Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2015-7273

Summary
Assigner-certcc
Assigner Org ID-37e5125f-f79b-445b-8fad-9564f167944b
Published At-10 Apr, 2017 | 03:00
Updated At-06 Aug, 2024 | 07:43
Rejected At-
Credits

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:certcc
Assigner Org ID:37e5125f-f79b-445b-8fad-9564f167944b
Published At:10 Apr, 2017 | 03:00
Updated At:06 Aug, 2024 | 07:43
Rejected At:
▼CVE Numbering Authority (CNA)

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.

Affected Products
Vendor
n/a
Product
Dell Integrated Remote Access Controller (iDRAC)
Versions
Affected
  • Dell Integrated Remote Access Controller (iDRAC)
Problem Types
TypeCWE IDDescription
textN/AXXE
Type: text
CWE ID: N/A
Description: XXE
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://en.community.dell.com/techcenter/extras/m/white_papers/20441859
x_refsource_MISC
Hyperlink: http://en.community.dell.com/techcenter/extras/m/white_papers/20441859
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://en.community.dell.com/techcenter/extras/m/white_papers/20441859
x_refsource_MISC
x_transferred
Hyperlink: http://en.community.dell.com/techcenter/extras/m/white_papers/20441859
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cret@cert.org
Published At:10 Apr, 2017 | 03:59
Updated At:20 Apr, 2025 | 01:37

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
Dell Inc.
dell
>>integrated_remote_access_controller_firmware>>Versions up to 2.20.20.20(inclusive)
cpe:2.3:o:dell:integrated_remote_access_controller_firmware:*:*:*:*:*:*:*:*
Dell Inc.
dell
>>integrated_remote_access_controller_7>>-
cpe:2.3:h:dell:integrated_remote_access_controller_7:-:*:*:*:*:*:*:*
Dell Inc.
dell
>>integrated_remote_access_controller_8>>-
cpe:2.3:h:dell:integrated_remote_access_controller_8:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarynvd@nist.gov
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://en.community.dell.com/techcenter/extras/m/white_papers/20441859cret@cert.org
Vendor Advisory
http://en.community.dell.com/techcenter/extras/m/white_papers/20441859af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: http://en.community.dell.com/techcenter/extras/m/white_papers/20441859
Source: cret@cert.org
Resource:
Vendor Advisory
Hyperlink: http://en.community.dell.com/techcenter/extras/m/white_papers/20441859
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

213Records found
CVE-2020-29507
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-5.3||MEDIUM
EPSS-0.85% / 73.94%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 19:25
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.4, and Dell BSAFE Micro Edition Suite, versions before 4.4, contain an Improper Input Validation Vulnerability.

Action-Not Available
Vendor-Oracle CorporationDell Inc.
Product-http_serverweblogic_server_proxy_plug-inbsafe_crypto-c-micro-editiondatabasebsafe_micro-edition-suitesecurity_serviceDell BSAFE Crypto-C Micro Edition
CWE ID-CWE-20
Improper Input Validation
CVE-2020-29508
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 46.23%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 19:25
Updated-16 Sep, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Improper Input Validation Vulnerability.

Action-Not Available
Vendor-Oracle CorporationDell Inc.
Product-http_serverweblogic_server_proxy_plug-inbsafe_crypto-c-micro-editiondatabasebsafe_micro-edition-suitesecurity_serviceDell BSAFE Micro Edition Suite
CWE ID-CWE-331
Insufficient Entropy
CWE ID-CWE-20
Improper Input Validation
CVE-2015-7272
Matching Score-8
Assigner-CERT/CC
ShareView Details
Matching Score-8
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.86% / 74.09%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 03:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long SSH username or input.

Action-Not Available
Vendor-n/aDell Inc.
Product-integrated_remote_access_controller_6integrated_remote_access_controller_7integrated_remote_access_controller_8integrated_remote_access_controller_firmwareDell Integrated Remote Access Controller (iDRAC)
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2015-1605
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.42% / 61.22%
||
7 Day CHG~0.00%
Published-24 Feb, 2015 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple SQL injection vulnerabilities in Dell ScriptLogic Asset Manager (aka Quest Workspace Asset Manager) before 9.5 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) GetClientPackage.aspx or (2) GetProcessedPackage.aspx.

Action-Not Available
Vendor-n/aDell Inc.
Product-asset_managern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-1237
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-0.34% / 55.88%
||
7 Day CHG~0.00%
Published-27 Mar, 2018 | 21:00
Updated-17 Sep, 2024 | 04:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC ScaleIO versions prior to 2.5, contain improper restriction of excessive authentication attempts on the Light installation Agent (LIA). This component is deployed on every server in the ScaleIO cluster and is used for central management of ScaleIO nodes. A remote malicious user, having network access to LIA, could potentially exploit this vulnerability to launch brute force guessing of user names and passwords of user accounts on the LIA.

Action-Not Available
Vendor-Dell Inc.
Product-emc_scaleioScaleIO
CWE ID-CWE-287
Improper Authentication
CVE-2020-35163
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-5.3||MEDIUM
EPSS-0.74% / 71.96%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 19:25
Updated-17 Sep, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain a Use of Insufficiently Random Values Vulnerability.

Action-Not Available
Vendor-Oracle CorporationDell Inc.
Product-http_serverweblogic_server_proxy_plug-inbsafe_crypto-c-micro-editiondatabasebsafe_micro-edition-suitesecurity_serviceDell BSAFE Crypto-C Micro Edition
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2020-35164
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-6.7||MEDIUM
EPSS-0.58% / 67.80%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 19:25
Updated-16 Sep, 2024 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.

Action-Not Available
Vendor-Oracle CorporationDell Inc.
Product-http_serverweblogic_server_proxy_plug-inbsafe_crypto-c-micro-editiondatabasebsafe_micro-edition-suitesecurity_serviceDell BSAFE Crypto-C Micro Edition
CWE ID-CWE-385
Covert Timing Channel
CVE-2020-29506
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-6.8||MEDIUM
EPSS-1.33% / 79.12%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 19:25
Updated-17 Sep, 2024 | 00:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability.

Action-Not Available
Vendor-Oracle CorporationDell Inc.
Product-http_serverweblogic_server_proxy_plug-inbsafe_crypto-c-micro-editiondatabasebsafe_micro-edition-suitesecurity_serviceDell BSAFE Crypto-C Micro Edition
CWE ID-CWE-385
Covert Timing Channel
CVE-2017-14375
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-2.76% / 85.44%
||
7 Day CHG~0.00%
Published-01 Nov, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EMC Unisphere for VMAX Virtual Appliance (vApp) versions prior to 8.4.0.15, EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.15, EMC VASA Virtual Appliance versions prior to 8.4.0.512, and EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier) contain an authentication bypass vulnerability that may potentially be exploited by malicious users to compromise the affected system.

Action-Not Available
Vendor-n/aELAN Microelectronics CorporationDell Inc.
Product-vmax_emanagementvasaemc_unispheresolutions_enablerEMC VMAX Virtual Appliance (vApp) EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.15, EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.15, EMC VASA Virtual Appliance versions prior to 8.4.0.512, EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2024-25971
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 14.79%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 18:43
Updated-27 Jan, 2025 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.

Action-Not Available
Vendor-Dell Inc.
Product-powerprotect_data_managerPowerProtect Data Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-36608
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 18.54%
||
7 Day CHG~0.00%
Published-30 Jul, 2025 | 18:09
Updated-06 Aug, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.

Action-Not Available
Vendor-Dell Inc.
Product-smartfabric_os10SmartFabric OS10 Software
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-36603
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-4.2||MEDIUM
EPSS-0.02% / 3.44%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 16:20
Updated-06 Aug, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.

Action-Not Available
Vendor-Dell Inc.
Product-appsyncAppSync
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-43067
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-4.9||MEDIUM
EPSS-0.02% / 3.96%
||
7 Day CHG~0.00%
Published-23 Oct, 2023 | 15:05
Updated-17 Sep, 2024 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system.

Action-Not Available
Vendor-Dell Inc.
Product-unity_operating_environmentunityvsa_operating_environmentunity_xt_operating_environmentUnity
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-26484
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 14.21%
||
7 Day CHG+0.01%
Published-14 Aug, 2025 | 14:24
Updated-18 Aug, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell CloudLink, versions 8.0 through 8.1.1, contains an Improper Restriction of XML External Entity Reference vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of service.

Action-Not Available
Vendor-Dell Inc.
Product-cloudlinkCloudLink
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-11048
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-8.1||HIGH
EPSS-0.41% / 60.53%
||
7 Day CHG~0.00%
Published-10 Aug, 2018 | 20:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.

Action-Not Available
Vendor-Dell Inc.
Product-emc_integrated_data_protection_applianceemc_data_protection_advisorData Protection AdvisorIntegrated Data Protection Appliance
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-21517
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-7.2||HIGH
EPSS-0.44% / 62.29%
||
7 Day CHG~0.00%
Published-01 Mar, 2021 | 20:25
Updated-17 Sep, 2024 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.

Action-Not Available
Vendor-Dell Inc.
Product-emc_srs_policy_managerSRS Policy Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-22478
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-8.1||HIGH
EPSS-0.09% / 25.62%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 15:55
Updated-13 May, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.

Action-Not Available
Vendor-Dell Inc.
Product-storage_managerDell Storage Center - Dell Storage Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-3722
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-7.5||HIGH
EPSS-18.57% / 95.01%
||
7 Day CHG~0.00%
Published-06 Jun, 2019 | 19:13
Updated-16 Sep, 2024 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity (XXE) Injection Vulnerability

Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request.

Action-Not Available
Vendor-Dell Inc.
Product-emc_openmanage_server_administratorOpenManage Server Administrator
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-3752
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-8.2||HIGH
EPSS-0.38% / 58.37%
||
7 Day CHG~0.00%
Published-16 Jul, 2021 | 21:20
Updated-16 Sep, 2024 | 23:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.

Action-Not Available
Vendor-Dell Inc.
Product-emc_integrated_data_protection_applianceemc_avamar_serverAvamar
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-39586
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-2.9||LOW
EPSS-0.03% / 6.81%
||
7 Day CHG~0.00%
Published-09 Oct, 2024 | 06:48
Updated-17 Oct, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.

Action-Not Available
Vendor-Dell Inc.
Product-emc_appsyncAppSync
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-5323
Matching Score-6
Assigner-Dell
ShareView Details
Matching Score-6
Assigner-Dell
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 61.61%
||
7 Day CHG~0.00%
Published-19 Jul, 2021 | 21:30
Updated-16 Sep, 2024 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain an injection vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability to gain access to sensitive information or cause denial-of-service.

Action-Not Available
Vendor-Dell Inc.
Product-emc_openmanage_enterprise-modularemc_openmanage_enterpriseDell OpenManage Enterprise
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-0228
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-7.83% / 91.62%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 14:07
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Action-Not Available
Vendor-n/aThe Apache Software FoundationFedora ProjectOracle Corporation
Product-banking_trade_finance_process_managementpeoplesoft_enterprise_peopletoolsbanking_supply_chain_financepdfboxcommunications_messaging_serverhyperion_financial_reportingfedoraretail_xstore_point_of_servicejamesbanking_corporate_lending_process_managementcommunications_session_report_managerwebcenter_sitesbanking_credit_facilities_process_managementbanking_virtual_account_managementApache PDFBox
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-3878
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.77%
||
7 Day CHG~0.00%
Published-15 Oct, 2021 | 13:40
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Action-Not Available
Vendor-stanfordstanfordnlp
Product-corenlpstanfordnlp/corenlp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-8027
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-2.97% / 85.96%
||
7 Day CHG~0.00%
Published-31 Jul, 2018 | 13:00
Updated-16 Sep, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.

Action-Not Available
Vendor-The Apache Software Foundation
Product-camelApache Camel
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-8940
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 69.14%
||
7 Day CHG~0.00%
Published-14 May, 2019 | 18:12
Updated-05 Aug, 2024 | 07:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.

Action-Not Available
Vendor-enghousen/a
Product-contact_center\n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-6489
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.80%
||
7 Day CHG~0.00%
Published-22 Feb, 2018 | 22:00
Updated-05 Aug, 2024 | 06:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)

Action-Not Available
Vendor-n/aMicro Focus International Limited
Product-project_and_portfolio_management_centern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-6486
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.3||HIGH
EPSS-0.21% / 43.70%
||
7 Day CHG~0.00%
Published-02 Feb, 2018 | 14:00
Updated-16 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection

XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.

Action-Not Available
Vendor-Micro Focus International Limited
Product-fortify_audit_workbenchfortify_software_security_centerFortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-7523
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 21.16%
||
7 Day CHG~0.00%
Published-13 Jul, 2025 | 07:02
Updated-26 Aug, 2025 | 12:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA DelTemp.aspx xml external entity reference

A vulnerability was found in Jinher OA 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-3881
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.4||CRITICAL
EPSS-1.98% / 82.79%
||
7 Day CHG~0.00%
Published-01 Aug, 2018 | 20:00
Updated-16 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise.

Action-Not Available
Vendor-focalscopeFocalScope
Product-focalscopeFocalscope
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-7824
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-19 Jul, 2025 | 13:02
Updated-26 Aug, 2025 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA XmlHttp.aspx xml external entity reference

A vulnerability was found in Jinher OA 1.1. It has been rated as problematic. This issue affects some unknown processing of the file XmlHttp.aspx. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-7823
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-19 Jul, 2025 | 12:44
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA ProjectScheduleDelete.aspx xml external entity reference

A vulnerability was found in Jinher OA 1.2. It has been declared as problematic. This vulnerability affects unknown code of the file ProjectScheduleDelete.aspx. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Jinher
Product-OA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20687
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.59% / 80.89%
||
7 Day CHG~0.00%
Published-18 Nov, 2019 | 18:12
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Action-Not Available
Vendor-raritann/a
Product-commandcenter_secure_gatewayn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20664
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.35% / 79.30%
||
7 Day CHG~0.00%
Published-03 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_adselfservice_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2016-5795
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.3||HIGH
EPSS-1.19% / 77.96%
||
7 Day CHG~0.00%
Published-31 Aug, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.

Action-Not Available
Vendor-automatedlogiccarriern/a
Product-automatedlogic_webctrlsitescan_webi-vun/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-35066
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.59%
||
7 Day CHG~0.00%
Published-21 Jun, 2021 | 19:05
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.

Action-Not Available
Vendor-connectwisen/a
Product-automaten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20433
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.54% / 84.88%
||
7 Day CHG~0.00%
Published-24 Dec, 2018 | 13:00
Updated-05 Aug, 2024 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Action-Not Available
Vendor-mchangen/aDebian GNU/Linux
Product-debian_linuxc3p0n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2015-3907
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 63.37%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 20:54
Updated-06 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks.

Action-Not Available
Vendor-codeigniter-restserver_projectn/a
Product-codeigniter-restservern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20222
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.62%
||
7 Day CHG~0.00%
Published-04 Apr, 2019 | 15:48
Updated-05 Aug, 2024 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XXE issue in Airsonic before 10.1.2 during parse.

Action-Not Available
Vendor-airsonic_projectn/a
Product-airsonicn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20318
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 64.17%
||
7 Day CHG~0.00%
Published-21 Dec, 2018 | 00:00
Updated-17 Sep, 2024 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.

Action-Not Available
Vendor-wxjava_projectn/a
Product-wxjavan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20059
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 60.09%
||
7 Day CHG~0.00%
Published-11 Dec, 2018 | 10:00
Updated-16 Sep, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.

Action-Not Available
Vendor-pippon/a
Product-pippon/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-15531
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.56% / 95.19%
||
7 Day CHG~0.00%
Published-26 Sep, 2018 | 22:00
Updated-05 Aug, 2024 | 09:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

Action-Not Available
Vendor-javamelody_projectn/a
Product-javamelodyn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-14485
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-21.70% / 95.52%
||
7 Day CHG~0.00%
Published-07 May, 2019 | 17:47
Updated-05 Aug, 2024 | 09:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.

Action-Not Available
Vendor-blogenginen/a
Product-blogengine.netn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20160
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.67% / 85.20%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 21:12
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.

Action-Not Available
Vendor-n/aSynacor, Inc.
Product-zimbra_collaboration_suiten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-18703
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.57% / 84.96%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 17:55
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.

Action-Not Available
Vendor-quokka_projectn/a
Product-quokkan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-13415
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-42.98% / 97.40%
||
7 Day CHG~0.00%
Published-13 Aug, 2018 | 17:00
Updated-05 Aug, 2024 | 09:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Action-Not Available
Vendor-plexn/a
Product-media_servern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-12463
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.3||HIGH
EPSS-19.33% / 95.14%
||
7 Day CHG~0.00%
Published-12 Jul, 2018 | 16:00
Updated-16 Sep, 2024 | 22:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFSBGN03811 rev.1 - Fortify Software Security Center (SSC), Multiple vulnerabilities

An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Action-Not Available
Vendor-Micro Focus International LimitedHP Inc.
Product-fortify_software_security_centerFortify Software Security Center
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1285
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-49.02% / 97.69%
||
7 Day CHG~0.00%
Published-11 May, 2020 | 16:41
Updated-05 Aug, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Action-Not Available
Vendor-n/aNetApp, Inc.The Apache Software FoundationFedora ProjectOracle Corporation
Product-manageability_software_development_kitfedorahospitality_simphonyhospitality_opera_5application_testing_suitelog4netsnapcenterApache log4net
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-12544
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 69.68%
||
7 Day CHG~0.00%
Published-10 Oct, 2018 | 20:00
Updated-05 Aug, 2024 | 08:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-vert.xEclipse Vert.x
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-13417
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-48.50% / 97.66%
||
7 Day CHG~0.00%
Published-13 Aug, 2018 | 17:00
Updated-05 Aug, 2024 | 09:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Vuze, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Action-Not Available
Vendor-vuzen/a
Product-bittorrent_clientn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1309
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-2.86% / 85.71%
||
7 Day CHG~0.00%
Published-23 May, 2018 | 14:00
Updated-16 Sep, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found