Total
1150 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-23195 | 2025-01-22 | 7.5 High | ||
| An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch. | ||||
| CVE-2024-3486 | 1 Microfocus | 1 Imanager | 2025-01-21 | 7.8 High |
| XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to information disclosure and remote code execution. | ||||
| CVE-2024-3969 | 1 Microfocus | 1 Imanager | 2025-01-21 | 7.8 High |
| XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to remote code execution by parsing untrusted XML payload | ||||
| CVE-2022-46300 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-45468 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-45121 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-43512 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-41696 | 1 Visam | 1 Vbase Automation Base | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-45876 | 1 Visam | 1 Vbase | 2025-01-17 | 5.5 Medium |
| Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. | ||||
| CVE-2022-41221 | 1 Opentext | 1 Archive Center Administration | 2025-01-17 | 7.1 High |
| The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (Versions 16.2.3, 21.2, and older versions) could upload XML files to the application that it did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance and system of the user running it. | ||||
| CVE-2024-4357 | 1 Progress | 1 Telerik Reporting | 2025-01-16 | 6.5 Medium |
| An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing. | ||||
| CVE-2024-12298 | 2025-01-14 | 5.5 Medium | ||
| We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer. | ||||
| CVE-2023-34411 | 1 Xml Library Project | 1 Xml Library | 2025-01-08 | 7.5 High |
| The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9. | ||||
| CVE-2023-46590 | 1 Siemens | 1 Siemens Opc Ua Modeling Editor | 2025-01-08 | 7.5 High |
| A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from a XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system. | ||||
| CVE-2023-24470 | 1 Microfocus | 1 Arcsight Logger | 2025-01-06 | 9.1 Critical |
| Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. | ||||
| CVE-2023-29498 | 1 Fujielectric | 1 Frenic Rhc Loader | 2025-01-03 | 5.5 Medium |
| Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed. | ||||
| CVE-2024-56324 | 2025-01-03 | N/A | ||
| GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control. | ||||
| CVE-2024-56322 | 2025-01-03 | N/A | ||
| GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control. | ||||
| CVE-2024-55081 | 2025-01-02 | 9.8 Critical | ||
| An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. | ||||
| CVE-2022-34716 | 2 Microsoft, Redhat | 5 .net, .net Core, Powershell and 2 more | 2025-01-02 | 5.9 Medium |
| .NET Spoofing Vulnerability | ||||