Metadata Desktop Tools | 2025-03-19 | N/A | 7.4 HIGH |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0) and tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0. If this vulnerability is exploited, an attacker may obtain an arbitrary file which meets a certain condition by reading a specially crafted XML file. | |||||
| CVE-2021-33950 | 1 Openkm | 1 Openkm | 2025-03-18 | N/A | 7.5 HIGH |
| An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function. | |||||
| CVE-2023-20855 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2025-03-17 | N/A | 8.8 HIGH |
| VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges. | |||||
| CVE-2025-2365 | 2025-03-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2019-13608 | 1 Citrix | 1 Storefront Server | 2025-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks. | |||||
| CVE-2024-45490 | 1 Libexpat Project | 1 Libexpat | 2025-03-14 | N/A | 7.5 HIGH |
| An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. | |||||
| CVE-2023-26267 | 1 Php-saml-sp Project | 1 Php-saml-sp | 2025-03-14 | N/A | 6.5 MEDIUM |
| php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR. | |||||
| CVE-2023-39472 | 1 Inductiveautomation | 1 Ignition | 2025-03-13 | N/A | 6.5 MEDIUM |
| Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the SYSTEM. . Was ZDI-CAN-17571. | |||||
| CVE-2024-21255 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2025-03-13 | N/A | 8.8 HIGH |
| Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: XMLPublisher). Supported versions that are affected are 8.59, 8.60 and 8.61. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2025-0162 | 1 Ibm | 1 Aspera Shares | 2025-03-13 | N/A | 7.1 HIGH |
| IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||
| CVE-2023-24189 | 1 Bstek | 1 Urule | 2025-03-12 | N/A | 9.8 CRITICAL |
| An XML External Entity (XXE) vulnerability in urule v2.1.7 allows attackers to execute arbitrary code via uploading a crafted XML file to /urule/common/saveFile. | |||||
| CVE-2023-51605 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2025-03-12 | N/A | 6.5 MEDIUM |
| Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. . Was ZDI-CAN-18644. | |||||
| CVE-2023-51604 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2025-03-12 | N/A | 6.5 MEDIUM |
| Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. . Was ZDI-CAN-18593. | |||||
| CVE-2023-51602 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2025-03-12 | N/A | 6.5 MEDIUM |
| Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. . Was ZDI-CAN-18591. | |||||
| CVE-2023-51601 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2025-03-12 | N/A | 6.5 MEDIUM |
| Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of xml files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. . Was ZDI-CAN-18563. | |||||
| CVE-2023-51600 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2025-03-12 | N/A | 6.5 MEDIUM |
| Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. . Was ZDI-CAN-18456. | |||||
| CVE-2024-49781 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-03-11 | N/A | 7.1 HIGH |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | |||||