Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-24591

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-21 Aug, 2020 | 19:05
Updated At-04 Aug, 2024 | 15:19
Rejected At-
Credits

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:21 Aug, 2020 | 19:05
Updated At:04 Aug, 2024 | 15:19
Rejected At:
▼CVE Numbering Authority (CNA)

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AC:L/AV:N/A:H/C:H/I:N/PR:H/S:U/UI:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AC:L/AV:N/A:H/C:H/I:N/PR:H/S:U/UI:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
x_refsource_MISC
Hyperlink: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
x_refsource_MISC
x_transferred
Hyperlink: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:21 Aug, 2020 | 20:15
Updated At:19 Apr, 2022 | 18:28

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Primary2.05.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:P
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Type: Primary
Version: 2.0
Base score: 5.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:P
CPE Matches
WSO2 LLC
wso2
>>api_manager>>Versions up to 3.0.0(inclusive)
cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
WSO2 LLC
wso2
>>api_manager_analytics>>2.2.0
cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*
WSO2 LLC
wso2
>>api_manager_analytics>>2.5.0
cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*
WSO2 LLC
wso2
>>api_microgateway>>2.2.0
cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*
WSO2 LLC
wso2
>>enterprise_integrator>>6.2.0
cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*
WSO2 LLC
wso2
>>enterprise_integrator>>6.3.0
cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*
WSO2 LLC
wso2
>>identity_server_analytics>>Versions up to 5.6.0(inclusive)
cpe:2.3:a:wso2:identity_server_analytics:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarynvd@nist.gov
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728cve@mitre.org
Vendor Advisory
Hyperlink: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
Source: cve@mitre.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

82Records found
CVE-2023-6836
Matching Score-6
Assigner-WSO2 LLC
ShareView Details
Matching Score-6
Assigner-WSO2 LLC
CVSS Score-4.6||MEDIUM
EPSS-0.17% / 38.71%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 09:26
Updated-02 Aug, 2024 | 08:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

Action-Not Available
Vendor-WSO2 LLC
Product-api_microgatewayapi_managerenterprise_integratorapi_manager_analyticsmicro_integratoridentity_serveridentity_server_as_key_managerWSO2 Micro IntegratorWSO2 API Manager WSO2 API MicrogatewayWSO2 Enterprise IntegratorWSO2 Identity ServerWSO2 API Manager AnalyticsWSO2 IS as Key Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-24589
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-89.20% / 99.52%
||
7 Day CHG~0.00%
Published-21 Aug, 2020 | 19:06
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.

Action-Not Available
Vendor-n/aWSO2 LLC
Product-api_microgatewayapi_managern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-42646
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-1.27% / 78.69%
||
7 Day CHG~0.00%
Published-11 May, 2022 | 00:00
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.

Action-Not Available
Vendor-n/aWSO2 LLC
Product-identity_server_as_key_managerapi_manageridentity_servern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-13883
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.28% / 50.88%
||
7 Day CHG~0.00%
Published-06 Jun, 2020 | 18:49
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.

Action-Not Available
Vendor-n/aWSO2 LLC
Product-api_microgatewayidentity_server_as_key_managerapi_managern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-11885
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-0.35% / 56.75%
||
7 Day CHG~0.00%
Published-17 Apr, 2020 | 19:14
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.

Action-Not Available
Vendor-n/aWSO2 LLC
Product-enterprise_integratorn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2016-4312
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-5.42% / 89.77%
||
7 Day CHG~0.00%
Published-16 Feb, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.

Action-Not Available
Vendor-n/aWSO2 LLC
Product-identity_servern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-12719
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.7||HIGH
EPSS-0.40% / 60.04%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 23:40
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.

Action-Not Available
Vendor-n/aWSO2 LLC
Product-identity_server_analyticsapi_microgatewayapi_managerenterprise_integratorapi_manager_analyticsidentity_serveridentity_server_as_key_managern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-0277
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.78% / 72.66%
||
7 Day CHG~0.00%
Published-12 Mar, 2019 | 22:00
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).

Action-Not Available
Vendor-SAP SE
Product-hana_extended_application_servicesSAP HANA Extended Application Services
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2016-5971
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.41% / 60.27%
||
7 Day CHG~0.00%
Published-26 Sep, 2016 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Action-Not Available
Vendor-n/aIBM Corporation
Product-security_privileged_identity_manager_virtual_appliancen/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-25971
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 14.79%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 18:43
Updated-27 Jan, 2025 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.

Action-Not Available
Vendor-Dell Inc.
Product-powerprotect_data_managerPowerProtect Data Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-7037
Matching Score-4
Assigner-Avaya, Inc.
ShareView Details
Matching Score-4
Assigner-Avaya, Inc.
CVSS Score-8.1||HIGH
EPSS-0.56% / 67.41%
||
7 Day CHG~0.00%
Published-28 Apr, 2021 | 21:30
Updated-16 Sep, 2024 | 22:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Avaya Equinox Conferencing XXE vulnerability

An XML External Entities (XXE) vulnerability in Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system or even potentially lead to a denial of service. The affected versions of Avaya Equinox Conferencing includes all 9.x versions before 9.1.11. Equinox Conferencing is now offered as Avaya Meetings Server.

Action-Not Available
Vendor-Avaya LLC
Product-equinox_conferencingAvaya Meetings Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2016-0250
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 48.75%
||
7 Day CHG~0.00%
Published-12 Mar, 2018 | 21:00
Updated-05 Aug, 2024 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity (XXE) vulnerability in IBM InfoSphere Information Governance Catalog 11.3 before 11.3.1.2 and 11.5 before 11.5.0.1 allows remote authenticated users to read arbitrary files or cause a denial of service via crafted XML data. IBM X-Force ID: 110510.

Action-Not Available
Vendor-n/aIBM Corporation
Product-infosphere_information_servern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2016-0284
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 55.55%
||
7 Day CHG~0.00%
Published-24 Nov, 2016 | 19:41
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XML parser in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Action-Not Available
Vendor-n/aIBM Corporation
Product-rational_doors_next_generationrational_collaborative_lifecycle_managementrational_engineering_lifecycle_managerrational_team_concertrational_software_architect_design_managerrational_rhapsody_design_managerrational_quality_managern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-20233
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.77% / 72.54%
||
7 Day CHG~0.00%
Published-18 Jan, 2019 | 21:00
Updated-16 Sep, 2024 | 22:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.

Action-Not Available
Vendor-Atlassian
Product-universal_plugin_managerUniversal Plugin Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1920
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.52% / 65.87%
||
7 Day CHG~0.00%
Published-07 Dec, 2018 | 16:00
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855.

Action-Not Available
Vendor-IBM Corporation
Product-marketing_platformMarketing Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1970
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.36% / 57.37%
||
7 Day CHG~0.00%
Published-04 Feb, 2019 | 21:00
Updated-17 Sep, 2024 | 02:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Identity Manager 7.0.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 153751.

Action-Not Available
Vendor-IBM Corporation
Product-security_access_managerSecurity Identity Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-2019
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.55% / 66.81%
||
7 Day CHG~0.00%
Published-18 Jan, 2019 | 17:00
Updated-17 Sep, 2024 | 03:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265.

Action-Not Available
Vendor-IBM Corporation
Product-security_identity_managerSecurity Identity Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1845
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.46% / 62.97%
||
7 Day CHG~0.00%
Published-17 Jun, 2019 | 15:10
Updated-17 Sep, 2024 | 04:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-infosphere_information_server_business_glossarylinux_kernelinfosphere_information_server_metadata_workbenchwindowsinfosphere_governance_cataloginfosphere_information_serveraixinfosphere_information_server_on_cloudInfoSphere Information Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1844
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.35% / 56.78%
||
7 Day CHG~0.00%
Published-12 Oct, 2018 | 12:00
Updated-17 Sep, 2024 | 01:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904.

Action-Not Available
Vendor-IBM Corporation
Product-filenet_content_managerFileNet Content Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1730
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.36% / 57.37%
||
7 Day CHG~0.00%
Published-05 Dec, 2018 | 17:00
Updated-16 Sep, 2024 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147709.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_security_information_and_event_managerQRadar SIEM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1542
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.48% / 64.09%
||
7 Day CHG~0.00%
Published-06 Jul, 2018 | 14:00
Updated-17 Sep, 2024 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM FileNet Content Manager, IBM Content Foundation, and IBM Case Foundation Administration Console for Content Platform Engine (ACCE) 5.2.1 and 5.5.0 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 142597.

Action-Not Available
Vendor-IBM Corporation
Product-filenet_content_managercontent_foundationFileNet P8 Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1588
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.36% / 57.37%
||
7 Day CHG~0.00%
Published-25 Sep, 2018 | 16:00
Updated-16 Sep, 2024 | 23:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143501.

Action-Not Available
Vendor-IBM Corporation
Product-rational_engineering_lifecycle_managerRational Engineering Lifecycle Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-32925
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 65.13%
||
7 Day CHG~0.00%
Published-13 May, 2021 | 17:50
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.

Action-Not Available
Vendor-chamilon/a
Product-chamilon/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1421
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.32% / 54.72%
||
7 Day CHG~0.00%
Published-04 Apr, 2018 | 18:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere DataPower Appliances 7.1, 7.2, 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139023.

Action-Not Available
Vendor-IBM Corporation
Product-datapower_gatewayDataPower Gateways
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1424
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.52% / 65.87%
||
7 Day CHG~0.00%
Published-07 Dec, 2018 | 16:00
Updated-16 Sep, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029.

Action-Not Available
Vendor-IBM Corporation
Product-marketing_platformMarketing Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1835
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.29% / 51.64%
||
7 Day CHG~0.00%
Published-02 Nov, 2018 | 15:00
Updated-17 Sep, 2024 | 03:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Daeja ViewONE Professional, Standard & Virtual 5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150514.

Action-Not Available
Vendor-IBM Corporation
Product-daeja_viewoneDaeja ViewONE
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1846
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.35% / 56.78%
||
7 Day CHG~0.00%
Published-02 Nov, 2018 | 15:00
Updated-16 Sep, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 through 6.0.6 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150945.

Action-Not Available
Vendor-IBM Corporation
Product-rational_engineering_lifecycle_managerRational Engineering Lifecycle Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1702
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.35% / 56.78%
||
7 Day CHG~0.00%
Published-28 Sep, 2018 | 13:00
Updated-16 Sep, 2024 | 23:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 146189.

Action-Not Available
Vendor-IBM Corporation
Product-spectrum_symphonyplatform_symphonySpectrum SymphonyPlatform Symphony
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-26969
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5||MEDIUM
EPSS-0.86% / 74.06%
||
7 Day CHG~0.00%
Published-05 Mar, 2021 | 16:41
Updated-03 Aug, 2024 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.

Action-Not Available
Vendor-n/aAruba Networks
Product-airwaveAruba AirWave Management Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-27635
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-9||CRITICAL
EPSS-2.08% / 83.27%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 13:30
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_for_javaSAP NetWeaver AS for JAVA
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-25164
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5||MEDIUM
EPSS-1.12% / 77.36%
||
7 Day CHG~0.00%
Published-28 Apr, 2021 | 19:37
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.

Action-Not Available
Vendor-n/aAruba Networks
Product-airwaveAruba AirWave Management Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-25165
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8.1||HIGH
EPSS-0.94% / 75.26%
||
7 Day CHG~0.00%
Published-28 Apr, 2021 | 19:56
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.

Action-Not Available
Vendor-n/aAruba Networks
Product-airwaveAruba AirWave Management Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-25163
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8.1||HIGH
EPSS-0.94% / 75.26%
||
7 Day CHG~0.00%
Published-29 Apr, 2021 | 10:45
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.

Action-Not Available
Vendor-n/aAruba Networks
Product-airwaveAruba AirWave Management Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-4208
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.38% / 58.41%
||
7 Day CHG~0.00%
Published-07 May, 2019 | 18:35
Updated-17 Sep, 2024 | 02:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 159129.

Action-Not Available
Vendor-IBM Corporation
Product-tririga_application_platformTRIRIGA Application Platform
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-11048
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.1||HIGH
EPSS-0.41% / 60.53%
||
7 Day CHG~0.00%
Published-10 Aug, 2018 | 20:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request.

Action-Not Available
Vendor-Dell Inc.
Product-emc_integrated_data_protection_applianceemc_data_protection_advisorData Protection AdvisorIntegrated Data Protection Appliance
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-22498
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-8.1||HIGH
EPSS-0.32% / 54.76%
||
7 Day CHG~0.00%
Published-19 Jan, 2021 | 15:56
Updated-03 Aug, 2024 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML External Entity Injection.

Action-Not Available
Vendor-n/aMicro Focus International Limited
Product-application_lifecycle_managementApplication Lifecycle Management ( Previously known as Quality Center ).
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-20502
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.27% / 50.49%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 16:45
Updated-17 Sep, 2024 | 04:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.

Action-Not Available
Vendor-IBM Corporation
Product-rational_engineering_lifecycle_managerengineering_insightsrational_team_concertengineering_workflow_managementengineering_lifecycle_managementengineering_requirements_quality_assistant_on-premisesEngineering Workflow ManagementRational Engineering Lifecycle ManagerEngineering Lifecycle OptimizationRational Team Concert
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-1369
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.53% / 66.07%
||
7 Day CHG~0.00%
Published-29 Apr, 2021 | 17:30
Updated-08 Nov, 2024 | 23:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Firepower Device Manager On-Box Software XML External Entity Vulnerability

A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device. This vulnerability is due to the improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by sending malicious requests that contain references in XML entities to an affected system. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information or causing a partial denial of service (DoS) condition on the affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-firepower_device_managerCisco Firepower Threat Defense Software
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-34832
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 16.57%
||
7 Day CHG~0.00%
Published-27 Oct, 2023 | 00:00
Updated-09 Sep, 2024 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

Action-Not Available
Vendor-vermegn/a
Product-agile_reportern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-4246
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.40% / 59.73%
||
7 Day CHG~0.00%
Published-28 May, 2020 | 14:45
Updated-17 Sep, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Identity Governance and Intelligence 5.2.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 175481.

Action-Not Available
Vendor-IBM Corporation
Product-security_identity_governance_and_intelligenceSecurity Identity Governance and Intelligence
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-7032
Matching Score-4
Assigner-Avaya, Inc.
ShareView Details
Matching Score-4
Assigner-Avaya, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 64.14%
||
7 Day CHG~0.00%
Published-13 Nov, 2020 | 00:20
Updated-17 Sep, 2024 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Avaya WebLM Improper Restriction of XML External Entity Reference

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.

Action-Not Available
Vendor-Avaya LLC
Product-aura_system_managerweblmWebLMSystem Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2017-2815
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.1||HIGH
EPSS-0.35% / 56.84%
||
7 Day CHG~0.00%
Published-15 May, 2018 | 17:00
Updated-05 Aug, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability.

Action-Not Available
Vendor-igniterealtimeTalos (Cisco Systems, Inc.)
Product-user_import_exportOpen Fire User Import Export Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-5013
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.58% / 67.84%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 15:45
Updated-16 Sep, 2024 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar SIEM 7.3 and 7.4 may vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 193245.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_security_information_and_event_managerQRadar SIEM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-4510
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.6||HIGH
EPSS-0.07% / 23.04%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 13:10
Updated-16 Sep, 2024 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 182365.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_security_information_and_event_managerQRadar SIEM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-4509
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.6||HIGH
EPSS-0.48% / 63.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 13:35
Updated-16 Sep, 2024 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 182364.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-qradar_security_information_and_event_managerlinux_kernelQRadar SIEM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-4772
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.54% / 66.65%
||
7 Day CHG~0.00%
Published-12 Oct, 2020 | 13:05
Updated-16 Sep, 2024 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. A remote attacker could exploit this vulnerability to expose sensitive information, denial of service, server side request forgery or consume memory resources. IBM X-Force ID: 189150.

Action-Not Available
Vendor-IBM Corporation
Product-curam_social_program_managementCuram SPM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-19031
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-6.28% / 90.55%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 19:12
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.

Action-Not Available
Vendor-edit-xmln/a
Product-easy_xml_editorn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2014-0950
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.45% / 62.77%
||
7 Day CHG~0.00%
Published-20 Apr, 2018 | 21:00
Updated-06 Aug, 2024 | 09:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple XML external entity (XXE) vulnerabilities in (1) CQWeb / CM Server, (2) ClearQuest Native client, (3) ClearQuest Eclipse client, and (4) ClearQuest Eclipse Designer components in IBM Rational ClearQuest 7.1.1 through 7.1.1.9, 7.1.2 through 7.1.2.13, 8.0.0 through 8.0.0.10, and 8.0.1 through 8.0.1.3 allow remote attackers to cause a denial of service or access other servers via crafted XML data. IBM X-Force ID: 92623.

Action-Not Available
Vendor-n/aIBM Corporation
Product-rational_clearquestn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-1607
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.36% / 57.37%
||
7 Day CHG~0.00%
Published-25 Sep, 2018 | 16:00
Updated-16 Sep, 2024 | 23:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143797.

Action-Not Available
Vendor-IBM Corporation
Product-rational_engineering_lifecycle_managerRational Engineering Lifecycle Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-4456
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.40% / 59.73%
||
7 Day CHG~0.00%
Published-30 Jul, 2019 | 13:25
Updated-16 Sep, 2024 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.

Action-Not Available
Vendor-IBM Corporation
Product-daeja_viewoneDaeja ViewONE
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • Next
Details not found