Skip to main content

XXE

1233 CVEs technique

Monthly

CVE-2014-0644 HIGH POC THREAT Act Now

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 74.0%.

XXE Information Disclosure Cloud Tiering Appliance Software Cloud Tiering Appliance
NVD GitHub Exploit-DB VulDB
CVSS 2.0
7.8
EPSS
74.0%
Threat
5.3
CVE-2014-0002 Maven HIGH POC PATCH THREAT Act Now

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 28.7%.

XXE Privilege Escalation Apache Camel
NVD VulDB
CVSS 2.0
7.5
EPSS
28.7%
CVE-2014-2205 MEDIUM POC This Month

The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation XXE Epolicy Orchestrator
NVD
CVSS 2.0
6.3
EPSS
0.4%
CVE-2013-4590 Maven MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure XXE Debian Linux +1
NVD
CVSS 2.0
4.3
EPSS
0.9%
CVE-2014-0854 MEDIUM This Month

The server in IBM Cognos Business Intelligence (BI) 8.4.1, 10.1 before IF6, 10.1.1 before IF5, 10.2 before IF7, 10.2.1 before IF4, and 10.2.1.1 before IF4 allows remote authenticated users to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation XXE IBM Cognos Business Intelligence
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2013-6948 HIGH This Week

The peerAddresses API in the Belkin WeMo Home Automation firmware before 3949 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection XXE RCE Wemo Home Automation Firmware
NVD
CVSS 2.0
7.8
EPSS
0.5%
CVE-2014-1962 MEDIUM This Month

Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE SAP Customer Relationship Management
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2013-6440 Maven MEDIUM PATCH This Month

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure XXE Java Opensaml
NVD
CVSS 2.0
5.0
EPSS
0.8%
CVE-2013-5014 HIGH POC THREAT Act Now

The management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.2%.

XXE Endpoint Protection Manager Protection Center
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
86.2%
Threat
5.6
CVE-2014-1439 MEDIUM This Month

The libxml_disable_entity_loader function in runtime/ext/ext_simplexml.cpp in HipHop Virtual Machine for PHP (HHVM) before 2.4.0 and 2.3.x before 2.3.3 does not properly disable a certain libxml. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XXE Hiphop Virtual Machine For Php
NVD GitHub
CVSS 2.0
5.0
EPSS
0.4%
CVE-2013-7140 MEDIUM This Month

XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal XXE Open Xchange Appsuite
NVD
CVSS 2.0
4.0
EPSS
0.5%
CVE-2013-6429 Maven MEDIUM PATCH This Month

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Epss exploitation probability 38.7%.

CSRF Denial Of Service Java XXE Spring Framework
NVD
CVSS 2.0
6.8
EPSS
38.7%
CVE-2014-1626 MEDIUM This Month

XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation XXE Marc Xml
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2013-7315 Maven MEDIUM POC PATCH This Month

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF Privilege Escalation Java Denial Of Service XXE +1
NVD
CVSS 2.0
6.8
EPSS
0.2%
CVE-2013-4152 Maven MEDIUM POC PATCH THREAT This Month

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 72.3%.

CSRF Privilege Escalation Java Denial Of Service XXE +1
NVD GitHub
CVSS 2.0
6.8
EPSS
72.3%
Threat
5.0
CVE-2013-6447 MEDIUM PATCH This Month

Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure XXE Jboss Seam 2 Framework
NVD GitHub
CVSS 2.0
5.0
EPSS
1.4%
CVE-2013-0340 MEDIUM POC This Month

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Denial Of Service XXE Libexpat Python Ipados +4
NVD GitHub
CVSS 2.0
6.8
EPSS
0.1%
CVE-2013-0339 MEDIUM POC This Month

libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Denial Of Service XXE Libxml2 Ubuntu Linux +2
NVD
CVSS 2.0
6.8
EPSS
1.8%
CVE-2012-2997 MEDIUM POC This Month

XML External Entity (XXE) vulnerability in sam/admin/vpe2/public/php/server.php in F5 BIG-IP 10.0.0 through 10.2.4 and 11.0.0 through 11.2.1 allows remote authenticated users to read arbitrary files. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure XXE Big Ip Configuration Utility
NVD Exploit-DB
CVSS 2.0
4.0
EPSS
8.8%
CVE-2014-0423 MEDIUM This Month

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Oracle XXE Jrockit Jre +1
NVD
CVSS 2.0
5.5
EPSS
0.4%
CVE-2013-4069 MEDIUM This Month

The Portal application in IBM SPSS Collaboration and Deployment Services 4.2.1 before 4.2.1.3 IF3 and 5.0 before FP3 allows remote attackers to read arbitrary files via an XML external entity. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE IBM Spss Collaboration And Deployment Services
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2013-5452 LOW Monitor

IBM FileNet Business Process Framework 4.1.0 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure XXE IBM Filenet Business Process Framework
NVD
CVSS 2.0
3.5
EPSS
0.3%
CVE-2013-7095 CRITICAL Act Now

The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Customer Relationship Management
NVD
CVSS 2.0
10.0
EPSS
1.3%
CVE-2012-6612 Maven HIGH PATCH This Week

The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Apache XXE Solr
NVD
CVSS 2.0
7.5
EPSS
1.4%
CVE-2013-6408 Maven MEDIUM PATCH This Month

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 11.4%.

Apache XXE Solr
NVD
CVSS 2.0
6.4
EPSS
11.4%
CVE-2013-6407 Maven MEDIUM PATCH This Month

The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 11.4%.

Apache XXE Solr
NVD
CVSS 2.0
6.4
EPSS
11.4%
CVE-2013-6397 Maven MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 90.9%.

Apache Path Traversal XXE Solr
NVD
CVSS 2.0
4.3
EPSS
90.9%
Threat
5.1
CVE-2013-6822 CRITICAL Act Now

GRMGApp in SAP NetWeaver allows remote attackers to have unspecified impact and attack vectors, related to an XML External Entity (XXE) issue. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver
NVD
CVSS 2.0
10.0
EPSS
1.5%
CVE-2013-6815 MEDIUM This Month

The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS ABAP) in SAP NetWeaver 7.31 and earlier allows remote attackers to cause a denial of service via unspecified vectors, related to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE SAP Netweaver
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2013-4034 MEDIUM POC This Month

IBM Cognos Business Intelligence 8.4.1 before IF3, 10.1.0 before IF4, 10.1.1 before IF4, 10.2.0 before IF4, 10.2.1 before IF2, and 10.2.1.1 before IF1 allows remote authenticated users to read. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation XXE IBM Cognos Business Intelligence
NVD Exploit-DB
CVSS 2.0
4.0
EPSS
8.7%
CVE-2013-3617 LOW POC THREAT Monitor

The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 56.7%.

Privilege Escalation XXE Openbravo Erp
NVD Exploit-DB
CVSS 2.0
3.5
EPSS
56.7%
CVE-2013-4295 Maven MEDIUM POC PATCH THREAT This Month

The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote attackers to obtain sensitive information via an XML document containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 17.0%.

PHP Apache Information Disclosure XXE Shindig
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
17.0%
CVE-2013-6244 MEDIUM This Month

The Live Update webdynpro application (webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP) in SAP NetWeaver 7.31 and earlier allows remote attackers to read arbitrary files and directories via an XML. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2013-6025 MEDIUM POC This Month

The XMLParse procedure in SAP Sybase Adaptive Server Enterprise (ASE) 15.7 ESD 2 allows remote authenticated users to read arbitrary files via a SQL statement containing an XML document with an. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XXE SAP RCE Adaptive Server Enterprise
NVD Exploit-DB
CVSS 2.0
4.0
EPSS
8.5%
CVE-2012-4709 MEDIUM This Month

Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption). Rated medium severity (CVSS 6.9). No vendor patch available.

Buffer Overflow Denial Of Service XXE Wonderware Intouch
NVD
CVSS 2.0
6.9
EPSS
0.2%
CVE-2013-1881 MEDIUM This Month

GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XXE Librsvg
NVD
CVSS 2.0
4.3
EPSS
7.8%
CVE-2013-5490 HIGH This Week

Cisco Prime Data Center Network Manager (DCNM) before 6.2(1) allows remote attackers to read arbitrary text files via an XML external entity declaration in conjunction with an entity reference,. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE Cisco Prime Data Center Network Manager
NVD
CVSS 2.0
7.8
EPSS
0.6%
CVE-2013-1824 MEDIUM PATCH This Month

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

PHP XXE Enterprise Linux Mac Os X
NVD
CVSS 2.0
4.3
EPSS
2.1%
CVE-2013-3160 MEDIUM This Month

Microsoft Office 2003 SP3 and 2007 SP3, Word 2003 SP3 and 2007 SP3, and Word Viewer allow remote attackers to read arbitrary files via an XML document containing an external entity declaration in. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 27.6% and no vendor patch available.

Information Disclosure XXE Microsoft Office Word +1
NVD
CVSS 2.0
5.0
EPSS
27.6%
CVE-2013-3159 MEDIUM This Month

Microsoft Excel 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Excel Viewer; and Microsoft Office Compatibility Pack SP3 allow remote attackers to read arbitrary files via an XML document containing an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 25.4% and no vendor patch available.

XXE Microsoft Excel
NVD
CVSS 2.0
4.3
EPSS
25.4%
CVE-2013-4701 PHP HIGH POC PATCH This Week

Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Denial Of Service XXE Php Openid
NVD GitHub
CVSS 2.0
7.5
EPSS
0.9%
CVE-2013-2796 MEDIUM PATCH This Month

Schneider Electric Vijeo Citect 7.20 and earlier, CitectSCADA 7.20 and earlier, and PowerLogic SCADA 7.20 and earlier allow remote attackers to read arbitrary files, send HTTP requests to intranet. Rated medium severity (CVSS 6.9).

Privilege Escalation Denial Of Service Schneider Electric XXE Citectscada +2
NVD
CVSS 2.0
6.9
EPSS
0.1%
CVE-2013-2202 MEDIUM This Month

WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

WordPress Information Disclosure XXE
NVD
CVSS 2.0
4.3
EPSS
1.4%
CVE-2013-3925 MEDIUM POC This Month

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Atlassian XXE Crowd
NVD
CVSS 2.0
5.8
EPSS
0.3%
CVE-2013-1225 HIGH This Week

Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation XXE Cisco Unified Customer Voice Portal
NVD
CVSS 2.0
7.8
EPSS
0.6%
CVE-2013-0686 CRITICAL Act Now

Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service XXE Wonderware Information Server
NVD
CVSS 2.0
9.3
EPSS
0.5%
CVE-2013-3503 LOW Monitor

The Profile Importer feature in monarch.cgi in the MONARCH component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to read arbitrary files via an XML document containing an. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation XXE Groundwork Monitor
NVD
CVSS 2.0
3.5
EPSS
0.8%
CVE-2012-5657 PHP MEDIUM PATCH This Month

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Denial Of Service Information Disclosure XXE Zend Framework
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2013-1915 HIGH PATCH This Week

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Modsecurity Opensuse Fedora +1
NVD GitHub
CVSS 2.0
7.5
EPSS
4.8%
CVE-2012-4710 CRITICAL Act Now

Invensys Wonderware Win-XML Exporter 1522.148.0.0 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service XXE Wonderware Win Xml Exporter
NVD
CVSS 2.0
9.3
EPSS
0.5%
CVE-2013-1665 PyPI MEDIUM PATCH This Month

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure XXE Folsom Keystone Essex
NVD
CVSS 2.0
5.0
EPSS
3.0%
CVE-2013-1643 MEDIUM This Month

The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure XXE
NVD
CVSS 2.0
5.0
EPSS
1.2%
CVE-2013-1140 MEDIUM This Month

The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure XXE Cisco Security Monitoring Analysis And Response System
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2012-6531 PHP MEDIUM PATCH This Month

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

XXE Zend Framework
NVD
CVSS 2.0
6.4
EPSS
0.9%
CVE-2012-3363 PHP CRITICAL POC PATCH THREAT Act Now

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 55.1%.

XXE Zend Framework Fedora Debian Linux
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
55.1%
Threat
5.0
CVE-2012-5656 MEDIUM POC PATCH This Month

The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

XXE Inkscape Fedora Ubuntu Linux Opensuse
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2012-5769 MEDIUM This Month

IBM SPSS Modeler 14.0, 14.1, 14.2 through FP3, and 15.0 before FP2 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service XXE IBM Spss Modeler
NVD
CVSS 2.0
5.8
EPSS
0.6%
CVE-2012-2239 CRITICAL PATCH Act Now

Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP XXE Mahara Debian Linux
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2012-0818 Maven MEDIUM PATCH This Month

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure XXE Resteasy
NVD
CVSS 2.0
5.0
EPSS
1.4%
CVE-2012-4399 PHP HIGH POC PATCH THREAT Act Now

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.9%.

XXE Cakephp
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
24.9%
CVE-2012-3489 MEDIUM PATCH This Month

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE PostgreSQL Opensuse Mac Os X Server Ubuntu Linux +5
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2012-3488 MEDIUM This Month

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation XXE PostgreSQL
NVD
CVSS 2.0
4.9
EPSS
0.2%
CVE-2012-0037 MEDIUM POC PATCH This Month

Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Raptor Libreoffice Openoffice Fedora +9
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
EPSS 74% 5.3 CVSS 7.8
HIGH POC THREAT Act Now

EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 74.0%.

XXE Information Disclosure Cloud Tiering Appliance Software +1
NVD GitHub Exploit-DB VulDB
EPSS 29% CVSS 7.5
HIGH POC PATCH THREAT Act Now

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 28.7%.

XXE Privilege Escalation Apache +1
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation XXE Epolicy Orchestrator
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure +3
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The server in IBM Cognos Business Intelligence (BI) 8.4.1, 10.1 before IF6, 10.1.1 before IF5, 10.2 before IF7, 10.2.1 before IF4, and 10.2.1.1 before IF4 allows remote authenticated users to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation XXE IBM +1
NVD
EPSS 1% CVSS 7.8
HIGH This Week

The peerAddresses API in the Belkin WeMo Home Automation firmware before 3949 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection XXE RCE +1
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensitive information via unspecified vectors, related to an XML External Entity (XXE) issue. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE SAP +1
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure XXE Java +1
NVD
EPSS 86% 5.6 CVSS 7.5
HIGH POC THREAT Act Now

The management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.2%.

XXE Endpoint Protection Manager Protection Center
NVD Exploit-DB
EPSS 0% CVSS 5.0
MEDIUM This Month

The libxml_disable_entity_loader function in runtime/ext/ext_simplexml.cpp in HipHop Virtual Machine for PHP (HHVM) before 2.4.0 and 2.3.x before 2.3.3 does not properly disable a certain libxml. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XXE Hiphop Virtual Machine For Php
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM This Month

XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal XXE Open Xchange Appsuite
NVD
EPSS 39% CVSS 6.8
MEDIUM PATCH This Month

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Epss exploitation probability 38.7%.

CSRF Denial Of Service Java +2
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation XXE Marc Xml
NVD
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF Privilege Escalation Java +3
NVD
EPSS 72% 5.0 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 72.3%.

CSRF Privilege Escalation Java +3
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure XXE Jboss Seam 2 Framework
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC This Month

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Denial Of Service XXE Libexpat +6
NVD GitHub
EPSS 2% CVSS 6.8
MEDIUM POC This Month

libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Denial Of Service XXE +4
NVD
EPSS 9% CVSS 4.0
MEDIUM POC This Month

XML External Entity (XXE) vulnerability in sam/admin/vpe2/public/php/server.php in F5 BIG-IP 10.0.0 through 10.2.4 and 11.0.0 through 11.2.1 allows remote authenticated users to read arbitrary files. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure XXE +1
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Oracle XXE +3
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The Portal application in IBM SPSS Collaboration and Deployment Services 4.2.1 before 4.2.1.3 IF3 and 5.0 before FP3 allows remote attackers to read arbitrary files via an XML external entity. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE IBM +1
NVD
EPSS 0% CVSS 3.5
LOW Monitor

IBM FileNet Business Process Framework 4.1.0 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure XXE IBM +1
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

The XML parser (crm_flex_data) in SAP Customer Relationship Management (CRM) 7.02 EHP 2 has unknown impact and attack vectors related to an XML External Entity (XXE) issue. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Customer Relationship Management
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Apache XXE Solr
NVD
EPSS 11% CVSS 6.4
MEDIUM PATCH This Month

The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 11.4%.

Apache XXE Solr
NVD
EPSS 11% CVSS 6.4
MEDIUM PATCH This Month

The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 11.4%.

Apache XXE Solr
NVD
EPSS 91% 5.1 CVSS 4.3
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 90.9%.

Apache Path Traversal XXE +1
NVD
EPSS 2% CVSS 10.0
CRITICAL Act Now

GRMGApp in SAP NetWeaver allows remote attackers to have unspecified impact and attack vectors, related to an XML External Entity (XXE) issue. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS ABAP) in SAP NetWeaver 7.31 and earlier allows remote attackers to cause a denial of service via unspecified vectors, related to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE SAP +1
NVD
EPSS 9% CVSS 4.0
MEDIUM POC This Month

IBM Cognos Business Intelligence 8.4.1 before IF3, 10.1.0 before IF4, 10.1.1 before IF4, 10.2.0 before IF4, 10.2.1 before IF2, and 10.2.1.1 before IF1 allows remote authenticated users to read. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation XXE IBM +1
NVD Exploit-DB
EPSS 57% CVSS 3.5
LOW POC THREAT Monitor

The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authenticated users to read arbitrary files via an XML document with an external entity declaration in conjunction with an entity. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 56.7%.

Privilege Escalation XXE Openbravo Erp
NVD Exploit-DB
EPSS 17% CVSS 5.0
MEDIUM POC PATCH THREAT This Month

The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote attackers to obtain sensitive information via an XML document containing an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 17.0%.

PHP Apache Information Disclosure +2
NVD Exploit-DB
EPSS 1% CVSS 5.0
MEDIUM This Month

The Live Update webdynpro application (webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP) in SAP NetWeaver 7.31 and earlier allows remote attackers to read arbitrary files and directories via an XML. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver
NVD
EPSS 8% CVSS 4.0
MEDIUM POC This Month

The XMLParse procedure in SAP Sybase Adaptive Server Enterprise (ASE) 15.7 ESD 2 allows remote authenticated users to read arbitrary files via a SQL statement containing an XML document with an. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XXE SAP +2
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM This Month

Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption). Rated medium severity (CVSS 6.9). No vendor patch available.

Buffer Overflow Denial Of Service XXE +1
NVD
EPSS 8% CVSS 4.3
MEDIUM This Month

GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XXE Librsvg
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Cisco Prime Data Center Network Manager (DCNM) before 6.2(1) allows remote attackers to read arbitrary text files via an XML external entity declaration in conjunction with an entity reference,. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure XXE Cisco +1
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

PHP XXE Enterprise Linux +1
NVD
EPSS 28% CVSS 5.0
MEDIUM This Month

Microsoft Office 2003 SP3 and 2007 SP3, Word 2003 SP3 and 2007 SP3, and Word Viewer allow remote attackers to read arbitrary files via an XML document containing an external entity declaration in. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 27.6% and no vendor patch available.

Information Disclosure XXE Microsoft +3
NVD
EPSS 25% CVSS 4.3
MEDIUM This Month

Microsoft Excel 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Excel Viewer; and Microsoft Office Compatibility Pack SP3 allow remote attackers to read arbitrary files via an XML document containing an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 25.4% and no vendor patch available.

XXE Microsoft Excel
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Denial Of Service XXE +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Schneider Electric Vijeo Citect 7.20 and earlier, CitectSCADA 7.20 and earlier, and PowerLogic SCADA 7.20 and earlier allow remote attackers to read arbitrary files, send HTTP requests to intranet. Rated medium severity (CVSS 6.9).

Privilege Escalation Denial Of Service Schneider Electric +4
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

WordPress Information Disclosure XXE
NVD
EPSS 0% CVSS 5.8
MEDIUM POC This Month

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Atlassian XXE Crowd
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation XXE Cisco +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service XXE Wonderware Information Server
NVD
EPSS 1% CVSS 3.5
LOW Monitor

The Profile Importer feature in monarch.cgi in the MONARCH component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to read arbitrary files via an XML document containing an. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation XXE Groundwork Monitor
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Denial Of Service Information Disclosure XXE +1
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Modsecurity +3
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Invensys Wonderware Win-XML Exporter 1522.148.0.0 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service XXE Wonderware Win Xml Exporter
NVD
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure XXE +2
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure XXE
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The XML parser in Cisco Security Monitoring, Analysis, and Response System (MARS) allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure XXE Cisco +1
NVD
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

XXE Zend Framework
NVD
EPSS 55% 5.0 CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 55.1%.

XXE Zend Framework Fedora +1
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

XXE Inkscape Fedora +2
NVD
EPSS 1% CVSS 5.8
MEDIUM This Month

IBM SPSS Modeler 14.0, 14.1, 14.2 through FP3, and 15.0 before FP2 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service XXE IBM +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP XXE Mahara +1
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure XXE Resteasy
NVD
EPSS 25% CVSS 7.5
HIGH POC PATCH THREAT Act Now

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.9%.

XXE Cakephp
NVD Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE PostgreSQL Opensuse +7
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation XXE PostgreSQL
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Raptor Libreoffice +11
NVD GitHub
Prev Page 14 of 14

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy