| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-5312 |
611 |
|
|
2019-01-04 |
2019-01-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in weixin-java-tools v3.3.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318. |
|
2 |
CVE-2018-1000838 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted CaseMetadata. |
|
3 |
CVE-2018-1000837 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious plugins.xml file. |
|
4 |
CVE-2018-1000835 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. |
|
5 |
CVE-2018-1000834 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
runelite version <= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. |
|
6 |
CVE-2018-1000831 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious WebDAV server or intercept the reponse of a valid WebDAV server. |
|
7 |
CVE-2018-1000830 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
XR3Player version <= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. |
|
8 |
CVE-2018-1000828 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the middle the call to update the software. |
|
9 |
CVE-2018-1000825 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
FreeCol version <= nightly-2018-08-22 contains a XML External Entity (XXE) vulnerability in FreeColXMLReader parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Freecol file. |
|
10 |
CVE-2018-1000823 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. |
|
11 |
CVE-2018-1000822 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b. |
|
12 |
CVE-2018-1000821 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
MicroMathematics version before commit 5c05ac8 contains a XML External Entity (XXE) vulnerability in SMathStudio files that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted SMathStudio files. This vulnerability appears to have been fixed in after commit 5c05ac8. |
|
13 |
CVE-2018-1000820 |
611 |
|
DoS |
2018-12-20 |
2019-01-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c. |
|
14 |
CVE-2018-1000652 |
611 |
|
DoS |
2018-08-20 |
2018-10-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vulnerability appears to have been fixed in after commit 89f855d. |
|
15 |
CVE-2018-1000651 |
611 |
|
DoS |
2018-08-20 |
2018-11-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stroom version <5.4.5 contains a XML External Entity (XXE) vulnerability in XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted XML file. |
|
16 |
CVE-2018-1000644 |
611 |
|
DoS |
2018-08-20 |
2018-11-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted RDF file. |
|
17 |
CVE-2018-1000639 |
611 |
|
|
2018-08-20 |
2018-10-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
LatexDraw version <=4.0 contains a XML External Entity (XXE) vulnerability in SVG parsing functionality that can result in disclosure of data, server side request forgery, port scanning, possible rce. This attack appear to be exploitable via Specially crafted SVG file. |
|
18 |
CVE-2018-1000616 |
611 |
|
|
2018-07-09 |
2018-09-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity. |
|
19 |
CVE-2018-1000614 |
611 |
|
|
2018-07-09 |
2018-09-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message. |
|
20 |
CVE-2018-1000548 |
611 |
|
DoS |
2018-06-26 |
2018-08-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3. |
|
21 |
CVE-2018-1000546 |
611 |
|
Exec Code |
2018-06-26 |
2018-08-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted game data file (XML). |
|
22 |
CVE-2018-1000542 |
611 |
|
Exec Code |
2018-06-26 |
2018-08-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted MMD file. |
|
23 |
CVE-2018-1000540 |
611 |
|
DoS |
2018-06-26 |
2018-08-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains a XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted XML file. |
|
24 |
CVE-2018-1000515 |
611 |
|
|
2018-06-26 |
2018-08-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ventrian News-Articles version NewsArticles.00.09.11 contains a XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb that can result in Attacker can read any file in the server or use smbrelay attack to access to server.. |
|
25 |
CVE-2018-1000198 |
611 |
|
|
2018-06-05 |
2018-07-18 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document. |
|
26 |
CVE-2018-1000124 |
611 |
|
|
2018-03-13 |
2018-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea. |
|
27 |
CVE-2018-1000090 |
611 |
|
DoS |
2018-03-13 |
2018-04-13 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
textpattern version version 4.6.2 contains a XML Injection vulnerability in Import XML feature that can result in Denial of service in context to the web server by exhausting server memory resources. This attack appear to be exploitable via Uploading a specially crafted XML file. |
|
28 |
CVE-2018-1000069 |
611 |
|
|
2018-03-13 |
2018-04-19 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability appears to have been fixed in 1.6+. |
|
29 |
CVE-2018-1000056 |
611 |
|
|
2018-02-09 |
2018-03-06 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
30 |
CVE-2018-1000055 |
611 |
|
|
2018-02-09 |
2018-03-06 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
31 |
CVE-2018-1000054 |
611 |
|
|
2018-02-09 |
2018-03-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
32 |
CVE-2018-1000012 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
33 |
CVE-2018-1000011 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
34 |
CVE-2018-1000010 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
35 |
CVE-2018-1000009 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
36 |
CVE-2018-1000008 |
611 |
|
|
2018-01-23 |
2018-02-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. |
|
37 |
CVE-2018-20664 |
611 |
|
|
2019-01-03 |
2019-01-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. |
|
38 |
CVE-2018-20318 |
611 |
|
|
2018-12-20 |
2019-01-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. |
|
39 |
CVE-2018-20157 |
611 |
|
|
2018-12-14 |
2019-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files. |
|
40 |
CVE-2018-20059 |
611 |
|
|
2018-12-11 |
2019-01-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. |
|
41 |
CVE-2018-20000 |
611 |
|
|
2018-12-09 |
2019-01-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. |
|
42 |
CVE-2018-19371 |
611 |
|
|
2019-01-02 |
2019-01-24 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system. |
|
43 |
CVE-2018-18737 |
611 |
|
|
2018-10-29 |
2018-12-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An XXE issue was discovered in Douchat 4.0.4 because Data\notify.php calls simplexml_load_string. This can also be used for SSRF. |
|
44 |
CVE-2018-18659 |
611 |
|
|
2018-10-26 |
2018-12-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue. |
|
45 |
CVE-2018-17889 |
611 |
|
|
2018-10-08 |
2018-11-25 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior when parsing project files, the XMLParser that ships with Wecon PIStudio is vulnerable to a XML external entity injection attack, which may allow sensitive information disclosure. |
|
46 |
CVE-2018-17411 |
611 |
|
|
2018-09-26 |
2018-12-17 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20. |
|
47 |
CVE-2018-16792 |
611 |
|
|
2018-12-05 |
2018-12-31 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data. |
|
48 |
CVE-2018-16521 |
611 |
|
|
2018-09-05 |
2018-12-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0. |
|
49 |
CVE-2018-16303 |
611 |
|
DoS |
2018-09-01 |
2018-10-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564. |
|
50 |
CVE-2018-16252 |
611 |
|
|
2018-09-05 |
2018-12-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection. |
