Search Results (1303 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-11390 1 Trendmicro 1 Control Manager 2025-04-20 N/A
XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.
CVE-2017-1149 1 Ibm 1 Urbancode Deploy 2025-04-20 N/A
IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 122202.
CVE-2017-11286 1 Adobe 1 Coldfusion 2025-04-20 7.5 High
Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
CVE-2017-11272 1 Adobe 1 Digital Editions 2025-04-20 N/A
Adobe Digital Editions 4.5.4 and earlier has a security bypass vulnerability.
CVE-2017-10889 1 Tablepress 1 Tablepress 2025-04-20 N/A
TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.
CVE-2017-10617 1 Juniper 1 Contrail 2025-04-20 5 Medium
The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
CVE-2017-1000021 1 Logicaldoc 1 Logicaldoc 2025-04-20 N/A
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.
CVE-2017-0170 1 Microsoft 6 Windows 10, Windows 7, Windows 8.1 and 3 more 2025-04-20 N/A
Windows Performance Monitor in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability due to the way it parses XML input, aka "Windows Performance Monitor Information Disclosure Vulnerability".
CVE-2015-7241 1 Sap 1 Netweaver 2025-04-20 N/A
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
CVE-2015-7273 1 Dell 3 Integrated Remote Access Controller 7, Integrated Remote Access Controller 8, Integrated Remote Access Controller Firmware 2025-04-20 N/A
Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.
CVE-2015-7326 1 Milton 1 Webdav 2025-04-20 N/A
XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.
CVE-2016-8739 2 Apache, Redhat 3 Cxf, Jboss Amq, Jboss Fuse 2025-04-20 N/A
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
CVE-2017-9458 1 Paloaltonetworks 1 Pan-os 2025-04-20 N/A
XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors.
CVE-2017-12620 1 Apache 1 Opennlp 2025-04-20 N/A
When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.
CVE-2017-12621 1 Apache 1 Commons Jelly 2025-04-20 9.8 Critical
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
CVE-2017-12623 1 Apache 1 Nifi 2025-04-20 N/A
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
CVE-2017-12629 4 Apache, Canonical, Debian and 1 more 9 Solr, Ubuntu Linux, Debian Linux and 6 more 2025-04-20 9.8 Critical
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.
CVE-2017-13706 1 Lansweeper 1 Lansweeper 2025-04-20 N/A
XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.
CVE-2017-14101 1 Changehealthcare 1 Conserus Image Repository 2025-04-20 N/A
A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker.
CVE-2017-14526 1 Opentext 2 Documentum Administrator, Documentum Webtop 2025-04-20 N/A
Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.