Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-15506

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-19 Jun, 2019 | 16:13
Updated At-05 Aug, 2024 | 09:54
Rejected At-
Credits

In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:19 Jun, 2019 | 16:13
Updated At:05 Aug, 2024 | 09:54
Rejected At:
▼CVE Numbering Authority (CNA)

In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html
x_refsource_CONFIRM
Hyperlink: https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:19 Jun, 2019 | 17:15
Updated At:21 Jun, 2019 | 16:14

In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
bubblesoftapps
bubblesoftapps
>>bubbleupnp>>0.9
cpe:2.3:a:bubblesoftapps:bubbleupnp:0.9:update_30:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarynvd@nist.gov
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.htmlcve@mitre.org
Release Notes
Vendor Advisory
Hyperlink: https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html
Source: cve@mitre.org
Resource:
Release Notes
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

143Records found
CVE-2020-9352
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.96% / 75.56%
||
7 Day CHG~0.00%
Published-23 Feb, 2020 | 00:00
Updated-04 Aug, 2024 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."

Action-Not Available
Vendor-smartclientn/a
Product-smartclientn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0839
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.3||HIGH
EPSS-0.12% / 31.83%
||
7 Day CHG+0.01%
Published-04 Mar, 2022 | 14:25
Updated-02 Aug, 2024 | 23:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in liquibase/liquibase

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

Action-Not Available
Vendor-liquibaseliquibaseOracle Corporation
Product-sqlclliquibaseliquibase/liquibase
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0272
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.3||HIGH
EPSS-0.29% / 51.78%
||
7 Day CHG~0.00%
Published-21 Apr, 2022 | 16:20
Updated-02 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in detekt/detekt

Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.

Action-Not Available
Vendor-detektdetekt
Product-detektdetekt/detekt
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0265
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.3||HIGH
EPSS-9.68% / 92.61%
||
7 Day CHG+0.44%
Published-03 Mar, 2022 | 21:40
Updated-02 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in hazelcast/hazelcast

Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1.

Action-Not Available
Vendor-hazelcasthazelcast
Product-hazelcasthazelcast/hazelcast
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2013-4334
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.63%
||
7 Day CHG~0.00%
Published-07 Feb, 2020 | 13:53
Updated-06 Aug, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities

Action-Not Available
Vendor-tejimayaopWebAPIPlugin
Product-opwebapipluginopWebAPIPlugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-45024
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.23%
||
7 Day CHG~0.00%
Published-17 Jun, 2022 | 11:57
Updated-04 Aug, 2024 | 04:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).

Action-Not Available
Vendor-rocketsoftwaren/a
Product-ags-zenan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-43090
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 62.69%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 15:47
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability exists in soa-model before 1.6.4 in the WSDLParser function.

Action-Not Available
Vendor-predic8n/a
Product-soa_modeln/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-43142
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.42%
||
7 Day CHG~0.00%
Published-30 Mar, 2022 | 21:05
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.

Action-Not Available
Vendor-jox_projectn/a
Product-joxn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-40722
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.8||CRITICAL
EPSS-0.38% / 58.82%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 20:27
Updated-16 Sep, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AEM Forms Improper Restriction of XML External Entity Reference

AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-3878
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.80%
||
7 Day CHG~0.00%
Published-15 Oct, 2021 | 13:40
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Action-Not Available
Vendor-stanfordstanfordnlp
Product-corenlpstanfordnlp/corenlp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-3902
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-4.12% / 88.17%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 10:52
Updated-19 Nov, 2024 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in dompdf/dompdf

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

Action-Not Available
Vendor-dompdf_projectdompdfdompdf
Product-dompdfdompdf/dompdfdompdf
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-38298
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.59% / 89.95%
||
7 Day CHG~0.00%
Published-07 Oct, 2021 | 21:33
Updated-04 Aug, 2024 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_admanager_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-3836
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 38.15%
||
7 Day CHG~0.00%
Published-14 Dec, 2021 | 15:20
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in dbeaver/dbeaver

dbeaver is vulnerable to Improper Restriction of XML External Entity Reference

Action-Not Available
Vendor-dbeaverdbeaver
Product-dbeaverdbeaver/dbeaver
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-34436
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-9.8||CRITICAL
EPSS-3.50% / 87.14%
||
7 Day CHG~0.00%
Published-02 Sep, 2021 | 20:55
Updated-04 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-theiaEclipse Theia
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-20627
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 62.56%
||
7 Day CHG~0.00%
Published-23 Mar, 2020 | 16:55
Updated-05 Aug, 2024 | 02:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.

Action-Not Available
Vendor-rbsoftn/a
Product-autoupdater.netn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-10799
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.34% / 55.92%
||
7 Day CHG~0.00%
Published-20 Mar, 2020 | 22:40
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.

Action-Not Available
Vendor-svglib_projectn/a
Product-svglibn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2015-7326
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 82.75%
||
7 Day CHG~0.00%
Published-07 Jun, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.

Action-Not Available
Vendor-miltonn/a
Product-webdavn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-25257
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.63%
||
7 Day CHG~0.00%
Published-11 Sep, 2020 | 02:19
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows XXE attacks for read/write access to arbitrary files.

Action-Not Available
Vendor-hylandn/a
Product-onbasen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-25020
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.00% / 82.89%
||
7 Day CHG~0.00%
Published-29 Aug, 2020 | 18:31
Updated-05 May, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.

Action-Not Available
Vendor-mpxjn/aOracle Corporation
Product-primavera_unifiermpxjn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-25215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.49% / 64.61%
||
7 Day CHG~0.00%
Published-17 Sep, 2020 | 00:00
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document.

Action-Not Available
Vendor-yworksn/a
Product-yedn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2017-3206
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.53% / 80.59%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 17:00
Updated-05 Aug, 2024 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Action Message Format (AMF3) deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages

The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

Action-Not Available
Vendor-exadelExadel
Product-flamingoFlamingo amf-serializer
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-0239
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.7||MEDIUM
EPSS-0.06% / 17.03%
||
7 Day CHG-0.04%
Published-17 Jan, 2022 | 06:15
Updated-23 Aug, 2024 | 14:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Action-Not Available
Vendor-stanfordstanfordnlpstanford
Product-corenlpstanfordnlp/corenlpcorenlp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-46660
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 57.93%
||
7 Day CHG~0.00%
Published-29 Jan, 2022 | 23:10
Updated-04 Aug, 2024 | 05:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

Action-Not Available
Vendor-signiantn/a
Product-manager\+agentsn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-9670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.43% / 99.98%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 21:04
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-07-10||Apply updates per vendor instructions.

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

Action-Not Available
Vendor-n/aSynacor, Inc.
Product-zimbra_collaboration_suiten/aZimbra Collaboration Suite (ZCS)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-7442
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.56% / 89.91%
||
7 Day CHG~0.00%
Published-08 May, 2019 | 20:54
Updated-04 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.

Action-Not Available
Vendor-cyberarkn/a
Product-enterprise_password_vaultn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-5312
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 64.20%
||
7 Day CHG~0.00%
Published-04 Jan, 2019 | 16:00
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in weixin-java-tools v3.3.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318.

Action-Not Available
Vendor-wxjava_projectn/a
Product-wxjavan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-5748
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.63%
||
7 Day CHG~0.00%
Published-09 Jan, 2019 | 17:00
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.

Action-Not Available
Vendor-traccarn/a
Product-servern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-3773
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.65%
||
7 Day CHG~0.00%
Published-18 Jan, 2019 | 22:00
Updated-17 Sep, 2024 | 03:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Web Services XML External Entity Injection (XXE)

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Action-Not Available
Vendor-Oracle CorporationVMware (Broadcom Inc.)
Product-flexcube_private_bankingfinancial_services_analytical_applications_infrastructurespring_web_servicesSpring Web Services
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-3774
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-2.11% / 83.39%
||
7 Day CHG~0.00%
Published-18 Jan, 2019 | 22:00
Updated-16 Sep, 2024 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Batch XML External Entity Injection (XXE)

Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_batchSpring Batch
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-3772
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-2.75% / 85.43%
||
7 Day CHG~0.00%
Published-18 Jan, 2019 | 22:00
Updated-16 Sep, 2024 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Integration XML External Entity Injection (XXE)

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Action-Not Available
Vendor-Oracle CorporationVMware (Broadcom Inc.)
Product-spring_integrationretail_customer_management_and_segmentation_foundationSpring Integration
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-7523
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.06% / 19.01%
||
7 Day CHG-0.01%
Published-13 Jul, 2025 | 07:02
Updated-26 Aug, 2025 | 12:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jinher OA DelTemp.aspx xml external entity reference

A vulnerability was found in Jinher OA 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jinherJinher
Product-jinher_oaOA
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-14678
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-0.80% / 73.06%
||
7 Day CHG~0.00%
Published-14 Nov, 2019 | 20:59
Updated-05 Aug, 2024 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

Action-Not Available
Vendor-sasn/aMicrosoft CorporationHP Inc.IBM CorporationLinux Kernel Organization, IncOracle Corporation
Product-windows_server_2016windows_8linux_kernelwindows_8.1windows_server_2012solarishp-uxwindowswindows_7windows_10xml_mapperz\/osaixbase_saswindows_server_2019n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-13990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.42% / 92.92%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:00
Updated-15 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Action-Not Available
Vendor-softwareagn/aAtlassianNetApp, Inc.The Apache Software FoundationOracle Corporation
Product-flexcube_investor_servicingprimavera_unifierquartzretail_central_officegoogle_guava_mapviewerjd_edwards_enterpriseone_orchestratorretail_back_officeterracotta_quartz_scheduler_mapviewercommunications_ip_service_activatorcommunications_session_route_manageractive_iq_unified_managerflexcube_private_bankingretail_integration_busretail_returns_managementapache_batik_mapviewerbanking_enterprise_product_manufacturingjira_service_managementretail_point-of-servicebanking_enterprise_originationsbanking_paymentsretail_order_brokertomeeretail_xstore_point_of_servicecustomer_management_and_segmentation_foundationfusion_middleware_mapviewercloud_secure_agentdocumakerwebcenter_siteshyperion_infrastructure_technologyenterprise_manager_ops_centerenterprise_manager_base_platformn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20664
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.35% / 79.32%
||
7 Day CHG~0.00%
Published-03 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_adselfservice_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-12924
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 34.15%
||
7 Day CHG+0.02%
Published-08 Jul, 2019 | 21:00
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).

Action-Not Available
Vendor-mailenablen/a
Product-mailenablen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2019-11677
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.22% / 88.31%
||
7 Day CHG-1.74%
Published-02 May, 2019 | 13:06
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_firewall_analyzern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-1010268
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
ShareView Details
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
CVSS Score-9.8||CRITICAL
EPSS-13.24% / 93.88%
||
7 Day CHG~0.00%
Published-18 Jul, 2019 | 16:05
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

Action-Not Available
Vendor-ladon_projectLadon
Product-ladonLadon
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-0228
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-7.83% / 91.62%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 14:07
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Action-Not Available
Vendor-n/aThe Apache Software FoundationFedora ProjectOracle Corporation
Product-banking_trade_finance_process_managementpeoplesoft_enterprise_peopletoolsbanking_supply_chain_financepdfboxcommunications_messaging_serverhyperion_financial_reportingfedoraretail_xstore_point_of_servicejamesbanking_corporate_lending_process_managementcommunications_session_report_managerwebcenter_sitesbanking_credit_facilities_process_managementbanking_virtual_account_managementApache PDFBox
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-8940
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 69.16%
||
7 Day CHG~0.00%
Published-14 May, 2019 | 18:12
Updated-05 Aug, 2024 | 07:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.

Action-Not Available
Vendor-enghousen/a
Product-contact_center\n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-6486
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.3||HIGH
EPSS-0.21% / 43.69%
||
7 Day CHG~0.00%
Published-02 Feb, 2018 | 14:00
Updated-16 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection

XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.

Action-Not Available
Vendor-Micro Focus International Limited
Product-fortify_audit_workbenchfortify_software_security_centerFortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-6489
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.81%
||
7 Day CHG~0.00%
Published-22 Feb, 2018 | 22:00
Updated-05 Aug, 2024 | 06:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)

Action-Not Available
Vendor-n/aMicro Focus International Limited
Product-project_and_portfolio_management_centern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-3881
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.4||CRITICAL
EPSS-1.98% / 82.80%
||
7 Day CHG~0.00%
Published-01 Aug, 2018 | 20:00
Updated-16 Sep, 2024 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise.

Action-Not Available
Vendor-focalscopeFocalScope
Product-focalscopeFocalscope
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20687
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.59% / 80.91%
||
7 Day CHG~0.00%
Published-18 Nov, 2019 | 18:12
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Action-Not Available
Vendor-raritann/a
Product-commandcenter_secure_gatewayn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20059
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 60.11%
||
7 Day CHG~0.00%
Published-11 Dec, 2018 | 10:00
Updated-16 Sep, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.

Action-Not Available
Vendor-pippon/a
Product-pippon/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20433
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.54% / 84.88%
||
7 Day CHG~0.00%
Published-24 Dec, 2018 | 13:00
Updated-05 Aug, 2024 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Action-Not Available
Vendor-mchangen/aDebian GNU/Linux
Product-debian_linuxc3p0n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20318
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 64.20%
||
7 Day CHG~0.00%
Published-21 Dec, 2018 | 00:00
Updated-17 Sep, 2024 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.

Action-Not Available
Vendor-wxjava_projectn/a
Product-wxjavan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20160
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.67% / 85.21%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 21:12
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in Synacor Zimbra Collaboration Suite 8.7 and 8.8 and in other products, allows XXE attacks, as demonstrated by a crafted XML request to mailboxd.

Action-Not Available
Vendor-n/aSynacor, Inc.
Product-zimbra_collaboration_suiten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-18471
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-15.52% / 94.41%
||
7 Day CHG~0.00%
Published-19 Jun, 2019 | 15:48
Updated-05 Aug, 2024 | 11:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device.

Action-Not Available
Vendor-medionaxentraseagaten/aNETGEAR, Inc.
Product-storagoflex_homehipservlifecloudn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-17411
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 70.26%
||
7 Day CHG~0.00%
Published-26 Sep, 2018 | 22:00
Updated-05 Aug, 2024 | 10:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20.

Action-Not Available
Vendor-n/aibi - Information Builders (Cloud Software Group, Inc.)
Product-data_quality_suiten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-16521
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.81%
||
7 Day CHG~0.00%
Published-05 Sep, 2018 | 15:00
Updated-16 Sep, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.

Action-Not Available
Vendor-openmrsn/a
Product-html_form_entryreference_applicationn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found