Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2014-2052

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-11 Feb, 2020 | 15:23
Updated At-06 Aug, 2024 | 09:58
Rejected At-
Credits

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
ā–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:11 Feb, 2020 | 15:23
Updated At:06 Aug, 2024 | 09:58
Rejected At:
ā–¼CVE Numbering Authority (CNA)

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
x_refsource_MISC
https://owncloud.org/security/advisories/xxe-multiple-third-party-components/
x_refsource_CONFIRM
https://www.securityfocus.com/bid/66222
x_refsource_MISC
Hyperlink: http://owncloud.org/about/security/advisories/oC-SA-2014-006/
Resource:
x_refsource_MISC
Hyperlink: https://owncloud.org/security/advisories/xxe-multiple-third-party-components/
Resource:
x_refsource_CONFIRM
Hyperlink: https://www.securityfocus.com/bid/66222
Resource:
x_refsource_MISC
ā–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://owncloud.org/about/security/advisories/oC-SA-2014-006/
x_refsource_MISC
x_transferred
https://owncloud.org/security/advisories/xxe-multiple-third-party-components/
x_refsource_CONFIRM
x_transferred
https://www.securityfocus.com/bid/66222
x_refsource_MISC
x_transferred
Hyperlink: http://owncloud.org/about/security/advisories/oC-SA-2014-006/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://owncloud.org/security/advisories/xxe-multiple-third-party-components/
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.securityfocus.com/bid/66222
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
ā–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:11 Feb, 2020 | 16:15
Updated At:31 Mar, 2025 | 11:54

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

ownCloud GmbH
owncloud
>>owncloud>>Versions before 5.0.15(exclusive)
cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
ownCloud GmbH
owncloud
>>owncloud_server>>Versions from 6.0.0(inclusive) to 6.0.2(exclusive)
cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarynvd@nist.gov
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://owncloud.org/about/security/advisories/oC-SA-2014-006/cve@mitre.org
Vendor Advisory
https://owncloud.org/security/advisories/xxe-multiple-third-party-components/cve@mitre.org
Vendor Advisory
https://www.securityfocus.com/bid/66222cve@mitre.org
Third Party Advisory
VDB Entry
http://owncloud.org/about/security/advisories/oC-SA-2014-006/af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://owncloud.org/security/advisories/xxe-multiple-third-party-components/af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://www.securityfocus.com/bid/66222af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
Hyperlink: http://owncloud.org/about/security/advisories/oC-SA-2014-006/
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://owncloud.org/security/advisories/xxe-multiple-third-party-components/
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://www.securityfocus.com/bid/66222
Source: cve@mitre.org
Resource:
Third Party Advisory
VDB Entry
Hyperlink: http://owncloud.org/about/security/advisories/oC-SA-2014-006/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: https://owncloud.org/security/advisories/xxe-multiple-third-party-components/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: https://www.securityfocus.com/bid/66222
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry

Change History

0
Information is not available yet

Similar CVEs

231Records found

CVE-2022-1704
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.6||HIGH
EPSS-0.82% / 52.65%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 15:25
Updated-16 Apr, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inductive Automation Ignition

Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.

Action-Not Available
Vendor-inductiveautomationInductive Automation
Product-ignitionIgnition
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-1700
Matching Score-4
Assigner-Forcepoint
ShareView Details
Matching Score-4
Assigner-Forcepoint
CVSS Score-7.5||HIGH
EPSS-0.70% / 48.60%
||
7 Day CHG~0.00%
Published-12 Sep, 2022 | 18:07
Updated-03 Aug, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022.

Action-Not Available
Vendor-forcepointForcepoint
Product-data_loss_preventionemail_securityone_endpoint_with_policy_engineweb_security_content_gatewaycloud_security_gatewayCloud Security Gateway One Endpoint (F1E) with Policy EngineEmail Security with DLP enabledWeb Security Content GatewayData Loss Prevention (DLP)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-21082
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-0.81% / 52.36%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 21:26
Updated-26 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-bi_publisherBI Publisher (formerly XML Publisher)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-0228
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-9.45% / 94.83%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 14:07
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Action-Not Available
Vendor-n/aThe Apache Software FoundationFedora ProjectOracle Corporation
Product-banking_trade_finance_process_managementpeoplesoft_enterprise_peopletoolsbanking_supply_chain_financepdfboxcommunications_messaging_serverhyperion_financial_reportingfedoraretail_xstore_point_of_servicejamesbanking_corporate_lending_process_managementcommunications_session_report_managerwebcenter_sitesbanking_credit_facilities_process_managementbanking_virtual_account_managementApache PDFBox
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-8940
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.63% / 73.27%
||
7 Day CHG~0.00%
Published-14 May, 2019 | 18:12
Updated-05 Aug, 2024 | 07:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.

Action-Not Available
Vendor-enghousen/a
Product-contact_center\n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-10991
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.25% / 65.86%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 23:42
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java

Action-Not Available
Vendor-mulesoftn/a
Product-aplkitn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-49875
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 38.27%
||
7 Day CHG+0.12%
Published-12 Jun, 2026 | 08:54
Updated-30 Jun, 2026 | 03:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution.Ā Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Action-Not Available
Vendor-The Apache Software FoundationRed Hat, Inc.
Product-cxfApache CXFRed Hat JBoss Web Server 5Red Hat Single Sign-On 7Red Hat build of Apache Camel 4 for Quarkus 3Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel for Spring Boot 4Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20222
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.71% / 74.61%
||
7 Day CHG~0.00%
Published-04 Apr, 2019 | 15:48
Updated-05 Aug, 2024 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XXE issue in Airsonic before 10.1.2 during parse.

Action-Not Available
Vendor-airsonic_projectn/a
Product-airsonicn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-2777
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-79.13% / 99.55%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:53
Updated-26 Feb, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SysAid On-Prem <= 23.3.40 lshw Proceessing XML External Entity Injection

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.

Action-Not Available
Vendor-SysAid Technologies Ltd.
Product-sysaidSysAid On-Prem
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-6486
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.3||HIGH
EPSS-1.22% / 64.89%
||
7 Day CHG~0.00%
Published-02 Feb, 2018 | 14:00
Updated-16 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection

XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.

Action-Not Available
Vendor-Micro Focus International Limited
Product-fortify_audit_workbenchfortify_software_security_centerFortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-6489
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-1.26% / 66.09%
||
7 Day CHG~0.00%
Published-22 Feb, 2018 | 22:00
Updated-05 Aug, 2024 | 06:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)

Action-Not Available
Vendor-n/aMicro Focus International Limited
Product-project_and_portfolio_management_centern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-2776
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-72.97% / 99.38%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:50
Updated-19 Nov, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-08-12||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
SysAid On-Prem <= 23.3.40 serverurl Proceessing XML External Entity Injection

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.

Action-Not Available
Vendor-SysAid Technologies Ltd.
Product-sysaidSysAid On-PremSysAid On-Prem
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-49656
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 53.49%
||
7 Day CHG~0.00%
Published-29 Nov, 2023 | 13:45
Updated-13 Feb, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-matlabJenkins MATLAB Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-49733
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.29% / 66.76%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 11:29
Updated-13 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Cocoon's StreamGenerator is vulnerable to XXE injection

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-cocoonApache Cocoon
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-48362
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.75% / 50.57%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 07:45
Updated-13 Feb, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Drill: XXE Vulnerability in XML Format Reader

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.

Action-Not Available
Vendor-apache_software_foundationThe Apache Software Foundation
Product-drillApache Drillapache_drill
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0839
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.3||HIGH
EPSS-2.92% / 85.35%
||
7 Day CHG~0.00%
Published-04 Mar, 2022 | 14:25
Updated-03 Nov, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in liquibase/liquibase

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

Action-Not Available
Vendor-liquibaseliquibaseOracle Corporation
Product-sqlclliquibaseliquibase/liquibase
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-45612
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-8.6||HIGH
EPSS-0.60% / 44.11%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:20
Updated-19 Sep, 2024 | 13:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE

Action-Not Available
Vendor-JetBrains s.r.o.
Product-ktorKtorktor
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-46502
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.72% / 49.43%
||
7 Day CHG~0.00%
Published-30 Oct, 2023 | 00:00
Updated-09 Sep, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.

Action-Not Available
Vendor-opencrxn/a
Product-opencrxn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-46265
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-4.00% / 89.29%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 15:43
Updated-17 Sep, 2024 | 02:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-3881
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.4||CRITICAL
EPSS-1.23% / 65.42%
||
7 Day CHG~0.00%
Published-01 Aug, 2018 | 20:00
Updated-16 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise.

Action-Not Available
Vendor-focalscopeFocalScope
Product-focalscopeFocalscope
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-25082
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.78% / 51.29%
||
7 Day CHG~0.00%
Published-21 Mar, 2023 | 18:00
Updated-26 Feb, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zwczou WeChat SDK Python to_xml xml external entity reference

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The patch is named e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.

Action-Not Available
Vendor-wechat_sdk_python_projectzwczou
Product-wechat_sdk_pythonWeChat SDK Python
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-25142
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.37% / 29.13%
||
7 Day CHG~0.00%
Published-24 Dec, 2025 | 19:27
Updated-29 Dec, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NovaRad NovaPACS Diagnostics Viewer 8.5 XML External Entity Injection

NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.

Action-Not Available
Vendor-NovaRad Corporation
Product-NovaPACS Diagnostics Viewer
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20318
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.66% / 73.83%
||
7 Day CHG~0.00%
Published-21 Dec, 2018 | 00:00
Updated-17 Sep, 2024 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.

Action-Not Available
Vendor-wxjava_projectn/a
Product-wxjavan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20433
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.59% / 90.50%
||
7 Day CHG+0.12%
Published-24 Dec, 2018 | 13:00
Updated-05 Aug, 2024 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Action-Not Available
Vendor-mchangen/aDebian GNU/Linux
Product-debian_linuxc3p0n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-36419
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-1.73% / 74.86%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 17:08
Updated-11 Feb, 2026 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_hdinsightAzure HDInsight
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20687
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.53% / 82.97%
||
7 Day CHG~0.00%
Published-18 Nov, 2019 | 18:12
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Action-Not Available
Vendor-raritann/a
Product-commandcenter_secure_gatewayn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20664
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.05% / 94.09%
||
7 Day CHG~0.00%
Published-03 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_adselfservice_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-11586
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.25% / 65.70%
||
7 Day CHG~0.00%
Published-06 Apr, 2020 | 21:35
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data.

Action-Not Available
Vendor-cipplannern/a
Product-cipacen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20160
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.23% / 80.59%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 21:12
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.

Action-Not Available
Vendor-n/aSynacor, Inc.
Product-zimbra_collaboration_suiten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-38429
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 21.72%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 00:00
Updated-06 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-43142
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.43% / 69.78%
||
7 Day CHG~0.00%
Published-30 Mar, 2022 | 21:05
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.

Action-Not Available
Vendor-jox_projectn/a
Product-joxn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-10091
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.49%
||
7 Day CHG~0.00%
Published-08 Sep, 2025 | 11:02
Updated-09 Oct, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA XML Type xml external entity reference

A vulnerability has been found in Jinher OA up to 1.2. This affects an unknown function of the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add of the component XML Handler. The manipulation leads to xml external entity reference. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-16521
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.92% / 77.35%
||
7 Day CHG~0.00%
Published-05 Sep, 2018 | 15:00
Updated-16 Sep, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.

Action-Not Available
Vendor-openmrsn/a
Product-html_form_entryreference_applicationn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0239
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.7||MEDIUM
EPSS-1.22% / 64.92%
||
7 Day CHG~0.00%
Published-17 Jan, 2022 | 06:15
Updated-16 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Action-Not Available
Vendor-stanfordstanfordnlpstanford
Product-corenlpstanfordnlp/corenlpcorenlp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0272
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.3||HIGH
EPSS-1.38% / 68.71%
||
7 Day CHG~0.00%
Published-21 Apr, 2022 | 16:20
Updated-02 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in detekt/detekt

Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.

Action-Not Available
Vendor-detektdetekt
Product-detektdetekt/detekt
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-45981
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.05% / 60.08%
||
7 Day CHG~0.00%
Published-02 Jun, 2022 | 17:40
Updated-04 Aug, 2024 | 04:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.

Action-Not Available
Vendor-netscoutn/a
Product-ngeniusonen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-15531
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-27.87% / 97.86%
||
7 Day CHG~0.00%
Published-26 Sep, 2018 | 22:00
Updated-05 Aug, 2024 | 09:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

Action-Not Available
Vendor-javamelody_projectn/a
Product-javamelodyn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-15506
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.70% / 90.70%
||
7 Day CHG~0.00%
Published-19 Jun, 2019 | 16:13
Updated-05 Aug, 2024 | 09:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Action-Not Available
Vendor-bubblesoftappsn/a
Product-bubbleupnpn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-45024
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.29% / 66.80%
||
7 Day CHG~0.00%
Published-17 Jun, 2022 | 11:57
Updated-04 Aug, 2024 | 04:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).

Action-Not Available
Vendor-rocketsoftwaren/a
Product-ags-zenan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-14485
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-16.29% / 96.56%
||
7 Day CHG~0.00%
Published-07 May, 2019 | 17:47
Updated-05 Aug, 2024 | 09:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.

Action-Not Available
Vendor-blogenginen/a
Product-blogengine.netn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-28150
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 50.32%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

Action-Not Available
Vendor-independentsoftn/a
Product-jodfn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-14720
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.52% / 93.75%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 09:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle CorporationFasterXML, LLC.Debian GNU/Linux
Product-debian_linuxprimavera_unifiercommunications_billing_and_revenue_managementjackson-databindenterprise_manager_for_virtualizationfinancial_services_analytical_applications_infrastructureopenshift_container_platformjdeveloperbanking_platformjboss_enterprise_application_platformretail_merchandising_systemwebcenter_portaln/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-4311
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.67% / 47.42%
||
7 Day CHG~0.00%
Published-09 Jan, 2023 | 11:20
Updated-09 Apr, 2025 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Talend Open Studio for MDM XML xml external entity reference

A vulnerability classified as problematic was found in Talend Open Studio for MDM. This vulnerability affects unknown code of the component XML Handler. The manipulation leads to xml external entity reference. The patch is identified as 31d442b9fb1d518128fd18f6e4d54e06c3d67793. It is recommended to apply a patch to fix this issue. VDB-217666 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-talendTalend
Product-open_studioOpen Studio for MDM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-43090
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.90% / 77.12%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 15:47
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability exists in soa-model before 1.6.4 in the WSDLParser function.

Action-Not Available
Vendor-predic8n/a
Product-soa_modeln/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-4295
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.72% / 49.26%
||
7 Day CHG~0.00%
Published-29 Dec, 2022 | 08:08
Updated-03 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ONC code-validator-api XML CodeValidatorApiConfiguration.java vocabularyValidationConfigurations xml external entity reference

A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. This vulnerability affects the function vocabularyValidationConfigurations of the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the component XML Handler. The manipulation leads to xml external entity reference. Upgrading to version 1.0.31 is able to address this issue. The name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is recommended to upgrade the affected component. VDB-217018 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-healthitONC
Product-code-validator-apicode-validator-api
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1309
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-4.52% / 90.37%
||
7 Day CHG~0.00%
Published-23 May, 2018 | 14:00
Updated-16 Sep, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-28151
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.79% / 51.84%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

Action-Not Available
Vendor-independentsoftn/a
Product-jspreadsheetn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-28152
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 50.32%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

Action-Not Available
Vendor-independentsoftn/a
Product-jwordn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1285
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-49.84% / 98.76%
||
7 Day CHG~0.00%
Published-11 May, 2020 | 16:41
Updated-05 Aug, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Action-Not Available
Vendor-n/aNetApp, Inc.The Apache Software FoundationFedora ProjectOracle Corporation
Product-manageability_software_development_kitfedorahospitality_simphonyhospitality_opera_5application_testing_suitelog4netsnapcenterApache log4net
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-41411
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.19% / 64.24%
||
7 Day CHG+0.01%
Published-16 Jun, 2022 | 09:52
Updated-04 Aug, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-droolsn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found