XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
Max CVSS
8.0
EPSS Score
0.04%
Published
2024-02-20
Updated
2024-02-20
The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to an URL that contains material read from a local file chosen by the attacker. This may result in a loss of privacy of exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. A single untrusted `.ql` or `.qll` file cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system. Those using CodeQL for routine analysis of source trees with a preselected set of trusted queries are not affected. In particular, extracting XML files from a source tree into the CodeQL database does not make one vulnerable. The problem is fixed in release 2.16.3 of the CodeQL CLI. Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection. Customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe. If such customers have a private query pack and use the `codeql pack create` command to precompile them before using them in the CI system, they should be using the production CodeQL release to run `codeql pack create`. That command is safe as long as the QL source it precompiled is trusted. All other development of the query pack should use an upgraded CLI.
Max CVSS
2.7
EPSS Score
0.05%
Published
2024-02-22
Updated
2024-02-23
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
Max CVSS
8.6
EPSS Score
0.04%
Published
2024-02-13
Updated
2024-02-13
The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig.
Max CVSS
6.5
EPSS Score
0.07%
Published
2024-01-18
Updated
2024-01-27
Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
Max CVSS
5.5
EPSS Score
0.05%
Published
2024-01-24
Updated
2024-01-30
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
Max CVSS
8.3
EPSS Score
0.60%
Published
2024-02-13
Updated
2024-02-13
Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
Max CVSS
5.5
EPSS Score
0.05%
Published
2024-01-24
Updated
2024-01-30
Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
Max CVSS
5.5
EPSS Score
0.08%
Published
2024-01-24
Updated
2024-01-30
When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.
Max CVSS
7.5
EPSS Score
0.09%
Published
2024-02-01
Updated
2024-02-09
Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.
Max CVSS
9.8
EPSS Score
1.57%
Published
2023-12-30
Updated
2024-01-05
The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport.
Max CVSS
6.5
EPSS Score
0.05%
Published
2024-02-06
Updated
2024-02-13
XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation. This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-02-27
Updated
2024-02-28
Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.
Max CVSS
9.8
EPSS Score
2.52%
Published
2023-11-30
Updated
2023-12-05
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-11-29
Updated
2023-12-05
e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
Max CVSS
5.5
EPSS Score
0.05%
Published
2023-11-06
Updated
2023-11-14
A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from a XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system.
Max CVSS
7.5
EPSS Score
0.04%
Published
2023-11-14
Updated
2023-11-20
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.
Max CVSS
9.8
EPSS Score
0.15%
Published
2023-10-30
Updated
2023-11-06
An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
Max CVSS
9.8
EPSS Score
1.02%
Published
2023-12-19
Updated
2023-12-22
Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.
Max CVSS
7.5
EPSS Score
0.11%
Published
2023-10-18
Updated
2023-10-25
In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-10-09
Updated
2023-10-12
fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.
Max CVSS
7.5
EPSS Score
0.08%
Published
2024-01-10
Updated
2024-01-25
CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.
Max CVSS
5.5
EPSS Score
0.05%
Published
2023-10-23
Updated
2023-11-01
Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-10-23
Updated
2023-10-28
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
Max CVSS
6.8
EPSS Score
0.06%
Published
2023-10-06
Updated
2024-02-16
FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
Max CVSS
5.5
EPSS Score
0.05%
Published
2023-10-02
Updated
2023-10-03
979 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!