Total
1111 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1187 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 5.0 MEDIUM | 5.5 MEDIUM |
| A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. | |||||
| CVE-2019-1060 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. | |||||
| CVE-2019-1057 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 9.3 HIGH | 7.5 HIGH |
| A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system. To exploit the vulnerability, an attacker could host a specially crafted website designed to invoke MSXML through a web browser. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or instant message that would then take the user to the website. When Internet Explorer parses the XML content, an attacker could run malicious code remotely to take control of the user’s system. The update addresses the vulnerability by correcting how the MSXML parser processes user input. | |||||
| CVE-2019-19998 | 1 Xiuno | 1 Xiunobbs | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. | |||||
| CVE-2019-19702 | 1 Modoboa | 1 Modoboa-dmarc | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain. | |||||
| CVE-2019-19032 | 1 Xmlblueprint | 1 Xmlblueprint | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload. | |||||
| CVE-2019-19031 | 1 Edit-xml | 1 Easy Xml Editor | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. | |||||
| CVE-2019-18943 | 1 Microfocus | 1 Solutions Business Manager | 2024-11-21 | 5.2 MEDIUM | 6.1 MEDIUM |
| Micro Focus Solutions Business Manager versions prior to 11.7.1 are vulnerable to XML External Entity Processing (XXE) on certain operations. | |||||
| CVE-2019-18412 | 1 Jetbrains | 1 Idetalk | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| JetBrains IDETalk plugin before version 193.4099.10 allows XXE | |||||
| CVE-2019-18227 | 1 Advantech | 1 Wise-paas\/rmm | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data. | |||||
| CVE-2019-18213 | 3 Eclipse, Theia Xml Extension Project, Xml Language Server Project | 3 Wild Web Developer, Theia Xml Extension, Xml Server Project | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java. | |||||
| CVE-2019-17637 | 2 Debian, Eclipse | 2 Debian Linux, Web Tools Platform | 2024-11-21 | 5.8 MEDIUM | 7.1 HIGH |
| In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences. | |||||
| CVE-2019-17554 | 1 Apache | 1 Olingo | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks. | |||||
| CVE-2019-17085 | 1 Microfocus | 1 Operations Agent | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| XXE attack vulnerability on Micro Focus Operations Agent, affected version 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11. The vulnerability could be exploited to do an XXE attack on Operations Agent. | |||||
| CVE-2019-17020 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. This vulnerability affects Firefox < 72. | |||||
| CVE-2019-16549 | 1 Jenkins | 1 Maven | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. | |||||
| CVE-2019-16188 | 1 Hcltech | 1 Appscan Source | 2024-11-21 | 5.8 MEDIUM | 7.1 HIGH |
| HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks. | |||||
| CVE-2019-16174 | 1 Limesurvey | 1 Limesurvey | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. | |||||
| CVE-2019-15983 | 1 Cisco | 1 Data Center Network Manager | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the SOAP API of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the DCNM application. The vulnerability exists because the SOAP API improperly handles XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by inserting malicious XML content in an API request. A successful exploit could allow the attacker to read arbitrary files from the affected device. Note: The severity of this vulnerability is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. | |||||
| CVE-2019-15641 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
| xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. | |||||