Skip to main content

XXE

1233 CVEs technique

Monthly

CVE-2014-0225 Maven HIGH PATCH This Week

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Framework
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-8913 HIGH This Week

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Java Netweaver Application Server Java
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2017-1289 HIGH PATCH This Week

IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Java Sdk
NVD
CVSS 3.0
8.2
EPSS
0.9%
CVE-2017-7907 MEDIUM This Month

An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service XXE Schneider Electric Wonderware Historian Client
NVD
CVSS 3.0
6.6
EPSS
0.1%
CVE-2017-7503 CRITICAL Act Now

It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Red Hat Jboss Enterprise Application Platform
NVD
CVSS 3.0
9.8
EPSS
0.7%
CVE-2017-1103 HIGH PATCH This Week

IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Rational Team Concert Rational Quality Manager
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2016-9691 HIGH PATCH This Week

IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Websphere Cast Iron Solution
NVD
CVSS 3.0
8.6
EPSS
0.3%
CVE-2017-1149 HIGH This Week

IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE IBM Urbancode Deploy
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2017-8110 CRITICAL Act Now

www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE PHP Modified Ecommerce Shopsoftware
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2017-3548 MEDIUM POC PATCH THREAT This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 49.2%.

Denial Of Service XXE Oracle Peoplesoft Enterprise Peopletools
NVD Exploit-DB
CVSS 3.0
6.5
EPSS
49.2%
Threat
4.3
CVE-2017-8056 MEDIUM POC THREAT This Month

WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.4%.

Watchguard Denial Of Service XXE Fireware
NVD
CVSS 3.0
5.3
EPSS
11.4%
CVE-2017-5662 Maven HIGH PATCH This Week

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache Batik
NVD
CVSS 3.0
7.3
EPSS
0.3%
CVE-2017-5661 Maven HIGH PATCH This Week

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache Formatting Objects Processor
NVD
CVSS 3.0
7.3
EPSS
2.4%
CVE-2016-7051 Maven HIGH PATCH This Week

XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Jackson Dataformat Xml
NVD GitHub
CVSS 3.1
8.6
EPSS
0.9%
CVE-2017-7457 MEDIUM POC This Month

XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 result in remote file disclosure. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XXE Mx Aopc Server
NVD Exploit-DB
CVSS 3.0
5.0
EPSS
0.5%
CVE-2015-7273 CRITICAL Act Now

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Dell XXE Integrated Remote Access Controller Firmware
NVD
CVSS 3.0
9.8
EPSS
0.7%
CVE-2016-6805 Maven MEDIUM PATCH This Month

Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Ignite
NVD
CVSS 3.0
5.9
EPSS
0.9%
CVE-2016-9707 HIGH PATCH This Week

IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Rational Rhapsody Design Manager Rational Quality Manager +5
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2016-6111 CRITICAL PATCH Act Now

IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Curam Social Program Management
NVD
CVSS 3.0
9.1
EPSS
0.4%
CVE-2016-9924 CRITICAL Act Now

Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Zimbra Collaboration Suite
NVD
CVSS 3.0
9.8
EPSS
0.7%
CVE-2016-10149 PyPI HIGH PATCH This Week

XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Pysaml2 Debian Linux
NVD GitHub
CVSS 3.0
7.5
EPSS
1.0%
CVE-2017-6895 CRITICAL POC Act Now

USB Pratirodh allows remote attackers to conduct XML External Entity (XXE) attacks via XML data in usb.xml. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Usb Pratirodh
NVD
CVSS 3.0
9.8
EPSS
4.1%
CVE-2016-5749 MEDIUM This Month

NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE Access Manager
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2016-5748 MEDIUM This Month

External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE Access Manager
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2016-4931 MEDIUM This Month

XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Juniper Junos Space
NVD
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-3811 MEDIUM This Month

An XML External Entity vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cisco Webex Meetings Server
NVD
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-5643 Maven HIGH PATCH This Week

Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF XXE Apache Camel
NVD
CVSS 3.0
7.4
EPSS
1.4%
CVE-2016-9724 HIGH PATCH This Week

IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Qradar Security Information And Event Manager
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2016-10127 PyPI CRITICAL PATCH Act Now

PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Pysaml2
NVD GitHub
CVSS 3.0
9.0
EPSS
0.5%
CVE-2017-6344 MEDIUM POC This Month

XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document. Rated medium severity (CVSS 5.9), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XXE Pdf Plugin
NVD
CVSS 3.0
5.9
EPSS
0.3%
CVE-2016-8974 HIGH PATCH This Week

IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Rational Rhapsody Design Manager
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2017-3839 MEDIUM This Month

An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cisco Secure Access Control System
NVD
CVSS 3.0
4.3
EPSS
0.4%
CVE-2017-6055 HIGH This Week

XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Java Eparakstitajs 3
NVD
CVSS 3.0
7.8
EPSS
0.5%
CVE-2016-4312 HIGH POC PATCH This Week

XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

Denial Of Service SSRF XXE Identity Server
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
5.4%
CVE-2017-5992 PyPI HIGH PATCH This Week

Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Openpyxl
NVD
CVSS 3.0
8.2
EPSS
0.5%
CVE-2016-9706 CRITICAL PATCH Act Now

IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker SOAP FLOWS is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Integration Bus Websphere Message Broker
NVD
CVSS 3.0
9.1
EPSS
0.4%
CVE-2016-8348 CRITICAL Act Now

An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE Liebert Sitescan Web
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2016-8980 HIGH This Week

IBM BigFix Inventory v9 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE IBM License Metric Tool Bigfix Inventory
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2016-6059 HIGH PATCH This Week

IBM InfoSphere Information Server is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Infosphere Datastage Infosphere Information Server +1
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2016-3027 MEDIUM PATCH This Month

IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM Security Access Manager 9 0 Firmware Security Access Manager For Mobile 8 0 Firmware +1
NVD
CVSS 3.0
6.5
EPSS
0.6%
CVE-2016-2908 CRITICAL PATCH Act Now

IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE IBM Security Access Manager 9 0 Firmware Security Access Manager For Mobile 8 0 Firmware +1
NVD
CVSS 3.0
9.1
EPSS
0.9%
CVE-2015-7743 MEDIUM POC This Month

XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Prtg Network Monitor
NVD VulDB
CVSS 3.0
6.5
EPSS
0.3%
CVE-2016-10097 HIGH This Week

XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM - Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Openam
NVD
CVSS 3.0
7.5
EPSS
0.8%
CVE-2016-7460 CRITICAL Act Now

The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE VMware Vrealize Automation
NVD
CVSS 3.0
9.1
EPSS
2.0%
CVE-2016-7459 HIGH PATCH This Week

VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE VMware Vcenter Server
NVD
CVSS 3.0
7.7
EPSS
0.5%
CVE-2016-7458 MEDIUM This Month

VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE VMware Vsphere Client
NVD
CVSS 3.0
5.8
EPSS
0.4%
CVE-2016-9181 HIGH This Week

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Information Disclosure Image Info For Perl
NVD
CVSS 3.0
7.1
EPSS
0.3%
CVE-2016-9180 CRITICAL Act Now

perl-XML-Twig: The option to `expand_external_ents`, documented as controlling external entity expansion in XML::Twig does not work. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Xml Twig For Perl
NVD
CVSS 3.0
9.1
EPSS
0.4%
CVE-2016-5851 PyPI HIGH PATCH This Week

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python XXE Python Docx
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2016-3055 HIGH PATCH This Week

IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM Denial Of Service XXE Filenet Workplace
NVD
CVSS 3.0
8.1
EPSS
0.5%
CVE-2016-3033 HIGH This Week

IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE Appscan Source
NVD
CVSS 3.0
8.1
EPSS
0.5%
CVE-2016-0319 HIGH PATCH This Week

The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Denial Of Service XXE Authentication Bypass Jazz Reporting Service
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2016-0284 MEDIUM This Month

The XML parser in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE Rational Software Architect Design Manager Rational Collaborative Lifecycle Management +5
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2016-9563 MEDIUM POC KEV THREAT This Month

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java SAP XXE
NVD
CVSS 3.1
6.5
EPSS
58.4%
Threat
6.1
CVE-2016-9318 MEDIUM POC PATCH This Month

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

XXE Libxml2 Ubuntu Linux
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2015-1832 Maven CRITICAL PATCH Act Now

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE Java Apache Derby
NVD
CVSS 3.0
9.1
EPSS
0.8%
CVE-2016-5971 HIGH PATCH This Week

IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Denial Of Service XXE Information Disclosure Security Privileged Identity Manager Virtual Appliance
NVD
CVSS 3.0
7.1
EPSS
0.4%
CVE-2016-6408 HIGH This Week

Cisco Prime Home 5.2.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XXE Prime Home
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2016-6898 MEDIUM This Month

XML external entity (XXE) vulnerability in the Hyper Management Module (HMM) in Huawei E9000 rack servers with software before V100R001C00SPC296 allows remote authenticated users to read arbitrary. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service XXE Huawei Authentication Bypass E9000 Chassis
NVD
CVSS 3.0
6.6
EPSS
0.1%
CVE-2016-4264 HIGH POC THREAT Act Now

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 55.4%.

Adobe XXE Microsoft Coldfusion
NVD Exploit-DB
CVSS 3.0
8.6
EPSS
55.4%
Threat
4.9
CVE-2016-5000 Maven MEDIUM PATCH This Month

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Poi
NVD
CVSS 3.0
5.5
EPSS
0.3%
CVE-2016-3039 HIGH This Week

IBM Traveler 8.x and 9.x before 9.0.1.12 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via XML data containing an external entity. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE Traveler
NVD
CVSS 3.0
8.1
EPSS
0.7%
CVE-2016-4216 Maven HIGH PATCH This Week

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Adobe XXE Java Xmp Toolkit
NVD
CVSS 3.0
7.5
EPSS
0.7%
CVE-2016-3255 HIGH Act Now

Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 29.5% and no vendor patch available.

XXE Information Disclosure Microsoft Net Framework
NVD
CVSS 3.0
7.5
EPSS
29.5%
CVE-2016-2868 LOW PATCH Monitor

IBM Security QRadar SIEM 7.2.x before 7.2.7 allows remote authenticated administrators to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

IBM XXE Qradar Security Information And Event Manager
NVD
CVSS 3.0
2.7
EPSS
0.2%
CVE-2015-8698 HIGH This Week

CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026 allows remote attackers to read arbitrary. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service XXE Release Automation
NVD
CVSS 3.0
7.1
EPSS
0.3%
CVE-2016-3720 Maven CRITICAL PATCH Act Now

XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Fedora Jackson Dataformat Xml
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2016-4449 HIGH This Week

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Debian Linux Ubuntu Linux Libxml2
NVD
CVSS 3.0
7.1
EPSS
0.1%
CVE-2016-2175 Maven HIGH PATCH This Week

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

XXE Apache Pdfbox Debian Linux
NVD
CVSS 3.0
7.8
EPSS
5.9%
CVE-2016-0288 MEDIUM This Month

IBM Security AppScan Standard 8.7.x, 8.8.x, and 9.x before 9.0.3.2 and Security AppScan Enterprise allow remote authenticated users to read arbitrary files via an XML document containing an external. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Security Appscan
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2015-8866 CRITICAL POC PATCH Act Now

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE PHP Ubuntu Linux Leap Opensuse +2
NVD
CVSS 3.1
9.6
EPSS
3.5%
CVE-2016-3674 Maven HIGH PATCH This Week

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Jboss Middleware Debian Linux Fedora +1
NVD GitHub
CVSS 3.1
7.5
EPSS
8.2%
CVE-2016-1343 CRITICAL Act Now

The XML parser in Cisco Information Server (CIS) 6.2 allows remote attackers to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XXE Denial Of Service Information Server
NVD
CVSS 3.0
10.0
EPSS
0.6%
CVE-2016-4014 HIGH POC This Week

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE SAP Java Netweaver
NVD
CVSS 3.0
8.6
EPSS
6.9%
CVE-2016-3974 CRITICAL POC THREAT Emergency

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.9%.

Denial Of Service XXE SAP Java Netweaver Application Server Java
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
13.9%
CVE-2016-1789 MEDIUM This Month

Apple iBooks Author before 2.4.1 allows remote attackers to read arbitrary files via an iBooks Author file containing an XML external entity declaration in conjunction with an entity reference,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple XXE Ibooks Author
NVD
CVSS 3.0
5.5
EPSS
0.6%
CVE-2016-2340 MEDIUM PATCH This Month

The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows remote authenticated users to read arbitrary files, send TCP requests to intranet servers, or cause a denial of service via an XML. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service XXE Granite Data Services
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2016-1358 MEDIUM This Month

Cisco Prime Infrastructure 2.2, 3.0, and 3.1(0.0) allows remote authenticated users to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Cisco XXE Buffer Overflow Prime Infrastructure
NVD
CVSS 3.0
6.4
EPSS
0.5%
CVE-2016-0245 MEDIUM PATCH This Month

The XML parser in IBM WebSphere Portal 8.0.x before 8.0.0.1 CF20 and 8.5.x before 8.5.0.0 CF10 allows remote authenticated users to read arbitrary files or cause a denial of service via an external. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

IBM Denial Of Service XXE Websphere Portal
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2016-0882 MEDIUM This Month

EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to read arbitrary files via a POST request containing an XML external entity declaration in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Documentum Xcp
NVD
CVSS 3.0
5.4
EPSS
0.5%
CVE-2016-0457 MEDIUM POC This Month

Unspecified vulnerability in the Application Mgmt Pack for E-Business Suite component in Oracle E-Business Suite 12.1 and 12.2 allows remote attackers to affect confidentiality via vectors related to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Oracle E Business Suite
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2016-0456 MEDIUM This Month

Unspecified vulnerability in the Application Mgmt Pack for E-Business Suite component in Oracle E-Business Suite 12.1 and 12.2 allows remote attackers to affect confidentiality via vectors related to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Oracle E Business Suite
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2015-7400 HIGH This Week

The Lotus Mashups component in IBM Mashup Center 3.0.0.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an XML external entity declaration in conjunction with an. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE Mashups Center
NVD
CVSS 3.0
7.7
EPSS
0.8%
CVE-2015-7081 MEDIUM This Month

iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote attackers to read arbitrary files via an iBooks file containing an XML external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apple XXE Mac Os X Iphone Os
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2015-5319 Maven MEDIUM PATCH This Month

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Jenkins Openshift
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2015-6096 MEDIUM This Month

The XML DTD parser in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2, and 4.6 allows remote attackers to read arbitrary files via an external entity declaration in conjunction. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 27.9% and no vendor patch available.

XXE Information Disclosure Microsoft Net Framework
NVD
CVSS 2.0
4.3
EPSS
27.9%
CVE-2015-4886 MEDIUM PATCH This Month

Unspecified vulnerability in the Oracle Report Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service XXE Oracle E Business Suite
NVD
CVSS 2.0
6.4
EPSS
0.6%
CVE-2015-4851 MEDIUM PATCH This Month

Unspecified vulnerability in the Oracle iSupplier Portal component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Denial Of Service XXE Oracle E Business Suite
NVD
CVSS 2.0
6.8
EPSS
1.4%
CVE-2015-4849 MEDIUM PATCH This Month

Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Denial Of Service XXE Oracle E Business Suite
NVD
CVSS 2.0
6.8
EPSS
1.4%
CVE-2015-2556 MEDIUM This Month

The InfoPath Forms Services component in Microsoft SharePoint Server 2007 SP3 and 2010 SP2 misparses DTDs, which allows remote attackers to read arbitrary files via an XML document containing an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 29.6% and no vendor patch available.

XXE Information Disclosure Microsoft Sharepoint Server
NVD
CVSS 2.0
4.3
EPSS
29.6%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Framework
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Java +1
NVD
EPSS 1% CVSS 8.2
HIGH PATCH This Week

IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Java +1
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service XXE Schneider Electric +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Red Hat +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +2
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE IBM +1
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE PHP Modified Ecommerce Shopsoftware
NVD
EPSS 49% 4.3 CVSS 6.5
MEDIUM POC PATCH THREAT This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 49.2%.

Denial Of Service XXE Oracle +1
NVD Exploit-DB
EPSS 11% CVSS 5.3
MEDIUM POC THREAT This Month

WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.4%.

Watchguard Denial Of Service XXE +1
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache +1
NVD
EPSS 2% CVSS 7.3
HIGH PATCH This Week

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Apache +1
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Jackson Dataformat Xml
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM POC This Month

XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 result in remote file disclosure. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XXE Mx Aopc Server
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Dell XXE Integrated Remote Access Controller Firmware
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Ignite
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +7
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Zimbra Collaboration Suite
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Pysaml2 Debian Linux
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

USB Pratirodh allows remote attackers to conduct XML External Entity (XXE) attacks via XML data in usb.xml. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Usb Pratirodh
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE Access Manager
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE Access Manager
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Juniper +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An XML External Entity vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cisco Webex Meetings Server
NVD
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF XXE Apache +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +1
NVD
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Pysaml2
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC This Month

XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document. Rated medium severity (CVSS 5.9), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XXE Pdf Plugin
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cisco Secure Access Control System
NVD
EPSS 1% CVSS 7.8
HIGH This Week

XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Java Eparakstitajs 3
NVD
EPSS 5% CVSS 7.5
HIGH POC PATCH This Week

XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

Denial Of Service SSRF XXE +1
NVD Exploit-DB
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Openpyxl
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker SOAP FLOWS is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XXE Liebert Sitescan Web
NVD
EPSS 0% CVSS 8.1
HIGH This Week

IBM BigFix Inventory v9 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE IBM +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

IBM InfoSphere Information Server is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +3
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE IBM +3
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE IBM +3
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Prtg Network Monitor
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM - Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Openam
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE VMware +1
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Week

VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE VMware Vcenter Server
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE VMware Vsphere Client
NVD
EPSS 0% CVSS 7.1
HIGH This Week

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Information Disclosure +1
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

perl-XML-Twig: The option to `expand_external_ents`, documented as controlling external entity expansion in XML::Twig does not work. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Xml Twig For Perl
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python XXE Python Docx
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM Denial Of Service XXE +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Denial Of Service XXE +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The XML parser in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE +7
NVD
EPSS 58% 6.1 CVSS 6.5
MEDIUM POC KEV THREAT This Month

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java SAP XXE
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

XXE Libxml2 Ubuntu Linux
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE Java +2
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Denial Of Service XXE +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Cisco Prime Home 5.2.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XXE Prime Home
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

XML external entity (XXE) vulnerability in the Hyper Management Module (HMM) in Huawei E9000 rack servers with software before V100R001C00SPC296 allows remote authenticated users to read arbitrary. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service XXE Huawei +2
NVD
EPSS 55% 4.9 CVSS 8.6
HIGH POC THREAT Act Now

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 55.4%.

Adobe XXE Microsoft +1
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Apache Poi
NVD
EPSS 1% CVSS 8.1
HIGH This Week

IBM Traveler 8.x and 9.x before 9.0.1.12 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via XML data containing an external entity. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Adobe XXE Java +1
NVD
EPSS 29% CVSS 7.5
HIGH Act Now

Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 29.5% and no vendor patch available.

XXE Information Disclosure Microsoft +1
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

IBM Security QRadar SIEM 7.2.x before 7.2.7 allows remote authenticated administrators to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

IBM XXE Qradar Security Information And Event Manager
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026 allows remote attackers to read arbitrary. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service XXE Release Automation
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Fedora Jackson Dataformat Xml
NVD
EPSS 0% CVSS 7.1
HIGH This Week

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Debian Linux +2
NVD
EPSS 6% CVSS 7.8
HIGH PATCH This Week

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

XXE Apache Pdfbox +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM Security AppScan Standard 8.7.x, 8.8.x, and 9.x before 9.0.3.2 and Security AppScan Enterprise allow remote authenticated users to read arbitrary files via an XML document containing an external. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Security Appscan
NVD
EPSS 4% CVSS 9.6
CRITICAL POC PATCH Act Now

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE PHP Ubuntu Linux +4
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Jboss Middleware +3
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

The XML parser in Cisco Information Server (CIS) 6.2 allows remote attackers to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XXE Denial Of Service +1
NVD
EPSS 7% CVSS 8.6
HIGH POC This Week

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE SAP +2
NVD
EPSS 14% CVSS 9.1
CRITICAL POC THREAT Emergency

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.9%.

Denial Of Service XXE SAP +2
NVD Exploit-DB
EPSS 1% CVSS 5.5
MEDIUM This Month

Apple iBooks Author before 2.4.1 allows remote attackers to read arbitrary files via an iBooks Author file containing an XML external entity declaration in conjunction with an entity reference,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple XXE Ibooks Author
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows remote authenticated users to read arbitrary files, send TCP requests to intranet servers, or cause a denial of service via an XML. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service XXE Granite Data Services
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Cisco Prime Infrastructure 2.2, 3.0, and 3.1(0.0) allows remote authenticated users to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Cisco XXE +2
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The XML parser in IBM WebSphere Portal 8.0.x before 8.0.0.1 CF20 and 8.5.x before 8.5.0.0 CF10 allows remote authenticated users to read arbitrary files or cause a denial of service via an external. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

IBM Denial Of Service XXE +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to read arbitrary files via a POST request containing an XML external entity declaration in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Documentum Xcp
NVD
EPSS 1% CVSS 5.0
MEDIUM POC This Month

Unspecified vulnerability in the Application Mgmt Pack for E-Business Suite component in Oracle E-Business Suite 12.1 and 12.2 allows remote attackers to affect confidentiality via vectors related to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +2
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Unspecified vulnerability in the Application Mgmt Pack for E-Business Suite component in Oracle E-Business Suite 12.1 and 12.2 allows remote attackers to affect confidentiality via vectors related to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +2
NVD
EPSS 1% CVSS 7.7
HIGH This Week

The Lotus Mashups component in IBM Mashup Center 3.0.0.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an XML external entity declaration in conjunction with an. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service XXE +1
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote attackers to read arbitrary files via an iBooks file containing an XML external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apple XXE Mac Os X +1
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

XXE Jenkins Openshift
NVD
EPSS 28% CVSS 4.3
MEDIUM This Month

The XML DTD parser in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2, and 4.6 allows remote attackers to read arbitrary files via an external entity declaration in conjunction. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 27.9% and no vendor patch available.

XXE Information Disclosure Microsoft +1
NVD
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

Unspecified vulnerability in the Oracle Report Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service XXE Oracle +1
NVD
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

Unspecified vulnerability in the Oracle iSupplier Portal component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Denial Of Service XXE Oracle +1
NVD
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Denial Of Service XXE Oracle +1
NVD
EPSS 30% CVSS 4.3
MEDIUM This Month

The InfoPath Forms Services component in Microsoft SharePoint Server 2007 SP3 and 2010 SP2 misparses DTDs, which allows remote attackers to read arbitrary files via an XML document containing an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 29.6% and no vendor patch available.

XXE Information Disclosure Microsoft +1
NVD
Prev Page 12 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy