Score 0.0 together with ??? in the Access through Avail. columns means no CVSS v2 vector was recorded for that entry when the page was captured; it is not a rating of zero.

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2023-23595 | 611 | | | 2023-01-15 | 2023-01-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected. |
| 2 | CVE-2023-22624 | 611 | | | 2023-01-17 | 2023-01-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks. |
| 3 | CVE-2022-47514 | 611 | | | 2022-12-18 | 2022-12-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request. |
| 4 | CVE-2022-46827 | 611 | | | 2022-12-08 | 2022-12-12 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | In JetBrains IntelliJ IDEA before 2022.3, an XXE attack leading to SSRF via requests to custom plugin repositories was possible. |
| 5 | CVE-2022-46682 | 611 | | | 2022-12-12 | 2022-12-12 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 6 | CVE-2022-45400 | 611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 7 | CVE-2022-45397 | 611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 8 | CVE-2022-45396 | 611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 9 | CVE-2022-45395 | 611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 10 | CVE-2022-45386 | 611 | | | 2022-11-15 | 2022-11-18 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 11 | CVE-2022-45326 | 611 | | | 2022-12-06 | 2022-12-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks. |
| 12 | CVE-2022-45194 | 611 | | | 2022-11-12 | 2022-11-16 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | CBRN-Analysis before 22 allows XXE attacks via an mws XML document, leading to NTLMv2-SSP hash disclosure. |
| 13 | CVE-2022-43689 | 611 | | | 2022-11-14 | 2022-11-17 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE-based DNS requests leading to IP disclosure. |
| 14 | CVE-2022-43570 | 611 | | | 2022-11-04 | 2022-11-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error. |
| 15 | CVE-2022-43430 | 611 | | | 2022-10-19 | 2022-10-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 16 | CVE-2022-43415 | 611 | | | 2022-10-19 | 2022-10-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 17 | CVE-2022-42341 | 611 | | | 2022-10-14 | 2022-10-18 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction. |
| 18 | CVE-2022-42307 | 611 | | | 2022-10-03 | 2022-10-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service. |
| 19 | CVE-2022-42301 | 611 | | | 2022-10-03 | 2022-10-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) injection attack through the nbars process. |
| 20 | CVE-2022-41967 | 611 | | | 2022-12-28 | 2023-01-06 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML when `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions. |
| 21 | CVE-2022-41241 | 611 | | | 2022-09-21 | 2022-09-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 22 | CVE-2022-41226 | 611 | | | 2022-09-21 | 2022-09-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 23 | CVE-2022-40771 | 611 | | | 2022-11-23 | 2022-11-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure. |
| 24 | CVE-2022-40747 | 611 | | | 2022-11-03 | 2022-11-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584. |
| 25 | CVE-2022-40705 | 611 | | | 2022-09-22 | 2022-09-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | ** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| 26 | CVE-2022-40304 | 611 | | | 2022-11-23 | 2022-12-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. |
| 27 | CVE-2022-39135 | 611 | | | 2022-09-11 | 2022-11-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators. |
| 28 | CVE-2022-38419 | 611 | | | 2022-10-14 | 2022-10-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction. |
| 29 | CVE-2022-38342 | 611 | | | 2022-09-13 | 2022-10-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks. |
| 30 | CVE-2022-37911 | 611 | | DoS | 2022-12-12 | 2022-12-13 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Due to improper restrictions on XML entities, multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition. |
| 31 | CVE-2022-37189 | 611 | | DoS | 2022-09-07 | 2022-09-10 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input. |
| 32 | CVE-2022-36773 | 611 | | | 2022-09-01 | 2022-11-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571. |
| 33 | CVE-2022-35741 | 611 | | DoS | 2022-07-18 | 2022-07-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled, affected versions of Apache CloudStack could allow exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based, and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, and server-side request forgery (SSRF) on the CloudStack management server. |
| 34 | CVE-2022-35168 | 611 | | | 2022-07-12 | 2022-07-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative. |
| 35 | CVE-2022-34793 | 611 | | | 2022-06-30 | 2022-07-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 36 | CVE-2022-34348 | 611 | | | 2022-09-23 | 2022-09-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017. |
| 37 | CVE-2022-34001 | 611 | | | 2022-07-19 | 2022-07-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously. |
| 38 | CVE-2022-32458 | 611 | | | 2022-07-20 | 2022-09-14 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files. |
| 39 | CVE-2022-32285 | 611 | | | 2022-06-14 | 2022-06-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitization. This may allow an attacker to disclose confidential data under certain circumstances. |
| 40 | CVE-2022-31775 | 611 | | | 2022-08-01 | 2022-08-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359. |
| 41 | CVE-2022-31678 | 611 | | | 2022-10-28 | 2022-10-31 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure. |
| 42 | CVE-2022-31471 | 611 | | | 2022-07-26 | 2022-08-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | untangle is a Python library to convert XML data to Python objects. untangle versions 1.2.0 and earlier improperly restrict XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files. |
| 43 | CVE-2022-31447 | 611 | | | 2022-06-14 | 2022-06-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file. |
| 44 | CVE-2022-31261 | 611 | | | 2022-05-24 | 2022-06-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to. |
| 45 | CVE-2022-30971 | 611 | | | 2022-05-17 | 2022-05-25 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| 46 | CVE-2022-29943 | 611 | | | 2022-05-04 | 2022-05-13 | 6.8 | None | Remote | Low | ??? | Complete | None | None | Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. |
| 47 | CVE-2022-29801 | 611 | | | 2022-05-20 | 2022-08-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. |
| 48 | CVE-2022-29265 | 611 | | | 2022-04-30 | 2022-05-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: EvaluateXPath, EvaluateXQuery and ValidateXml. Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services. |
| 49 | CVE-2022-28890 | 611 | | | 2022-05-05 | 2022-05-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities. |
| 50 | CVE-2022-28219 | 611 | | Exec Code | 2022-04-05 | 2022-10-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. |
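Most entries above share one root cause: an XML parser that was never told to refuse DTDs or external entities. The following is an added example, not code from this page or from any of the listed vendors, written for the Python standard library (pyexpat) so it runs offline. It shows what a permissive parser does with the file-read payload the BlueCat, Talend and ColdFusion rows describe, records the URL a remote entity would make the server fetch (the SSRF variant in the XML-RPC.NET, IntelliJ, Kwoksys and FME Server rows), and then applies the two settings that close both: refuse DOCTYPE declarations outright and return failure for any external entity reference. The temporary file, its contents and the XML documents are constructed for the demo; `internal.example` is a placeholder host.

```python
"""Added example (not from the CVE page or any listed vendor): how a parser that
honours external entities leaks a local file, and the two settings that stop it.
Standard library only (pyexpat). Paths, file contents and XML are constructed."""
import os
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


class DoctypeRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE appears."""


def make_secret_file() -> str:
    # Constructed stand-in for a single-line credential file (.netrc style).
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("machine example.com login daniel password qwerty")
    return path


def xxe_payload(system_id: str) -> str:
    # In-band XXE: declare an external general entity pointing at system_id and
    # reference it in an element whose text the application echoes back.
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
            '<doc><name>&xxe;</name></doc>' % system_id)


def parse_unsafe(xml_text: str):
    """A parser left permissive: external entities are fetched and their content
    spliced into the document. Returns (text content, list of non-file URLs a
    real resolver would have requested)."""
    chunks, remote = [], []
    parser = expat.ParserCreate()

    def resolve(context, base, system_id, public_id):
        url = urlparse(system_id)
        if url.scheme in ("http", "https", "ftp"):
            remote.append(system_id)  # the SSRF / out-of-band step; not fetched offline
            return 1
        path = url2pathname(url.path) if url.scheme == "file" else system_id
        with open(path, "r", encoding="utf-8") as f:
            body = f.read()
        # The child parser inherits the handlers, so the file's text reaches the
        # same CharacterDataHandler as ordinary element content.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = chunks.append
    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_text, True)
    return "".join(chunks), remote


def parse_hardened(xml_text: str) -> str:
    """Same parser with DTDs refused outright (what the fixed projects in the
    table did, e.g. NiFi 'disables Document Type Declarations') and external
    entity resolution disabled as defence in depth. Entity-expansion bombs (the
    DoS rows) also need a DTD, so the first setting stops them as well."""
    chunks = []
    parser = expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r is not accepted" % doctype_name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *_: 0  # 0 makes expat abort the parse
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def demo():
    """Runs the leak against a throwaway file and returns
    (leaked text, whether the hardened parser refused the same document)."""
    secret = make_secret_file()
    try:
        doc = xxe_payload(Path(secret).as_uri())
        leaked, _ = parse_unsafe(doc)
        try:
            parse_hardened(doc)
            blocked = False
        except DoctypeRejected:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(secret)


if __name__ == "__main__":
    text, refused = demo()
    print("permissive parser returned:", text)
    print("hardened parser refused the document:", refused)
```

The Jenkins, Dragonfly, Calcite and NiFi rows are Java; the equivalent of `reject_doctype` there is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the `DocumentBuilderFactory` (or SAX/StAX factory) before parsing, which is the change those fixes describe. Note that the leak is silent on the permissive side: nothing in the parse fails, the file content simply appears where the application expected a name, which is why the IBM and Splunk rows talk about disclosure through error messages and embedded documents rather than crashes.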