Skip to main content

XXE

1233 CVEs technique

Monthly

CVE-2021-28684 MEDIUM POC This Month

The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Powerarchiver
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-21669 Maven CRITICAL PATCH Act Now

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Generic Webhook Trigger
NVD
CVSS 3.1
9.8
EPSS
25.7%
CVE-2021-33813 Maven HIGH POC PATCH THREAT This Week

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE Jdom Solr Tika +3
NVD GitHub
CVSS 3.1
7.5
EPSS
19.4%
CVE-2021-27635 MEDIUM PATCH This Month

SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE SAP Netweaver Application Server For Java
NVD
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-27492 MEDIUM This Month

When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Crosscadware Keyshot Solid Edge Se2020 Firmware Solid Edge Se2021 Firmware
NVD
CVSS 3.1
5.5
EPSS
1.7%
CVE-2021-20492 HIGH PATCH This Week

IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Java Websphere Application Server
NVD
CVSS 3.1
8.2
EPSS
2.1%
CVE-2021-21659 Maven HIGH PATCH This Week

Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Urltrigger
NVD
CVSS 3.1
8.1
EPSS
66.8%
CVE-2021-21658 Maven CRITICAL PATCH Act Now

Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Nuget
NVD
CVSS 3.1
9.1
EPSS
1.5%
CVE-2021-21657 Maven HIGH PATCH This Week

Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Filesystem Trigger
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-32925 MEDIUM POC PATCH This Month

admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XXE Chamilo
NVD GitHub
CVSS 3.1
6.5
EPSS
1.9%
CVE-2021-22140 HIGH This Week

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XXE Elastic App Search
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-21656 Maven HIGH PATCH This Week

Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Xcode Integration
NVD
CVSS 3.1
7.1
EPSS
1.5%
CVE-2021-30006 HIGH This Week

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-1530 HIGH This Week

A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Denial Of Service XXE Broadworks Messaging Server
NVD
CVSS 3.1
7.1
EPSS
1.1%
CVE-2021-1369 MEDIUM This Month

A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Denial Of Service XXE Firepower Device Manager
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2021-29140 HIGH This Week

A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.9, 6.7.14-HF1. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Aruba Clearpass
NVD
CVSS 3.1
8.2
EPSS
1.6%
CVE-2021-25163 HIGH This Week

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Aruba Airwave
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2021-25165 HIGH This Week

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Aruba Airwave
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2021-25164 MEDIUM This Month

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Aruba Airwave
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-27736 MEDIUM POC PATCH This Month

FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Saml V2
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-21642 Maven HIGH PATCH This Week

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Config File Provider
NVD
CVSS 3.1
8.1
EPSS
37.8%
CVE-2021-20454 HIGH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
CVSS 3.1
8.2
EPSS
2.9%
CVE-2021-20453 HIGH PATCH This Week

IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Websphere Application Server
NVD
CVSS 3.1
8.2
EPSS
2.6%
CVE-2021-29447 MEDIUM POC THREAT This Month

Wordpress is an open source CMS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XXE Debian Linux
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
85.7%
CVE-2021-27604 MEDIUM This Month

In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Java Netweaver Process Integration
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-28973 MEDIUM POC This Month

The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Helix Alm
NVD
CVSS 3.1
4.9
EPSS
0.9%
CVE-2021-22158 HIGH This Week

The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Insider Threat Management
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2021-29421 PyPI HIGH PATCH This Week

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Python XXE Pikepdf Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-20502 HIGH PATCH This Week

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Engineering Insights Engineering Lifecycle Management Engineering Requirements Quality Assistant On Premises +3
NVD
CVSS 3.1
7.1
EPSS
1.4%
CVE-2021-20482 HIGH This Week

IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Cloud Pak For Automation
NVD
CVSS 3.1
7.1
EPSS
1.4%
CVE-2021-1628 CRITICAL Act Now

MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mule
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-28110 HIGH This Week

/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Tranzware E Commerce Payment Gateway
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-26969 MEDIUM This Month

A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Aruba Airwave
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-27931 CRITICAL POC THREAT Act Now

LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Lumis Experience Platform
NVD GitHub
CVSS 3.1
9.1
EPSS
18.6%
CVE-2021-26703 CRITICAL POC PATCH Act Now

EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Eprints
NVD GitHub
CVSS 3.1
9.8
EPSS
4.0%
CVE-2021-21517 HIGH This Week

SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Emc Srs Policy Manager
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2021-27184 HIGH POC This Week

Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Digital Sentry Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-20353 HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Websphere Application Server
NVD
CVSS 3.1
8.2
EPSS
5.2%
CVE-2021-21266 MEDIUM PATCH This Month

openHAB is a vendor and technology agnostic open source automation software for your home. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Openhab
NVD GitHub
CVSS 3.1
5.0
EPSS
1.1%
CVE-2021-23901 Maven CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XXE Nutch Snap Creator Framework
NVD
CVSS 3.1
9.1
EPSS
4.4%
CVE-2021-22498 HIGH This Week

XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Application Lifecycle Management
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2021-23899 Maven CRITICAL PATCH Act Now

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Json Sanitizer
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2021-21470 MEDIUM This Month

SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Microsoft XXE SAP Enterprise Performance Management
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2020-28736 PyPI HIGH PATCH This Week

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Plone
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-28734 PyPI HIGH PATCH This Week

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Plone
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-26247 Ruby MEDIUM PATCH This Month

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Nokogiri Debian Linux
NVD GitHub
CVSS 3.1
4.3
EPSS
1.1%
CVE-2020-35604 CRITICAL POC Act Now

An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Web Time And Attendance
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2020-35123 MEDIUM This Month

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Collaboration
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-29436 MEDIUM This Month

Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nexus Repository Manager
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-26513 MEDIUM POC This Month

An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Codebeamer
NVD
CVSS 3.1
5.5
EPSS
0.9%
CVE-2020-25649 Maven HIGH PATCH This Week

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jackson Databind Oncommand Api Services Oncommand Workflow Automation Service Level Manager +35
NVD GitHub
CVSS 3.1
7.5
EPSS
17.6%
CVE-2020-2324 Maven HIGH PATCH This Week

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Cvs
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2017-15685 Maven HIGH PATCH This Week

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Crafter Cms
NVD VulDB
CVSS 3.1
8.6
EPSS
1.7%
CVE-2020-26229 PHP LOW PATCH Monitor

TYPO3 is an open source PHP based web content management system. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.

XXE PHP Typo3
NVD GitHub
CVSS 3.1
3.7
EPSS
0.6%
CVE-2020-7572 HIGH PATCH This Week

A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service SSRF XXE Webreports
NVD
CVSS 3.1
8.8
EPSS
1.8%
CVE-2020-7032 MEDIUM POC This Month

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Aura System Manager Weblm
NVD
CVSS 3.1
6.5
EPSS
3.5%
CVE-2020-24454 HIGH PATCH This Week

Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Intel XXE Information Disclosure Quartus Prime
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-27017 MEDIUM POC This Month

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Trend Micro XXE Interscan Messaging Security Virtual Appliance
NVD
CVSS 3.1
4.9
EPSS
6.4%
CVE-2020-2315 Maven MEDIUM PATCH This Month

Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Visualworks Store
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-2305 Maven MEDIUM PATCH This Month

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Mercurial
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-2304 Maven MEDIUM PATCH This Month

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Subversion
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-15352 HIGH This Week

An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF XXE Connect Secure Pulse Connect Secure Policy Secure +1
NVD
CVSS 3.1
7.2
EPSS
3.2%
CVE-2020-25186 HIGH This Week

An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Levistudiou
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-4772 HIGH This Week

An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Denial Of Service IBM XXE Curam Social Program Management
NVD
CVSS 3.1
8.1
EPSS
1.5%
CVE-2020-2298 Maven MEDIUM This Month

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Nerrvana
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-15232 Maven CRITICAL PATCH Act Now

In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Print
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2020-13940 Maven MEDIUM PATCH This Month

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
CVSS 3.1
5.5
EPSS
1.9%
CVE-2020-8256 MEDIUM POC This Month

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Connect Secure Pulse Connect Secure
NVD
CVSS 3.1
4.9
EPSS
3.4%
CVE-2020-21524 CRITICAL POC Act Now

There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) needs to parse the xml file, but it is not. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XXE Halo
NVD GitHub
CVSS 3.1
9.1
EPSS
1.5%
CVE-2020-2284 Maven HIGH PATCH This Week

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Liquibase Runner
NVD
CVSS 3.1
7.1
EPSS
0.9%
CVE-2020-4643 HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Websphere Application Server
NVD
CVSS 3.1
7.5
EPSS
2.8%
CVE-2020-14029 HIGH POC This Week

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Ozeki Ng Sms Gateway
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-15772 MEDIUM This Month

An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF XXE Enterprise
NVD GitHub
CVSS 3.1
4.9
EPSS
1.2%
CVE-2020-25750 PHP HIGH POC PATCH This Week

An issue was discovered in DotPlant2 before 2020-09-14. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Dotplant2
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-25215 CRITICAL Act Now

yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Yed
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-11991 HIGH POC THREAT This Week

When using the StreamGenerator, the code parse a user-provided XML. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Cocoon
NVD
CVSS 3.1
7.5
EPSS
72.5%
CVE-2020-25257 CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Onbase
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-17408 HIGH PATCH This Week

This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Expresscluster X
NVD
CVSS 3.1
7.5
EPSS
74.0%
CVE-2020-24379 CRITICAL POC PATCH Act Now

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Yaws Ubuntu Linux Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
3.4%
CVE-2020-2247 Maven MEDIUM PATCH This Month

Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Klocwork Analysis
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-2245 Maven HIGH This Week

Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Valgrind
NVD
CVSS 3.1
7.1
EPSS
0.9%
CVE-2020-25020 Maven CRITICAL PATCH Act Now

MPXJ through 8.1.3 allows XXE attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Mpxj Primavera Unifier
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-17376 PyPI HIGH POC PATCH This Week

An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Nova
NVD
CVSS 3.1
8.3
EPSS
1.7%
CVE-2020-24656 MEDIUM POC This Month

Maltego before 4.2.12 allows XXE attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Maltego
NVD
CVSS 3.1
6.5
EPSS
3.7%
CVE-2020-24591 MEDIUM This Month

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Api Manager Api Manager Analytics Api Microgateway Enterprise Integrator +1
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2020-24589 CRITICAL POC PATCH THREAT Act Now

The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Api Manager Api Microgateway
NVD
CVSS 3.1
9.1
EPSS
26.9%
CVE-2020-24052 CRITICAL POC Act Now

Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Exvf5C 2 Firmware Exvp7C2 3 Firmware
NVD
CVSS 3.1
9.1
EPSS
1.9%
CVE-2020-4481 HIGH This Week

IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Urbancode Deploy
NVD
CVSS 3.1
8.2
EPSS
2.0%
CVE-2020-4377 CRITICAL Act Now

IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Cognos Analytics
NVD
CVSS 3.1
9.1
EPSS
2.1%
CVE-2020-4463 HIGH POC PATCH THREAT This Week

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Maximo Asset Management
NVD
CVSS 3.1
8.2
EPSS
31.6%
EPSS 1% CVSS 4.3
MEDIUM POC This Month

The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Powerarchiver
NVD
EPSS 26% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Generic Webhook Trigger
NVD
EPSS 19% CVSS 7.5
HIGH POC PATCH THREAT This Week

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE Jdom +5
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE SAP Netweaver Application Server For Java
NVD
EPSS 2% CVSS 5.5
MEDIUM This Month

When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Crosscadware Keyshot +2
NVD
EPSS 2% CVSS 8.2
HIGH PATCH This Week

IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Java +1
NVD
EPSS 67% CVSS 8.1
HIGH PATCH This Week

Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Urltrigger
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Nuget
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Filesystem Trigger
NVD
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XXE Chamilo
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XXE Elastic App Search
NVD
EPSS 2% CVSS 7.1
HIGH PATCH This Week

Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Xcode Integration
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Intellij Idea
NVD
EPSS 1% CVSS 7.1
HIGH This Week

A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Denial Of Service XXE +1
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Denial Of Service XXE +1
NVD
EPSS 2% CVSS 8.2
HIGH This Week

A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.9, 6.7.14-HF1. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Aruba Clearpass
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Aruba Airwave
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Aruba Airwave
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Aruba Airwave
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Saml V2
NVD GitHub
EPSS 38% CVSS 8.1
HIGH PATCH This Week

Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Config File Provider
NVD
EPSS 3% CVSS 8.2
HIGH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Websphere Application Server
NVD
EPSS 3% CVSS 8.2
HIGH PATCH This Week

IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Websphere Application Server
NVD
EPSS 86% CVSS 6.5
MEDIUM POC THREAT This Month

Wordpress is an open source CMS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XXE +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM This Month

In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Java +1
NVD
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Helix Alm
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Insider Threat Management
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Python XXE Pikepdf +1
NVD GitHub
EPSS 1% CVSS 7.1
HIGH PATCH This Week

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Engineering Insights +5
NVD
EPSS 1% CVSS 7.1
HIGH This Week

IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Cloud Pak For Automation
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mule
NVD
EPSS 1% CVSS 7.5
HIGH This Week

/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Tranzware E Commerce Payment Gateway
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service XXE Aruba +1
NVD
EPSS 19% CVSS 9.1
CRITICAL POC THREAT Act Now

LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Lumis Experience Platform
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Eprints
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Emc Srs Policy Manager
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Digital Sentry Server
NVD GitHub
EPSS 5% CVSS 8.2
HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Websphere Application Server
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

openHAB is a vendor and technology agnostic open source automation software for your home. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Openhab
NVD GitHub
EPSS 4% CVSS 9.1
CRITICAL PATCH Act Now

An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XXE Nutch +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Application Lifecycle Management
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Json Sanitizer
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Microsoft XXE SAP +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Plone
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Plone
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Nokogiri +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Web Time And Attendance
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Collaboration
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nexus Repository Manager
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Codebeamer
NVD
EPSS 18% CVSS 7.5
HIGH PATCH This Week

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Jackson Databind Oncommand Api Services +37
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Cvs
NVD
EPSS 2% CVSS 8.6
HIGH PATCH This Week

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Crafter Cms
NVD VulDB
EPSS 1% CVSS 3.7
LOW PATCH Monitor

TYPO3 is an open source PHP based web content management system. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.

XXE PHP Typo3
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service SSRF XXE +1
NVD
EPSS 4% CVSS 6.5
MEDIUM POC This Month

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Aura System Manager +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Intel XXE Information Disclosure +1
NVD
EPSS 6% CVSS 4.9
MEDIUM POC This Month

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Trend Micro XXE Interscan Messaging Security Virtual Appliance
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Visualworks Store
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Mercurial
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Subversion
NVD
EPSS 3% CVSS 7.2
HIGH This Week

An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF XXE Connect Secure +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Levistudiou
NVD
EPSS 1% CVSS 8.1
HIGH This Week

An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Denial Of Service IBM +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Jenkins Nerrvana
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Print
NVD GitHub
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
EPSS 3% CVSS 4.9
MEDIUM POC This Month

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Connect Secure Pulse Connect Secure
NVD
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) needs to parse the xml file, but it is not. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XXE Halo
NVD GitHub
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Liquibase Runner
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Websphere Application Server
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Ozeki Ng Sms Gateway
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM This Month

An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF XXE Enterprise
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An issue was discovered in DotPlant2 before 2020-09-14. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Dotplant2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Yed
NVD
EPSS 72% CVSS 7.5
HIGH POC THREAT This Week

When using the StreamGenerator, the code parse a user-provided XML. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Cocoon
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Onbase
NVD
EPSS 74% CVSS 7.5
HIGH PATCH This Week

This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Expresscluster X
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Yaws Ubuntu Linux +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Klocwork Analysis
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins XXE Valgrind
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

MPXJ through 8.1.3 allows XXE attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Mpxj Primavera Unifier
NVD GitHub
EPSS 2% CVSS 8.3
HIGH POC PATCH This Week

An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Nova
NVD
EPSS 4% CVSS 6.5
MEDIUM POC This Month

Maltego before 4.2.12 allows XXE attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Maltego
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Api Manager Api Manager Analytics +3
NVD
EPSS 27% CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Api Manager Api Microgateway
NVD
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Exvf5C 2 Firmware Exvp7C2 3 Firmware
NVD
EPSS 2% CVSS 8.2
HIGH This Week

IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Urbancode Deploy
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XXE Cognos Analytics
NVD
EPSS 32% CVSS 8.2
HIGH POC PATCH THREAT This Week

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Maximo Asset Management
NVD
Prev Page 7 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy