Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-23170

Summary
Assigner-INCD
Assigner Org ID-a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f
Published At-24 Jun, 2022 | 15:00
Updated At-16 Sep, 2024 | 19:24
Rejected At-
Credits

SysAid - Okta SSO integration

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:INCD
Assigner Org ID:a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f
Published At:24 Jun, 2022 | 15:00
Updated At:16 Sep, 2024 | 19:24
Rejected At:
▼CVE Numbering Authority (CNA)
SysAid - Okta SSO integration

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Affected Products
Vendor
SysAid Technologies Ltd.Sysaid
Product
SysAid - Okta SSO integration
Versions
Affected
  • From 22.1.63 before 22.1.49* (custom)
Problem Types
TypeCWE IDDescription
CWECWE-611CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Type: CWE
CWE ID: CWE-611
Description: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update to 22.1.50 cloud version, or to 22.1.64 on premise version.

Configurations
Workarounds
Exploits
Credits
Niv Levy - CyberArk
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.gov.il/en/departments/faq/cve_advisories
x_refsource_MISC
Hyperlink: https://www.gov.il/en/departments/faq/cve_advisories
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.gov.il/en/departments/faq/cve_advisories
x_refsource_MISC
x_transferred
Hyperlink: https://www.gov.il/en/departments/faq/cve_advisories
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@cyber.gov.il
Published At:24 Jun, 2022 | 15:15
Updated At:07 Jul, 2022 | 15:19

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.15.9MEDIUM
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary2.06.8MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Type: Primary
Version: 2.0
Base score: 6.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE Matches
SysAid Technologies Ltd.
sysaid
>>okta_sso>>Versions from 22.1.49(inclusive) to 22.1.63(inclusive)
cpe:2.3:a:sysaid:okta_sso:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarynvd@nist.gov
CWE-611Secondarycna@cyber.gov.il
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-611
Type: Secondary
Source: cna@cyber.gov.il
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.gov.il/en/departments/faq/cve_advisoriescna@cyber.gov.il
Third Party Advisory
Hyperlink: https://www.gov.il/en/departments/faq/cve_advisories
Source: cna@cyber.gov.il
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

173Records found
CVE-2016-6256
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-10.06% / 92.79%
||
7 Day CHG~0.00%
Published-25 May, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.

Action-Not Available
Vendor-n/aSAP SE
Product-business_onen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-9670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.43% / 99.98%
||
7 Day CHG~0.00%
Published-29 May, 2019 | 21:04
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-07-10||Apply updates per vendor instructions.

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

Action-Not Available
Vendor-n/aSynacor, Inc.
Product-zimbra_collaboration_suiten/aZimbra Collaboration Suite (ZCS)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2016-4434
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.41% / 60.80%
||
7 Day CHG~0.00%
Published-29 Sep, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-tikan/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-32567
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 57.87%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 18:58
Updated-09 Oct, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236

Action-Not Available
Vendor-Ivanti Software
Product-avalancheWavelink
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-3773
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.66%
||
7 Day CHG~0.00%
Published-18 Jan, 2019 | 22:00
Updated-17 Sep, 2024 | 03:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Web Services XML External Entity Injection (XXE)

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Action-Not Available
Vendor-Oracle CorporationVMware (Broadcom Inc.)
Product-flexcube_private_bankingfinancial_services_analytical_applications_infrastructurespring_web_servicesSpring Web Services
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-28151
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 9.94%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

Action-Not Available
Vendor-independentsoftn/a
Product-jspreadsheetn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-20627
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 62.56%
||
7 Day CHG~0.00%
Published-23 Mar, 2020 | 16:55
Updated-05 Aug, 2024 | 02:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.

Action-Not Available
Vendor-rbsoftn/a
Product-autoupdater.netn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-28150
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 9.94%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

Action-Not Available
Vendor-independentsoftn/a
Product-jodfn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-24429
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 35.03%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Action-Not Available
Vendor-Jenkins
Product-semantic_versioningJenkins Semantic Versioning Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-16174
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.13% / 77.43%
||
7 Day CHG~0.00%
Published-09 Sep, 2019 | 20:43
Updated-05 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.

Action-Not Available
Vendor-limesurveyn/a
Product-limesurveyn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-16549
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.1||HIGH
EPSS-0.08% / 25.46%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.

Action-Not Available
Vendor-Jenkins
Product-mavenJenkins Maven Release Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-35741
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-19.42% / 95.17%
||
7 Day CHG+7.26%
Published-18 Jul, 2022 | 14:30
Updated-03 Aug, 2024 | 09:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CloudStack SAML Single Sign-On XXE

Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.

Action-Not Available
Vendor-The Apache Software Foundation
Product-cloudstackApache CloudStack
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-13990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.42% / 92.93%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:00
Updated-15 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Action-Not Available
Vendor-softwareagn/aAtlassianNetApp, Inc.The Apache Software FoundationOracle Corporation
Product-flexcube_investor_servicingprimavera_unifierquartzretail_central_officegoogle_guava_mapviewerjd_edwards_enterpriseone_orchestratorretail_back_officeterracotta_quartz_scheduler_mapviewercommunications_ip_service_activatorcommunications_session_route_manageractive_iq_unified_managerflexcube_private_bankingretail_integration_busretail_returns_managementapache_batik_mapviewerbanking_enterprise_product_manufacturingjira_service_managementretail_point-of-servicebanking_enterprise_originationsbanking_paymentsretail_order_brokertomeeretail_xstore_point_of_servicecustomer_management_and_segmentation_foundationfusion_middleware_mapviewercloud_secure_agentdocumakerwebcenter_siteshyperion_infrastructure_technologyenterprise_manager_ops_centerenterprise_manager_base_platformn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-12331
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.32% / 54.80%
||
7 Day CHG~0.00%
Published-07 Nov, 2019 | 14:03
Updated-04 Sep, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack.

Action-Not Available
Vendor-n/aPHPOffice
Product-phpspreadsheetn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2019-0228
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-7.83% / 91.64%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 14:07
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Action-Not Available
Vendor-n/aThe Apache Software FoundationFedora ProjectOracle Corporation
Product-banking_trade_finance_process_managementpeoplesoft_enterprise_peopletoolsbanking_supply_chain_financepdfboxcommunications_messaging_serverhyperion_financial_reportingfedoraretail_xstore_point_of_servicejamesbanking_corporate_lending_process_managementcommunications_session_report_managerwebcenter_sitesbanking_credit_facilities_process_managementbanking_virtual_account_managementApache PDFBox
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-35066
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.60%
||
7 Day CHG~0.00%
Published-21 Jun, 2021 | 19:05
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.

Action-Not Available
Vendor-connectwisen/a
Product-automaten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-46984
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.19% / 40.56%
||
7 Day CHG~0.00%
Published-19 Sep, 2024 | 22:38
Updated-25 Sep, 2024 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity Reference (XXE) vulnerability can lead to a Server Side Request Forgery attack in gematik app-referencevalidator

The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. The profile location routine in the referencevalidator commons package is vulnerable to `XML External Entities` attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a `Server Side Request Forgery` attack. The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.

Action-Not Available
Vendor-gematikgematikgematik
Product-reference_validatorapp-referencevalidatorapp-referencevalidator
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2018-7230
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-8.8||HIGH
EPSS-0.36% / 57.49%
||
7 Day CHG~0.00%
Published-09 Mar, 2018 | 23:00
Updated-17 Sep, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67.

Action-Not Available
Vendor-
Product-imp519-1er_firmwareibp319-1erimp319-1erimps110-1eibp519-1er_firmwareimp1110-1er_firmwareimps110-1eribp1110-1erimp519-1_firmwareimp519-1ibps110-1er_firmwareimp219-1_firmwareimp319-1_firmwareimps110-1er_firmwareimp219-1erimp319-1mps110-1ibp319-1er_firmwareimp319-1er_firmwareimps110-1e_firmwareimp219-1e_firmwareimp219-1eibp219-1erimp1110-1e_firmwareimp1110-1_firmwareimp519-1eimp319-1e_firmwareimp1110-1erimp219-1ibp219-1er_firmwareimp519-1erimp1110-1eimp319-1eibp1110-1er_firmwareibps110-1erimp219-1er_firmwareimp519-1e_firmwareimp1110-1ibp519-1ermps110-1_firmwarePelco Sarix Professional
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-3486
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.8||HIGH
EPSS-2.93% / 85.88%
||
7 Day CHG~0.00%
Published-15 May, 2024 | 16:46
Updated-21 Jan, 2025 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity injection vulnerability in iManager

XML External Entity injection vulnerability found in OpenText™ iManager 3.2.6.0200. This could lead to information disclosure and remote code execution.

Action-Not Available
Vendor-Micro Focus International LimitedOpen Text Corporation
Product-imanageriManagerimanager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-46455
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 24.57%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 00:00
Updated-12 Dec, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-1628
Matching Score-4
Assigner-Salesforce, Inc.
ShareView Details
Matching Score-4
Assigner-Salesforce, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.79%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 16:19
Updated-03 Aug, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2021.

Action-Not Available
Vendor-salesforcen/a
Product-muleMulesoft
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-8540
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-22.47% / 95.62%
||
7 Day CHG~0.00%
Published-11 Mar, 2020 | 16:15
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_desktop_centraln/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-36640
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 29.72%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 09:09
Updated-10 Apr, 2025 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bonitasoft bonita-connector-webservice SecureWSConnector.java TransformerConfigurationException xml external entity reference

A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException of the file src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.1 is able to address this issue. The patch is named a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217443.

Action-Not Available
Vendor-bonitasoftbonitasoft
Product-webservice_connectorbonita-connector-webservice
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found