CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-776

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-38490 776 2021-08-10 2021-08-18
5.0
None Remote Low Not required Partial None None
Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.
2 CVE-2021-32623 776 DoS 2021-06-16 2021-06-23
4.0
None Remote Low ??? None None Partial
Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue.
3 CVE-2021-28973 776 2021-04-13 2021-04-21
4.0
None Remote Low ??? Partial None None
The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.
4 CVE-2021-28302 776 DoS Overflow 2021-03-12 2021-08-11
5.0
None Remote Low Not required None None Partial
A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.
5 CVE-2021-23926 776 2021-01-14 2021-06-28
6.4
None Remote Low Not required Partial None Partial
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
6 CVE-2021-20453 776 2021-04-20 2021-04-23
6.4
None Remote Low Not required Partial None Partial
IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.
7 CVE-2021-3541 776 DoS Bypass 2021-07-09 2021-08-05
4.0
None Remote Low ??? None None Partial
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
8 CVE-2021-1267 776 DoS 2021-01-13 2021-01-20
4.0
None Remote Low ??? None None Partial
A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by crafting an XML-based widget on an affected server. A successful exploit could cause increased memory and CPU utilization, which could result in a DoS condition.
9 CVE-2020-27017 776 2020-11-09 2021-07-21
4.0
None Remote Low ??? Partial None None
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.
10 CVE-2020-25186 776 2020-10-22 2021-07-21
5.0
None Remote Low Not required Partial None None
An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.
11 CVE-2020-24665 776 DoS 2021-01-29 2021-02-04
4.0
None Remote Low ??? None None Partial
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an authenticated remote users to trigger a denial of service (DoS) condition. Specifically, the vulnerability lies in the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, >= 8.3.0.0 GA
12 CVE-2020-24591 776 2020-08-21 2021-07-21
5.5
None Remote Low ??? Partial None Partial
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
13 CVE-2020-24590 776 2020-08-21 2020-08-27
6.4
None Remote Low Not required Partial None Partial
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
14 CVE-2020-24589 776 2020-08-21 2021-07-21
6.4
None Remote Low Not required Partial None Partial
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
15 CVE-2020-24052 776 2020-08-21 2021-07-21
6.4
None Remote Low Not required Partial None Partial
Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request.
16 CVE-2020-15303 776 2021-06-28 2021-07-02
4.0
None Remote Low ??? None None Partial
Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564.
17 CVE-2020-11462 776 2020-05-04 2020-05-12
4.3
None Remote Medium Not required None None Partial
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.
18 CVE-2020-9354 776 2020-02-23 2021-07-21
6.4
None Remote Low Not required None Partial Partial
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal.
19 CVE-2020-9352 776 2020-02-23 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
20 CVE-2020-6856 776 2020-02-06 2020-02-07
4.0
None Remote Low ??? Partial None None
An XML External Entity (XEE) vulnerability exists in the JOC Cockpit component of SOS JobScheduler 1.12 and 1.13.2 allows attackers to read files from the server via an entity declaration in any of the XML documents that are used to specify the run-time settings of jobs and orders.
21 CVE-2020-5227 776 DoS 2020-01-28 2020-02-08
5.0
None Remote Low Not required None None Partial
Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only. This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
22 CVE-2020-4481 776 2020-08-05 2021-07-21
6.4
None Remote Low Not required Partial None Partial
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
23 CVE-2020-4377 776 2020-08-03 2021-07-21
6.4
None Remote Low Not required Partial None Partial
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
24 CVE-2020-2172 776 2020-04-07 2020-04-07
4.0
None Remote Low ??? Partial None None
Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
25 CVE-2019-20104 776 DoS 2020-02-06 2020-02-10
5.0
None Remote Low Not required None None Partial
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
26 CVE-2019-12401 776 2019-09-10 2020-08-24
5.0
None Remote Low Not required None None Partial
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
27 CVE-2019-11253 776 2019-10-17 2020-10-02
5.0
None Remote Low Not required None None Partial
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility.
28 CVE-2019-8126 776 2019-11-05 2021-07-21
4.0
None Remote Low ??? Partial None None
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
29 CVE-2019-5442 776 DoS 2019-06-12 2020-10-16
5.0
None Remote Low Not required None None Partial
XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system.
30 CVE-2019-5427 776 2019-04-22 2021-01-20
5.0
None Remote Low Not required None None Partial
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
31 CVE-2017-18640 776 2019-12-12 2021-06-17
5.0
None Remote Low Not required None None Partial
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
32 CVE-2017-5644 776 DoS 2017-03-24 2020-10-20
7.1
None Remote Medium Not required None None Complete
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
33 CVE-2015-9541 776 2020-01-24 2020-04-30
5.0
None Remote Low Not required None None Partial
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
34 CVE-2014-2228 776 Exec Code 2020-02-19 2020-03-06
7.5
None Remote Low Not required Partial Partial Partial
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
35 CVE-2013-6461 776 2019-11-05 2020-08-18
4.3
None Remote Medium Not required None None Partial
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits
36 CVE-2013-6460 776 DoS 2019-11-05 2020-08-18
4.3
None Remote Medium Not required None None Partial
Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents
37 CVE-2013-4335 776 2020-02-07 2020-02-11
7.5
None Remote Low Not required Partial Partial Partial
opOpenSocialPlugin 0.8.2.1, > 0.9.9.2, 0.9.13, 1.2.6: Multiple XML External Entity Injection Vulnerabilities
38 CVE-2012-6685 776 2020-02-19 2020-02-25
5.0
None Remote Low Not required Partial None None
Nokogiri before 1.5.4 is vulnerable to XXE attacks
39 CVE-2012-3340 776 +Info 2020-09-01 2020-09-03
4.0
None Remote Low ??? Partial None None
IBM InfoSphere Guardium 8.0, 8.01, and 8.2 is vulnerable to XML external entity injection, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 78291.
Total number of vulnerabilities : 39   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.