Byte Open Security

(ByteOS Network)

Vulnerability Details: CVE-2018-17411

Summary
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 26 Sep, 2018 | 22:00
Updated At: 05 Aug, 2024 | 10:47
Rejected At:

An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20.

Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 26 Sep, 2018 | 22:00
Updated At: 05 Aug, 2024 | 10:47
Rejected At:
CVE Numbering Authority (CNA)

An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20.

Affected Products
Vendor: n/a
Product: n/a
Versions affected: n/a

Problem Types
Type: text
CWE ID: N/A
Description: n/a
References
Hyperlink: https://github.com/MrR3boot/CVE-Hunting/blob/master/iWay%20DQS%20XXE.pdf
Resource: x_refsource_MISC
Authorized Data Publishers (ADP)
CVE Program Container
References
Hyperlink: https://github.com/MrR3boot/CVE-Hunting/blob/master/iWay%20DQS%20XXE.pdf
Resource: x_refsource_MISC, x_transferred
National Vulnerability Database (NVD)
nvd.nist.gov
Source: cve@mitre.org
Published At: 26 Sep, 2018 | 22:29
Updated At: 17 Dec, 2018 | 16:33

An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A

Metrics
Type: Primary
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Primary
Version: 2.0
Base score: 10.0
Base severity: HIGH
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CPE Matches

ibi - Information Builders (Cloud Software Group, Inc.)
informationbuilders >> data_quality_suite >> 10.6.1
cpe:2.3:a:informationbuilders:data_quality_suite:10.6.1:*:*:*:*:*:*:*

Weaknesses
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov

References
Hyperlink: https://github.com/MrR3boot/CVE-Hunting/blob/master/iWay%20DQS%20XXE.pdf
Source: cve@mitre.org
Resource: Exploit, Third Party Advisory


Similar CVEs

68 records found

CVE-2014-3990
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 11.47% / 93.33%
7 Day CHG: ~0.00%
Published: 20 Mar, 2018 | 21:00
Updated: 06 Aug, 2024 | 11:04
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request.

Action: Not Available
Vendor: opencart; n/a
Product: opencart; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)
CWE ID: CWE-918 (Server-Side Request Forgery (SSRF))

CVE-2014-3005
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 4.29% / 88.39%
7 Day CHG: ~0.00%
Published: 01 Feb, 2018 | 17:00
Updated: 06 Aug, 2024 | 10:28
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.

Action: Not Available
Vendor: n/a; ZABBIX; Fedora Project
Product: zabbix; fedora; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2014-3244
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 6.51% / 90.72%
7 Day CHG: ~0.00%
Published: 01 Feb, 2018 | 17:00
Updated: 06 Aug, 2024 | 10:35
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.

Action: Not Available
Vendor: n/a; SugarCRM Inc.
Product: sugarcrm; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2014-0030
Matching Score: 4
Assigner: Red Hat, Inc.
CVSS Score: 9.8 (CRITICAL)
EPSS: 18.96% / 95.08%
7 Day CHG: ~0.00%
Published: 09 Oct, 2017 | 14:00
Updated: 20 Apr, 2025 | 01:37
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.

Action: Not Available
Vendor: n/a; The Apache Software Foundation
Product: roller; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2019-1010268
Matching Score: 4
Assigner: 7556d962-6fb7-411e-85fa-6cd62f095ba8
CVSS Score: 9.8 (CRITICAL)
EPSS: 13.24% / 93.88%
7 Day CHG: ~0.00%
Published: 18 Jul, 2019 | 16:05
Updated: 05 Aug, 2024 | 03:07
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

Action: Not Available
Vendor: ladon_project; Ladon
Product: ladon; Ladon
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2019-12924
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 0.14% / 34.15%
7 Day CHG: +0.02%
Published: 08 Jul, 2019 | 21:00
Updated: 04 Aug, 2024 | 23:32
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).

Action: Not Available
Vendor: mailenable; n/a
Product: mailenable; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)
CWE ID: CWE-311 (Missing Encryption of Sensitive Data)

CVE-2019-11677
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 4.22% / 88.31%
7 Day CHG: -1.74%
Published: 02 May, 2019 | 13:06
Updated: 04 Aug, 2024 | 23:03
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.

Action: Not Available
Vendor: n/a; Zoho Corporation Pvt. Ltd.
Product: manageengine_firewall_analyzer; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-8940
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 0.62% / 69.16%
7 Day CHG: ~0.00%
Published: 14 May, 2019 | 18:12
Updated: 05 Aug, 2024 | 07:10
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.

Action: Not Available
Vendor: enghouse; n/a
Product: contact_center; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-8027
Matching Score: 4
Assigner: Apache Software Foundation
CVSS Score: 9.8 (CRITICAL)
EPSS: 2.97% / 85.97%
7 Day CHG: ~0.00%
Published: 31 Jul, 2018 | 13:00
Updated: 16 Sep, 2024 | 19:25
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.

Action: Not Available
Vendor: The Apache Software Foundation
Product: camel; Apache Camel
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-6489
Matching Score: 4
Assigner: OpenText (formerly Micro Focus)
CVSS Score: 9.8 (CRITICAL)
EPSS: 0.31% / 53.81%
7 Day CHG: ~0.00%
Published: 22 Feb, 2018 | 22:00
Updated: 05 Aug, 2024 | 06:01
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)

Action: Not Available
Vendor: n/a; Micro Focus International Limited
Product: project_and_portfolio_management_center; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-6486
Matching Score: 4
Assigner: OpenText (formerly Micro Focus)
CVSS Score: 7.3 (HIGH)
EPSS: 0.21% / 43.69%
7 Day CHG: ~0.00%
Published: 02 Feb, 2018 | 14:00
Updated: 16 Sep, 2024 | 16:28
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection

XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.

Action: Not Available
Vendor: Micro Focus International Limited
Product: fortify_audit_workbench; fortify_software_security_center; Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC)
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-20664
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 1.35% / 79.32%
7 Day CHG: ~0.00%
Published: 03 Jan, 2019 | 18:00
Updated: 05 Aug, 2024 | 12:05
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

Action: Not Available
Vendor: n/a; Zoho Corporation Pvt. Ltd.
Product: manageengine_adselfservice_plus; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-18471
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 15.52% / 94.41%
7 Day CHG: ~0.00%
Published: 19 Jun, 2019 | 15:48
Updated: 05 Aug, 2024 | 11:08
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device.

Action: Not Available
Vendor: medion; axentra; seagate; n/a; NETGEAR, Inc.
Product: stora; goflex_home; hipserv; lifecloud; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2015-7326
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 1.96% / 82.75%
7 Day CHG: ~0.00%
Published: 07 Jun, 2017 | 14:00
Updated: 20 Apr, 2025 | 01:37
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.

Action: Not Available
Vendor: milton; n/a
Product: webdav; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2015-7273
Matching Score: 4
Assigner: CERT/CC
CVSS Score: 9.8 (CRITICAL)
EPSS: 0.71% / 71.42%
7 Day CHG: ~0.00%
Published: 10 Apr, 2017 | 03:00
Updated: 20 Apr, 2025 | 01:37
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.

Action: Not Available
Vendor: n/a; Dell Inc.
Product: integrated_remote_access_controller_7; integrated_remote_access_controller_8; integrated_remote_access_controller_firmware; Dell Integrated Remote Access Controller (iDRAC)
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-15506
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 2.14% / 83.52%
7 Day CHG: ~0.00%
Published: 19 Jun, 2019 | 16:13
Updated: 05 Aug, 2024 | 09:54
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Action: Not Available
Vendor: bubblesoftapps; n/a
Product: bubbleupnp; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2018-15531
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 18.99% / 95.09%
7 Day CHG: -0.57%
Published: 26 Sep, 2018 | 22:00
Updated: 05 Aug, 2024 | 09:54
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

Action: Not Available
Vendor: javamelody_project; n/a
Product: javamelody; n/a
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)

CVE-2021-3902
Matching Score: 4
Assigner: Protect AI (formerly huntr.dev)
CVSS Score: 9.8 (CRITICAL)
EPSS: 4.12% / 88.16%
7 Day CHG: ~0.00%
Published: 15 Nov, 2024 | 10:52
Updated: 19 Nov, 2024 | 17:12
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Improper Restriction of XML External Entity Reference in dompdf/dompdf

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

Action: Not Available
Vendor: dompdf_project; dompdf; dompdf
Product: dompdf; dompdf/dompdf; dompdf
CWE ID: CWE-611 (Improper Restriction of XML External Entity Reference)