Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-23595

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-15 Jan, 2023 | 00:00
Updated At-08 Apr, 2025 | 20:24
Rejected At-
Credits

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:15 Jan, 2023 | 00:00
Updated At:08 Apr, 2025 | 20:24
Rejected At:
▼CVE Numbering Authority (CNA)

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
N/A
https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
N/A
https://everything.curl.dev/usingcurl/netrc
N/A
Hyperlink: https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
Resource: N/A
Hyperlink: https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
Resource: N/A
Hyperlink: https://everything.curl.dev/usingcurl/netrc
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
x_transferred
https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
x_transferred
https://everything.curl.dev/usingcurl/netrc
x_transferred
Hyperlink: https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
Resource:
x_transferred
Hyperlink: https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
Resource:
x_transferred
Hyperlink: https://everything.curl.dev/usingcurl/netrc
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-611CWE-611 Improper Restriction of XML External Entity Reference
Type: CWE
CWE ID: CWE-611
Description: CWE-611 Improper Restriction of XML External Entity Reference
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:15 Jan, 2023 | 07:15
Updated At:24 Jan, 2023 | 16:35

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches

bluecatnetworks
bluecatnetworks
>>device_registration_portal>>2.2
cpe:2.3:a:bluecatnetworks:device_registration_portal:2.2:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Primarynvd@nist.gov
CWE ID: CWE-611
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/cve@mitre.org
Product
Vendor Advisory
https://everything.curl.dev/usingcurl/netrccve@mitre.org
Technical Description
Third Party Advisory
https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRPcve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
Source: cve@mitre.org
Resource:
Product
Vendor Advisory
Hyperlink: https://everything.curl.dev/usingcurl/netrc
Source: cve@mitre.org
Resource:
Technical Description
Third Party Advisory
Hyperlink: https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

123Records found

CVE-2023-45139
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.13% / 33.49%
||
7 Day CHG~0.00%
Published-10 Jan, 2024 | 16:03
Updated-03 Jun, 2025 | 14:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
fonttools XML External Entity Injection (XXE) Vulnerability

fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

Action-Not Available
Vendor-fonttoolsfonttools
Product-fonttoolsfonttools
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-21205
Matching Score-4
Assigner-Intel Corporation
ShareView Details
Matching Score-4
Assigner-Intel Corporation
CVSS Score-7.5||HIGH
EPSS-0.40% / 60.03%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:04
Updated-05 May, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access.

Action-Not Available
Vendor-n/aIntel Corporation
Product-quartus_primeIntel(R) Quartus(R) Prime Pro Edition
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-25186
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.15%
||
7 Day CHG~0.00%
Published-22 Oct, 2020 | 20:09
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.

Action-Not Available
Vendor-we-conn/a
Product-levistudiouWECON Technology Co., Ltd (WECON) LeviStudioU
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-1700
Matching Score-4
Assigner-Forcepoint
ShareView Details
Matching Score-4
Assigner-Forcepoint
CVSS Score-7.5||HIGH
EPSS-0.08% / 23.44%
||
7 Day CHG~0.00%
Published-12 Sep, 2022 | 18:07
Updated-03 Aug, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022.

Action-Not Available
Vendor-forcepointForcepoint
Product-data_loss_preventionemail_securityone_endpoint_with_policy_engineweb_security_content_gatewaycloud_security_gatewayCloud Security Gateway One Endpoint (F1E) with Policy EngineEmail Security with DLP enabledWeb Security Content GatewayData Loss Prevention (DLP)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-47621
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.08% / 23.62%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 00:00
Updated-13 Mar, 2025 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

Action-Not Available
Vendor-n/aclassgraph
Product-n/aclassgraph
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2005-1306
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-16.06% / 94.52%
||
7 Day CHG~0.00%
Published-15 Jun, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability."

Action-Not Available
Vendor-n/aAdobe Inc.
Product-acrobatacrobat_readern/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-40500
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-1.21% / 78.18%
||
7 Day CHG~0.00%
Published-12 Oct, 2021 | 14:04
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server.

Action-Not Available
Vendor-SAP SE
Product-businessobjects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platform (Crystal Reports)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-40356
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.36%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 10:48
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.

Action-Not Available
Vendor-Siemens AG
Product-teamcenter_visualizationTeamcenter V12.4Teamcenter V13.0Teamcenter V13.2Teamcenter V13.1
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-44477
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.39%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 18:02
Updated-16 Apr, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference

GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.

Action-Not Available
Vendor-geGE Gas Power
Product-toolboxstToolBoxST
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-31497
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.09% / 26.85%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 20:00
Updated-16 Apr, 2025 | 13:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TEIGarage XML External Entity (XXE) Injection in Document Conversion Service

TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The service processes XML files during the conversion process but fails to disable external entity processing, allowing an attacker to read arbitrary files from the server's filesystem. This vulnerability could allow attackers to read sensitive files from the server's filesystem, potentially exposing configuration files, credentials, or other confidential information. Additionally, depending on the server configuration, this could potentially be used to perform server-side request forgery (SSRF) attacks by making the server connect to internal services. This issue is patched in version 1.2.4. A workaround for this vulnerability includes disabling external entity processing in the XML parser by setting the appropriate security features (e.g., XMLConstants.FEATURE_SECURE_PROCESSING).

Action-Not Available
Vendor-TEIC
Product-TEIGarage
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-40239
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.18% / 39.73%
||
7 Day CHG~0.00%
Published-01 Sep, 2023 | 00:00
Updated-01 Oct, 2024 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure. The fixed firmware version is LW80.*.P246, i.e., '*' indicates that the full version specification varies across product model family, but firmware level P246 (or higher) is required to remediate the vulnerability.

Action-Not Available
Vendor-n/aLexmark International, Inc.
Product-ms812de_firmwarem1145_firmwarexm1140xm5170xm7163ms812dn_firmwarecx510mx911cs517_firmwarems711_firmwarexm7170_firmwarexm9165_firmwarems810dnms810dn_firmwarems415_firmwaremx717_firmwarem5163dn_firmwarecs417cx510_firmwarecs417_firmwarecx410_firmwaremx510xm1145cs410_firmwarexm5170_firmwarems610dnxm5270ms610dn_firmwarem3150de_firmwarecs510xm7163_firmwarems810de_firmwarems315xm3150_firmwaremx617xm7270_firmwarecx410mx711_firmwaremx812xm5163m5170_firmwaremx810_firmwarexm7263mx317_firmwarecx317_firmwarecs517ms415cx310mx711xm1135_firmwaremx410_firmwarems817_firmwarecs317_firmwaremx310mx718_firmwarems812dnmx710ms417ms817mx910_firmwaremx710_firmwarec2132_firmwarecx417ms811mx912_firmwarems911_firmwarexm5270_firmwarem3150decx517_firmwarexm9145ms317cs510_firmwarems310_firmwarecs410ms517_firmwarems911cx517mx611_firmwarems410_firmwaremx812_firmwaremx910ms711xm5263mx510_firmwarexm5263_firmwarems317_firmwaremx811_firmwaremx517_firmwarem3150dn_firmwarexm7155_firmwaremx317ms810dem5163demx517mx611mx410ms410m1140_firmwarem5155_firmwarems811_firmwarexc2132_firmwarexm9165ms818_firmwarecx310_firmwarems517cs310xc2132ms312_firmwarem1140\+ms617_firmwarexm9155_firmwarexm1145_firmwaremx717xc2130ms617m5170ms312xm1135xm3150ms610dems710_firmwarem1140ms710mx610_firmwarexm7270cs310_firmwarem3150dnms510_firmwarems417_firmwaremx718xm9145_firmwaremx417_firmwarexm1140_firmwarexm7155m5155mx912xm5163_firmwaremx811ms812dems510mx810m5163de_firmwarem1145xc2130_firmwarexm7263_firmwarem5163dnmx911_firmwarems818m1140\+_firmwarexm9155ms310xm7170mx310_firmwaremx617_firmwarems315_firmwarec2132mx610mx511cx317mx511_firmwarecx417_firmwarecs317mx417ms610de_firmwaren/acs310
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-3869
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.6||HIGH
EPSS-0.32% / 54.74%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 12:30
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Action-Not Available
Vendor-stanfordstanfordnlp
Product-corenlpstanfordnlp/corenlp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-39239
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.32% / 54.41%
||
7 Day CHG~0.00%
Published-16 Sep, 2021 | 14:40
Updated-04 Aug, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity (XXE) vulnerability

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

Action-Not Available
Vendor-The Apache Software Foundation
Product-jenaApache Jena
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-39371
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.45% / 62.56%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 00:03
Updated-04 Aug, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

Action-Not Available
Vendor-osgeon/aDebian GNU/Linux
Product-owslibdebian_linuxpywpsn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-3823
Matching Score-4
Assigner-PHP Group
ShareView Details
Matching Score-4
Assigner-PHP Group
CVSS Score-8.6||HIGH
EPSS-0.17% / 38.59%
||
7 Day CHG+0.08%
Published-11 Aug, 2023 | 05:42
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Security issue with external entity loading in XML without enabling it

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.

Action-Not Available
Vendor-Debian GNU/LinuxFedora ProjectThe PHP Group
Product-fedoradebian_linuxphpPHP
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-42537
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.9||MEDIUM
EPSS-0.20% / 42.32%
||
7 Day CHG~0.00%
Published-27 Jul, 2022 | 20:20
Updated-17 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VISAM VBASE Editor Improper Restriction of XML

VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Action-Not Available
Vendor-visamVISAM
Product-vbase_web-remoteVBASE Pro-RT/ Server-RT (Web Remote)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-38343
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.46% / 63.35%
||
7 Day CHG~0.00%
Published-21 Sep, 2023 | 00:00
Updated-24 Sep, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

Action-Not Available
Vendor-n/aIvanti Software
Product-endpoint_managern/aendpoint_manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-33950
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.08% / 24.60%
||
7 Day CHG~0.00%
Published-17 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function.

Action-Not Available
Vendor-openkmn/a
Product-openkmn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-45727
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-20.60% / 95.36%
||
7 Day CHG~0.00%
Published-18 Oct, 2023 | 09:01
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-12-24||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.

Action-Not Available
Vendor-northgridNorth Grid CorporationnorthgridNorth Grid
Product-proselfProself Mail Sanitize EditionProself Enterprise/Standard EditionProself Gateway EditionproselfProself
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-46590
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.08% / 23.90%
||
7 Day CHG~0.00%
Published-14 Nov, 2023 | 11:04
Updated-08 Jan, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Affected products suffer from a XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary files in the system.

Action-Not Available
Vendor-Siemens AG
Product-siemens_opc_ua_modeling_editorSiemens OPC UA Modelling Editor (SiOME)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-30006
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.00% / 0.08%
||
7 Day CHG~0.00%
Published-11 May, 2021 | 11:24
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-intellij_idean/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-41770
Matching Score-4
Assigner-Ping Identity Corporation
ShareView Details
Matching Score-4
Assigner-Ping Identity Corporation
CVSS Score-7.5||HIGH
EPSS-0.28% / 50.97%
||
7 Day CHG~0.00%
Published-07 Oct, 2021 | 06:24
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.

Action-Not Available
Vendor-n/aPing Identity Corp.
Product-pingfederaten/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-6893
Matching Score-4
Assigner-KoreLogic Security
ShareView Details
Matching Score-4
Assigner-KoreLogic Security
CVSS Score-7.5||HIGH
EPSS-89.95% / 99.55%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 23:22
Updated-08 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Journyx Unauthenticated XML External Entities Injection

The "soap_cgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.

Action-Not Available
Vendor-journyxJournyxjournyx
Product-journyxJournyx (jtime)journyx
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-40510
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.73% / 71.73%
||
7 Day CHG~0.00%
Published-21 Jun, 2022 | 16:10
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.

Action-Not Available
Vendor-obdasystemsn/a
Product-mastron/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-22140
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-7.5||HIGH
EPSS-0.37% / 57.86%
||
7 Day CHG~0.00%
Published-13 May, 2021 | 17:35
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.

Action-Not Available
Vendor-Elasticsearch BV
Product-elastic_app_searchElastic App Search
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-22274
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.18%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 12:52
Updated-04 Sep, 2024 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZDI-CAN-21305: Adobe RoboHelp Server UpdateCommandStream XML External Entity Processing Information Disclosure Vulnerability

Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an unauthenticated attacker. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.
Product-robohelp_serverwindowsRoboHelprobohelp
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-1630
Matching Score-4
Assigner-Salesforce, Inc.
ShareView Details
Matching Score-4
Assigner-Salesforce, Inc.
CVSS Score-7.5||HIGH
EPSS-0.42% / 60.91%
||
7 Day CHG~0.00%
Published-05 Aug, 2021 | 20:29
Updated-03 Aug, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.

Action-Not Available
Vendor-salesforcen/a
Product-muleMulesoft
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-22832
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.13% / 33.27%
||
7 Day CHG~0.00%
Published-10 Feb, 2023 | 07:45
Updated-24 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache NiFi: Improper Restriction of XML External Entity References in ExtractCCDAAttributes

The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-2324
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-0.15% / 35.74%
||
7 Day CHG~0.00%
Published-03 Dec, 2020 | 15:55
Updated-04 Aug, 2024 | 07:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-cvsJenkins CVS Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2009-1699
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.63% / 89.98%
||
7 Day CHG~0.00%
Published-10 Jun, 2009 | 17:37
Updated-07 Aug, 2024 | 05:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Action-Not Available
Vendor-n/aCanonical Ltd.openSUSEApple Inc.
Product-opensuseiphone_osubuntu_linuxsafarin/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2012-4399
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-24.92% / 95.94%
||
7 Day CHG~0.00%
Published-09 Oct, 2012 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Action-Not Available
Vendor-cakefoundationn/a
Product-cakephpn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-5602
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.41% / 60.39%
||
7 Day CHG~0.00%
Published-30 Jun, 2020 | 10:20
Updated-04 Aug, 2024 | 08:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mitsubishi Electoric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver.1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier) allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
Product-melsoft_fielddeviceconfiguratorm_commdtm-hartgx_works3melfa-worksmelsoft_iq_appportalgt_designer3gx_logviewermt_works2motion_control_settingcw_configuratormelsec-l_flexible_high-speed_i\/o_control_module_configuration_toolcpu_module_logging_configuration_toolmelsoft_navigatorgx_works2m_commdtm-io-linkmr_configurator2mi_configuratorrt_toolbox2em_configuratorrt_toolbox3Mitsubishi Electoric FA Engineering Software
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-4643
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.34% / 55.70%
||
7 Day CHG~0.00%
Published-21 Sep, 2020 | 17:10
Updated-17 Sep, 2024 | 01:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-23195
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.15%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 21:22
Updated-09 Jun, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

Action-Not Available
Vendor-The Apache Software Foundation
Product-ambariApache Ambari
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-22624
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.79% / 72.99%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 00:00
Updated-04 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_exchange_reporter_plusn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-45293
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-21.47% / 95.49%
||
7 Day CHG~0.00%
Published-07 Oct, 2024 | 20:03
Updated-07 Mar, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML External Entity Reference (XXE) in PHPSpreadsheet's XLSX reader

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheetphpspreadsheet
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-53674
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.3||HIGH
EPSS-0.22% / 44.59%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 21:55
Updated-12 Dec, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-insight_remote_supportHPE Insight Remote Supportinsight_remote_support
CWE ID-CWE-91
XML Injection (aka Blind XPath Injection)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-53675
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.3||HIGH
EPSS-4.16% / 88.23%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 22:01
Updated-12 Dec, 2024 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-insight_remote_supportHPE Insight Remote Supportinsight_remote_support
CWE ID-CWE-91
XML Injection (aka Blind XPath Injection)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2012-1102
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.02%
||
7 Day CHG~0.00%
Published-09 Jul, 2021 | 10:42
Updated-06 Aug, 2024 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected resources, depending on how the library is used.

Action-Not Available
Vendor-xml\n/a
Product-\perl-xml-atom
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-1288
Matching Score-4
Assigner-Dassault Systèmes
ShareView Details
Matching Score-4
Assigner-Dassault Systèmes
CVSS Score-6.8||MEDIUM
EPSS-0.08% / 25.59%
||
7 Day CHG~0.00%
Published-09 Mar, 2023 | 16:33
Updated-27 Feb, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ENOVIA Live Collaboration V6R2013xE is affected by an XML External Entity injection (XXE) vulnerability

An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows an attacker to read local files on the server.

Action-Not Available
Vendor-Dassault Systèmes S.E. (3DS)
Product-enovia_live_collaborationENOVIA Live Collaboration
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-3276
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 28.21%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 13:00
Updated-21 Nov, 2024 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dromara HuTool XML Parsing Module XmlUtil.java readBySax xml external entity reference

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-dromaraDromara
Product-hutoolHuTool
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-43430
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-0.26% / 48.65%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-compuware_topaz_for_total_testJenkins Compuware Topaz for Total Test Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-42341
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-4.58% / 88.80%
||
7 Day CHG~0.00%
Published-14 Oct, 2022 | 19:42
Updated-23 Apr, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe ColdFusion Improper Restriction of XML External Entity Reference Arbitrary file system read

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-coldfusionColdFusion
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2015-1811
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.12% / 32.51%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 18:05
Updated-06 Aug, 2024 | 04:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.

Action-Not Available
Vendor-CloudBeesJenkins
Product-cloudbeesJenkinsJenkins LTS
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-38840
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.68% / 81.42%
||
7 Day CHG~0.00%
Published-16 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.

Action-Not Available
Vendor-guralpn/a
Product-man-eam-0003n/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-32458
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-1.34% / 79.26%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 02:01
Updated-16 Sep, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Data Systems Consulting Co., Ltd. BPM - XML External Entity (XXE) Injection

Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.

Action-Not Available
Vendor-digiwinData Systems Consulting Co., Ltd.
Product-business_process_managementBPM
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-47873
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.05% / 13.38%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 17:03
Updated-07 Mar, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PhpSpreadsheet XmlScanner bypass leads to XXE

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheetphpspreadsheet
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-31447
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.43% / 61.83%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 02:46
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) injection vulnerability in Magicpin v3.4 allows attackers to access sensitive database information via a crafted SVG file.

Action-Not Available
Vendor-magicpinn/a
Product-magicpinn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-31471
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-1.52% / 80.51%
||
7 Day CHG~0.00%
Published-26 Jul, 2022 | 05:10
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.

Action-Not Available
Vendor-untangle_projectChristian Stefanescu
Product-untangleuntangle
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-46985
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.15% / 36.25%
||
7 Day CHG~0.00%
Published-23 Sep, 2024 | 15:12
Updated-27 Sep, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DataEase has an XXE vulnerability

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1.

Action-Not Available
Vendor-DataEase (FIT2CLOUD Inc.)
Product-dataeasedataease
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found