| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-1010268 |
611 |
|
|
2019-07-18 |
2019-07-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call. |
|
2 |
CVE-2019-1010202 |
611 |
|
|
2019-07-23 |
2019-08-05 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later. |
|
3 |
CVE-2019-1003015 |
611 |
|
DoS |
2019-02-06 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc. |
|
4 |
CVE-2019-16188 |
611 |
|
DoS |
2019-09-25 |
2019-09-26 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks. |
|
5 |
CVE-2019-16174 |
611 |
|
Exec Code |
2019-09-09 |
2019-09-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity. |
|
6 |
CVE-2019-15903 |
611 |
|
|
2019-09-04 |
2019-09-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. |
|
7 |
CVE-2019-15641 |
611 |
|
|
2019-08-26 |
2019-08-30 |
6.8 |
None |
Remote |
Low |
Single system |
Complete |
None |
None |
|
xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi. |
|
8 |
CVE-2019-15637 |
611 |
|
|
2019-08-26 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop. |
|
9 |
CVE-2019-15160 |
611 |
|
DoS |
2019-08-19 |
2019-08-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD. |
|
10 |
CVE-2019-14693 |
611 |
|
|
2019-08-08 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
|
11 |
CVE-2019-14277 |
611 |
|
Exec Code File Inclusion |
2019-07-26 |
2019-10-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issues as not being a vulnerability because ?All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version.? |
|
12 |
CVE-2019-14258 |
611 |
|
|
2019-08-21 |
2019-08-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988. |
|
13 |
CVE-2019-13990 |
611 |
|
|
2019-07-26 |
2019-09-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. |
|
14 |
CVE-2019-13625 |
611 |
|
|
2019-07-16 |
2019-07-19 |
9.4 |
None |
Remote |
Low |
Not required |
None |
Complete |
Complete |
|
NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. |
|
15 |
CVE-2019-13608 |
611 |
|
|
2019-08-29 |
2019-09-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks. |
|
16 |
CVE-2019-13358 |
611 |
|
|
2019-07-05 |
2019-07-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format. |
|
17 |
CVE-2019-13176 |
611 |
|
|
2019-08-08 |
2019-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). |
|
18 |
CVE-2019-13031 |
611 |
|
|
2019-06-28 |
2019-08-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. |
|
19 |
CVE-2019-12924 |
611 |
|
|
2019-07-08 |
2019-07-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users). |
|
20 |
CVE-2019-12711 |
611 |
|
DoS |
2019-10-02 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by sending malicious requests to an affected system that contain references in XML entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a DoS condition. |
|
21 |
CVE-2019-12154 |
611 |
|
DoS |
2019-06-11 |
2019-06-13 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions. |
|
22 |
CVE-2019-11677 |
611 |
|
|
2019-05-02 |
2019-05-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. |
|
23 |
CVE-2019-11519 |
611 |
|
|
2019-04-25 |
2019-05-01 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. |
|
24 |
CVE-2019-11392 |
611 |
|
|
2019-06-21 |
2019-06-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. |
|
25 |
CVE-2019-10976 |
611 |
|
|
2019-07-25 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files. |
|
26 |
CVE-2019-10718 |
611 |
|
|
2019-06-21 |
2019-06-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. |
|
27 |
CVE-2019-10337 |
611 |
|
|
2019-06-11 |
2019-06-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. |
|
28 |
CVE-2019-10327 |
611 |
|
|
2019-05-31 |
2019-06-03 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks. |
|
29 |
CVE-2019-10309 |
611 |
|
|
2019-04-30 |
2019-05-06 |
4.8 |
None |
Local Network |
Low |
Not required |
Partial |
None |
Partial |
|
Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients. |
|
30 |
CVE-2019-10266 |
611 |
|
|
2019-07-26 |
2019-07-31 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication. |
|
31 |
CVE-2019-10264 |
611 |
|
|
2019-07-26 |
2019-07-31 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE. |
|
32 |
CVE-2019-10244 |
611 |
|
|
2019-04-09 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation. |
|
33 |
CVE-2019-9843 |
611 |
|
|
2019-06-28 |
2019-07-05 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file. |
|
34 |
CVE-2019-9670 |
611 |
|
|
2019-05-29 |
2019-05-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability. |
|
35 |
CVE-2019-9488 |
611 |
|
|
2019-09-11 |
2019-09-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Protection (2.0) are vulnerable to a XML External Entity Attack. However, for the attack to be possible, the attacker must have root/admin access to a protected host which is authorized to communicate with the Deep Security Manager (DSM). |
|
36 |
CVE-2019-8999 |
611 |
|
|
2019-04-18 |
2019-04-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account. |
|
37 |
CVE-2019-8997 |
611 |
|
|
2019-03-21 |
2019-04-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field. |
|
38 |
CVE-2019-7847 |
611 |
|
|
2019-07-18 |
2019-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user. |
|
39 |
CVE-2019-7442 |
611 |
|
Bypass |
2019-05-08 |
2019-05-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system. |
|
40 |
CVE-2019-6179 |
611 |
|
|
2019-09-03 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure. |
|
41 |
CVE-2019-5312 |
611 |
|
|
2019-01-04 |
2019-01-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in weixin-java-tools v3.3.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318. |
|
42 |
CVE-2019-4513 |
611 |
|
|
2019-08-26 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 164555. |
|
43 |
CVE-2019-4456 |
611 |
|
|
2019-07-30 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620. |
|
44 |
CVE-2019-4433 |
611 |
|
|
2019-08-20 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890. |
|
45 |
CVE-2019-4424 |
611 |
|
|
2019-08-20 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770. |
|
46 |
CVE-2019-4419 |
611 |
|
|
2019-08-20 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737. |
|
47 |
CVE-2019-4340 |
611 |
|
|
2019-08-20 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
IBM Security Guardium Big Data Intelligence 4.0 (SonarG) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 161419. |
|
48 |
CVE-2019-4208 |
611 |
|
|
2019-05-07 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 159129. |
|
49 |
CVE-2019-4062 |
611 |
|
|
2019-07-30 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007. |
|
50 |
CVE-2019-4043 |
611 |
|
|
2019-04-02 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239. |
