Skip to main content

XXE

1231 CVEs technique

Monthly

CVE-2024-25129 MEDIUM This Month

The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Codeql Cli
NVD GitHub
CVSS 3.1
5.5
EPSS
0.8%
CVE-2024-25606 Maven HIGH PATCH This Week

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Digital Experience Platform Liferay Portal
NVD
CVSS 3.1
8.7
EPSS
0.5%
CVE-2024-22024 HIGH POC THREAT This Week

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ivanti XXE Connect Secure Policy Secure Zero Trust Access Gateway
NVD
CVSS 3.1
8.3
EPSS
94.7%
CVE-2024-24743 HIGH This Week

SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE SAP Netweaver Application Server Java
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-1167 HIGH This Week

When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Movitools Motionstudio
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-22380 MEDIUM This Month

Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Delivery Check System
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-21796 MEDIUM This Month

Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Deliverables Creation Support Tool
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-21765 MEDIUM This Month

Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Delivery Check System Electronic Delivery Item Inspection Support System
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-23525 MEDIUM POC This Month

The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Spreadsheet
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-45139 PyPI HIGH POC PATCH This Week

fontTools is a library for manipulating fonts, written in Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XXE Fonttools
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2023-6149 Maven MEDIUM PATCH This Month

Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jenkins Web Application Screening
NVD
CVSS 3.1
5.7
EPSS
0.2%
CVE-2023-6147 Maven MEDIUM PATCH This Month

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jenkins Policy Compliance
NVD
CVSS 3.1
5.7
EPSS
0.2%
CVE-2023-26999 CRITICAL POC Act Now

An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE RCE Ngeniusone
NVD VulDB
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-52252 CRITICAL POC Act Now

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Unified Remote
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-46265 CRITICAL Act Now

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Avalanche
NVD
CVSS 3.1
9.8
EPSS
4.0%
CVE-2023-6280 HIGH This Week

An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Wps
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-6836 Maven HIGH PATCH This Week

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Api Manager Api Manager Analytics Api Microgateway Enterprise Integrator +3
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-6721 HIGH This Week

An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Repox
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-6194 HIGH POC This Week

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XXE Memory Analyzer
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2023-49735 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal XXE SSRF Tiles
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-49733 Maven CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.2.0 before 2.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Cocoon
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-49656 Maven CRITICAL PATCH Act Now

Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Matlab
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-22274 HIGH This Week

Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe XXE Information Disclosure Robohelp Server
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-46590 HIGH PATCH This Week

A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Siemens Siemens Opc Ua Modeling Editor
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-4218 Maven MEDIUM POC PATCH This Month

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. Public exploit code available.

XXE Eclipse Ide Org Eclipse Core Runtime Pde
NVD GitHub
CVSS 3.1
5.0
EPSS
0.4%
CVE-2023-5136 MEDIUM This Month

An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Topografix Data Plugin Diadem Veristand +1
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2023-46802 MEDIUM This Month

e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE E Tax
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-46502 Maven CRITICAL PATCH Act Now

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Opencrx
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-43067 MEDIUM This Month

Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Dell Unity Operating Environment Unity Xt Operating Environment Unityvsa Operating Environment
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-43624 MEDIUM This Month

CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Cx Designer
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-45727 HIGH KEV THREAT This Week

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Proself
NVD
CVSS 3.1
7.5
EPSS
3.5%
CVE-2023-36419 CRITICAL PATCH Act Now

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Microsoft Azure Hdinsight
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-41365 MEDIUM This Month

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE Business One
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-45612 CRITICAL PATCH Act Now

In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Ktor
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-42445 MEDIUM This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2023-42132 MEDIUM This Month

FD Application Apr. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Fd Application
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-38343 HIGH This Week

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti SSRF XXE Endpoint Manager
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-3892 HIGH This Week

Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. No vendor patch available.

XXE Assistant Client
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2023-41369 PyPI MEDIUM This Month

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE S 4 Hana
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-41933 Maven HIGH PATCH This Week

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Job Configuration History
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-41932 Maven MEDIUM PATCH This Month

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Job Configuration History
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-35892 CRITICAL Act Now

IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE IBM Financial Transaction Manager
NVD
CVSS 3.1
9.1
EPSS
0.8%
CVE-2023-40239 HIGH This Week

Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE C2132 Firmware Cs310 Firmware Cs317 Firmware +78
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-41034 Maven CRITICAL PATCH Act Now

Eclipse Leshan is a device management server and client Java implementation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Leshan
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-41635 MEDIUM POC This Month

A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Realgimm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-24620 Maven MEDIUM POC This Month

An issue was discovered in Esoteric YamlBeans through 1.15. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Yamlbeans
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2023-40612 HIGH PATCH This Week

In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity.

XXE Horizon Meridian
NVD GitHub
CVSS 3.1
8.0
EPSS
0.4%
CVE-2023-0871 Maven MEDIUM PATCH This Month

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity.

XXE Horizon Meridian
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-3823 HIGH POC This Week

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-32567 CRITICAL Act Now

Ivanti Avalanche decodeToMap XML External Entity Processing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Avalanche
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2023-35389 MEDIUM PATCH This Month

Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

RCE XXE Microsoft Dynamics 365
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-37497 HIGH This Week

The Unica application exposes an API which accepts arbitrary XML input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Unica
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-30951 MEDIUM This Month

The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Magritte Rest Source Bundle
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-37364 CRITICAL Act Now

In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE J Wbem
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2023-38490 PHP CRITICAL PATCH Act Now

Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Kirby
NVD GitHub
CVSS 3.1
10.0
EPSS
1.5%
CVE-2023-32639 MEDIUM This Month

Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Applicant Programme
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-32635 MEDIUM This Month

XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Xbrl Data Create
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-20918 CRITICAL PATCH Act Now

In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Android
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-37942 Maven MEDIUM PATCH This Month

Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE External Monitor Job Type
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-37200 MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Ecostruxure Opc Ua Server Expert
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-35786 MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
4.9
EPSS
3.0%
CVE-2023-3113 HIGH This Week

An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Xclarity Administrator
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-3276 Maven HIGH POC This Week

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Hutool
NVD VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-24470 CRITICAL Act Now

Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Arcsight Logger
NVD
CVSS 3.1
9.1
EPSS
0.9%
CVE-2023-29498 MEDIUM This Month

Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Frenic Rhc Loader
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-34411 Cargo HIGH POC PATCH This Week

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <!. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE Xml Library
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-32706 MEDIUM This Month

On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Splunk Denial Of Service XXE Splunk Cloud Platform
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-2806 HIGH POC This Week

A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE E Cology
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-20174 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF Identity Services Engine
NVD
CVSS 3.1
4.9
EPSS
0.7%
CVE-2023-20173 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF Identity Services Engine
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2023-2161 MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE Opc Factory Server
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-27554 MEDIUM PATCH This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Websphere Application Server
NVD
CVSS 3.1
6.3
EPSS
0.9%
CVE-2023-27527 HIGH This Week

Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Shinseiyo Sogo Soft
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2023-30467 CRITICAL Act Now

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Authentication Bypass Ms N5008 Uc Firmware Ms N1008 Unc Firmware Ms N1008 Uc Firmware +18
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-30466 CRITICAL Act Now

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ms N5008 Uc Firmware Ms N1008 Unc Firmware Ms N1008 Uc Firmware Ms N1004 Uc Firmware +17
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-29443 MEDIUM This Month

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Assetexplorer Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp +1
NVD
CVSS 3.1
4.9
EPSS
3.0%
CVE-2023-28009 HIGH This Week

HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Workload Automation
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2023-28008 HIGH This Week

HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Workload Automation
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2023-26058 MEDIUM This Month

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nokia CSRF Netact
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-26057 MEDIUM This Month

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nokia CSRF Netact
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-26264 MEDIUM This Month

All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Data Catalog
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-26263 MEDIUM This Month

All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Data Catalog
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-28828 MEDIUM This Month

A vulnerability has been identified in Polarion ALM (All versions < V22R2). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Polarion Alm
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2023-25955 MEDIUM This Month

National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE National Land Numerical Information Data Conversion Tool
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-28340 MEDIUM PATCH This Month

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Zoho Manageengine Applications Manager
NVD
CVSS 3.1
6.5
EPSS
3.2%
CVE-2023-27876 HIGH PATCH This Week

IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Tririga Application Platform
NVD
CVSS 3.1
7.1
EPSS
0.9%
CVE-2023-20030 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF Identity Services Engine
NVD
CVSS 3.1
6.0
EPSS
0.8%
CVE-2023-28684 Maven MEDIUM This Month

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Remote Jobs View
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-28683 Maven HIGH This Week

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Phabricator Differential
NVD
CVSS 3.1
8.2
EPSS
0.6%
CVE-2023-28682 Maven HIGH This Week

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Performance Publisher
NVD
CVSS 3.1
8.2
EPSS
0.6%
EPSS 1% CVSS 5.5
MEDIUM This Month

The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Codeql Cli
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Digital Experience Platform Liferay Portal
NVD
EPSS 95% CVSS 8.3
HIGH POC THREAT This Week

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ivanti XXE Connect Secure +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java XXE SAP +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Movitools Motionstudio
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Delivery Check System
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Deliverables Creation Support Tool
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electronic Delivery Check System Electronic Delivery Item Inspection Support System
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Spreadsheet
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

fontTools is a library for manipulating fonts, written in Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XXE Fonttools
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jenkins Web Application Screening
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jenkins Policy Compliance
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE RCE +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Unified Remote
NVD Exploit-DB
EPSS 4% CVSS 9.8
CRITICAL Act Now

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Avalanche
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Wps
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Api Manager Api Manager Analytics +5
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Repox
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XXE Memory Analyzer
NVD
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal XXE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.2.0 before 2.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Cocoon
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Matlab
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to information disclosure by an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe XXE Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME) (All versions < V2.8). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Siemens Siemens Opc Ua Modeling Editor
NVD
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. Public exploit code available.

XXE Eclipse Ide Org Eclipse Core Runtime +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE Topografix Data Plugin +3
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

e-Tax software Version3.0.10 and earlier improperly restricts XML external entity references (XXE) due to the configuration of the embedded XML parser. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE E Tax
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Opencrx
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Dell Unity Operating Environment +2
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Cx Designer
NVD
EPSS 4% CVSS 7.5
HIGH KEV THREAT This Week

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Proself
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Apache XXE Microsoft +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP Information Disclosure XXE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Ktor
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

FD Application Apr. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Fd Application
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti SSRF XXE +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. No vendor patch available.

XXE Assistant Client
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP XXE S 4 Hana
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Job Configuration History
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Job Configuration History
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE IBM Financial Transaction Manager
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE C2132 Firmware +80
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Eclipse Leshan is a device management server and client Java implementation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Leshan
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Realgimm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

An issue was discovered in Esoteric YamlBeans through 1.15. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Yamlbeans
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity.

XXE Horizon Meridian
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity.

XXE Horizon Meridian
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Fedora +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Ivanti Avalanche decodeToMap XML External Entity Processing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Avalanche
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

RCE XXE Microsoft +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Unica application exposes an API which accepts arbitrary XML input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Unica
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Magritte Rest Source Bundle
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE J Wbem
NVD
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Kirby
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Applicant Programme
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Xbrl Data Create
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Android
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE External Monitor Job Type
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause loss of confidentiality when replacing a project file on the local filesystem and after manual. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Ecostruxure Opc Ua Server Expert
NVD
EPSS 3% CVSS 4.9
MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Admanager Plus
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Xclarity Administrator
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Hutool
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Potential XML External Entity Injection in ArcSight Logger versions prior to 7.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Arcsight Logger
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Frenic Rhc Loader
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <!. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE Xml Library
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Splunk Denial Of Service XXE +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE E Cology
NVD GitHub VulDB
EPSS 1% CVSS 4.9
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF +1
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

XXE Opc Factory Server
NVD
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Websphere Application Server
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Shinseiyo Sogo Soft (7.9A) and earlier improperly restricts XML external entity references (XXE). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Shinseiyo Sogo Soft
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Authentication Bypass Ms N5008 Uc Firmware +20
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to a weak password reset mechanism at the Milesight. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Ms N5008 Uc Firmware Ms N1008 Unc Firmware +19
NVD
EPSS 3% CVSS 4.9
MEDIUM This Month

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Assetexplorer +3
NVD
EPSS 1% CVSS 8.1
HIGH This Week

HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Workload Automation
NVD
EPSS 1% CVSS 8.1
HIGH This Week

HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Workload Automation
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nokia CSRF +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nokia CSRF +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Data Catalog
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Data Catalog
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

A vulnerability has been identified in Polarion ALM (All versions < V22R2). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Polarion Alm
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE National Land Numerical Information Data Conversion Tool
NVD
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Zoho Manageengine Applications Manager
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

IBM TRIRIGA 4.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Tririga Application Platform
NVD
EPSS 1% CVSS 6.0
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XXE SSRF +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Remote Jobs View
NVD
EPSS 1% CVSS 8.2
HIGH This Week

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Phabricator Differential
NVD
EPSS 1% CVSS 8.2
HIGH This Week

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Performance Publisher
NVD
Prev Page 4 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy