Skip to main content

XXE

1233 CVEs technique

Monthly

CVE-2019-4062 HIGH This Week

IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM I2 Intelligent Analysis Platform
NVD
CVSS 3.1
7.1
EPSS
1.6%
CVE-2019-10266 HIGH POC THREAT This Week

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Cloud Backup Suite
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
13.3%
CVE-2019-10264 HIGH POC This Week

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Cloud Backup Suite
NVD
CVSS 3.0
7.2
EPSS
1.3%
CVE-2019-13990 Maven CRITICAL PATCH Act Now

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Quartz Apache Batik Mapviewer Banking Enterprise Originations +28
NVD GitHub
CVSS 3.1
9.8
EPSS
16.2%
CVE-2019-14277 CRITICAL POC Act Now

Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF RCE Securetransport
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
7.3%
CVE-2019-10976 MEDIUM This Month

Mitsubishi Electric FR Configurator2, Version 1.16S and prior. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electric Fr Configurator2 Firmware
NVD
CVSS 3.0
5.5
EPSS
1.0%
CVE-2019-2861 MEDIUM POC PATCH This Month

Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. Public exploit code available.

XXE Oracle Hyperion Planning
NVD Exploit-DB
CVSS 3.0
4.2
EPSS
4.3%
CVE-2019-1010202 MEDIUM POC This Month

Jeesite 1.2.7 is affected by: XML External Entity (XXE). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Information Disclosure Jeesite
NVD GitHub
CVSS 3.0
6.5
EPSS
1.3%
CVE-2019-7847 HIGH This Week

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Adobe Campaign
NVD
CVSS 3.0
7.5
EPSS
3.3%
CVE-2019-1010268 PyPI CRITICAL POC PATCH Act Now

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Information Disclosure Ladon
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
5.7%
CVE-2019-13625 CRITICAL POC Act Now

NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Ghidra
NVD GitHub
CVSS 3.0
9.1
EPSS
2.4%
CVE-2019-12924 CRITICAL Act Now

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mailenable
NVD
CVSS 3.0
9.8
EPSS
0.9%
CVE-2019-13358 HIGH POC THREAT This Week

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Opencats
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
23.8%
CVE-2019-13031 HIGH This Week

LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Lemonldap Debian Linux
NVD
CVSS 3.0
8.1
EPSS
1.9%
CVE-2019-9843 Maven HIGH PATCH This Week

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle Maven
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
CVE-2019-11392 HIGH POC This Week

BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Blogengine Net
NVD
CVSS 3.0
7.5
EPSS
1.6%
CVE-2019-10718 HIGH POC This Week

BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Blogengine Net
NVD
CVSS 3.0
7.5
EPSS
2.7%
CVE-2019-1903 CRITICAL Act Now

A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Cisco Security Manager
NVD
CVSS 3.0
9.1
EPSS
2.2%
CVE-2019-0948 MEDIUM POC PATCH THREAT This Month

An information disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft Information Disclosure Windows 10 Windows 7 +6
NVD Exploit-DB
CVSS 3.1
4.7
EPSS
12.7%
CVE-2019-12154 CRITICAL Act Now

XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Pdfreactor
NVD
CVSS 3.0
9.1
EPSS
2.3%
CVE-2019-10337 Maven HIGH PATCH This Week

An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Jenkins Token Macro
NVD
CVSS 3.0
7.5
EPSS
2.0%
CVE-2019-3722 HIGH This Week

Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Dell Emc Openmanage Server Administrator
NVD
CVSS 3.0
7.5
EPSS
3.8%
CVE-2019-10327 Maven HIGH PATCH This Week

An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SSRF Jenkins Pipeline Maven Integration
NVD
CVSS 3.0
8.1
EPSS
1.5%
CVE-2019-0188 Maven HIGH PATCH This Week

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Apache Camel Enterprise Data Quality Enterprise Manager Base Platform +2
NVD GitHub
CVSS 3.1
7.5
EPSS
8.5%
CVE-2019-7442 CRITICAL POC THREAT Act Now

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Hashicorp Enterprise Password Vault
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
40.0%
CVE-2019-4208 HIGH PATCH This Week

IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Tririga Application Platform
NVD
CVSS 3.1
7.1
EPSS
1.9%
CVE-2019-11677 CRITICAL Act Now

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Firewall Analyzer
NVD
CVSS 3.0
9.8
EPSS
9.4%
CVE-2019-10309 Maven CRITICAL Act Now

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Self Organizing Swarm Modules
NVD
CVSS 3.0
9.3
EPSS
1.8%
CVE-2019-11519 MEDIUM POC PATCH This Month

Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Nopcommerce
NVD GitHub
CVSS 3.0
4.9
EPSS
1.2%
CVE-2019-8999 HIGH PATCH This Week

An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Unified Endpoint Management
NVD
CVSS 3.0
7.5
EPSS
1.5%
CVE-2019-0228 Maven CRITICAL PATCH Act Now

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Apache Pdfbox James Fedora +11
NVD
CVSS 3.1
9.8
EPSS
9.5%
CVE-2019-0284 MEDIUM This Month

SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

XXE SAP Hana
NVD
CVSS 3.0
6.0
EPSS
0.4%
CVE-2019-0795 HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE Windows 10 Windows 7 +6
NVD
CVSS 3.0
8.8
EPSS
21.3%
CVE-2019-0793 HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE Windows 10 Windows 7 +6
NVD
CVSS 3.0
8.8
EPSS
17.2%
CVE-2019-0792 HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE Windows 10 Windows 7 +6
NVD
CVSS 3.0
8.8
EPSS
17.2%
CVE-2019-0791 HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE Windows 10 Windows 7 +6
NVD
CVSS 3.0
8.8
EPSS
17.2%
CVE-2019-0790 HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE Windows 10 Windows 7 +5
NVD
CVSS 3.0
8.8
EPSS
16.2%
CVE-2019-10244 HIGH This Week

In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Kura
NVD
CVSS 3.0
7.5
EPSS
1.8%
CVE-2019-0756 HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE Windows 10 Windows 7 +6
NVD
CVSS 3.0
8.8
EPSS
12.5%
CVE-2019-4043 HIGH PATCH This Week

IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Sterling B2b Integrator
NVD
CVSS 3.1
7.1
EPSS
2.5%
CVE-2019-3481 HIGH This Week

Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Arcsight Logger
NVD
CVSS 3.0
7.1
EPSS
1.7%
CVE-2019-8997 MEDIUM This Month

An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Athoc
NVD
CVSS 3.0
5.9
EPSS
2.3%
CVE-2019-9761 HIGH POC This Week

An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Phpshe
NVD
CVSS 3.0
7.5
EPSS
1.7%
CVE-2019-5918 CRITICAL Act Now

Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Nablarch
NVD
CVSS 3.0
9.1
EPSS
1.9%
CVE-2019-0277 MEDIUM This Month

SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Hana Extended Application Services
NVD
CVSS 3.0
6.5
EPSS
2.1%
CVE-2019-0271 MEDIUM This Month

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Advanced Business Application Programming Platform Advanced Business Application Programming Server Sap Kernel
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2019-9658 Maven MEDIUM PATCH This Month

Checkstyle before 8.18 loads external DTDs by default. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Checkstyle Debian Linux Fedora
NVD GitHub
CVSS 3.0
5.3
EPSS
3.7%
CVE-2019-1698 MEDIUM This Month

A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cisco Iot Field Network Director
NVD
CVSS 3.0
4.9
EPSS
3.1%
CVE-2019-0265 MEDIUM This Month

SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Advanced Business Application Programming Platform Kernel Advanced Business Application Programming Platform Krnl32Nuc Advanced Business Application Programming Platform Krnl32Uc Advanced Business Application Programming Platform Krnl64Nuc +1
NVD
CVSS 3.0
4.9
EPSS
2.1%
CVE-2019-7722 Maven HIGH POC PATCH This Week

PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

XXE Denial Of Service Information Disclosure Pmd
NVD GitHub
CVSS 3.0
8.1
EPSS
1.2%
CVE-2019-1003015 Maven CRITICAL PATCH Act Now

An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Denial Of Service Jenkins Job Import
NVD
CVSS 3.0
9.1
EPSS
1.8%
CVE-2019-3774 Maven CRITICAL PATCH Act Now

Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Spring Batch
NVD
CVSS 3.0
9.8
EPSS
3.0%
CVE-2019-3773 Maven CRITICAL PATCH Act Now

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Web Services Financial Services Analytical Applications Infrastructure Flexcube Private Banking
NVD
CVSS 3.1
9.8
EPSS
4.1%
CVE-2019-3772 Maven CRITICAL PATCH Act Now

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Integration Retail Customer Management And Segmentation Foundation
NVD
CVSS 3.0
9.8
EPSS
3.0%
CVE-2019-5748 CRITICAL PATCH Act Now

In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Server
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2019-5312 Maven CRITICAL POC PATCH Act Now

An issue was discovered in weixin-java-tools v3.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Wxjava
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2018-1000889 HIGH PATCH This Week

Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Logisim Evolution
NVD GitHub
CVSS 3.0
8.8
EPSS
1.5%
CVE-2018-7837 HIGH This Week

An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Iiot Monior
NVD
CVSS 3.0
7.5
EPSS
1.2%
CVE-2018-20433 Maven CRITICAL PATCH Act Now

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE C3P0 Debian Linux
NVD GitHub
CVSS 3.0
9.8
EPSS
4.6%
CVE-2018-20318 CRITICAL POC Act Now

An issue was discovered in weixin-java-tools v3.2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Wxjava
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2018-17247 Maven MEDIUM PATCH This Month

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Elastic Java XXE Elasticsearch
NVD
CVSS 3.0
5.9
EPSS
1.4%
CVE-2018-1000844 Maven CRITICAL PATCH Act Now

Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Retrofit
NVD GitHub
CVSS 3.0
9.1
EPSS
2.2%
CVE-2018-1000840 MEDIUM POC This Month

Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Processing
NVD GitHub
CVSS 3.0
6.5
EPSS
2.2%
CVE-2018-1000838 CRITICAL Act Now

autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Autopsy
NVD GitHub
CVSS 3.0
10.0
EPSS
2.5%
CVE-2018-1000837 CRITICAL Act Now

UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Uml Designer
NVD GitHub
CVSS 3.1
10.0
EPSS
1.8%
CVE-2018-1000836 Maven CRITICAL Act Now

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Bw Calendar Engine
NVD GitHub
CVSS 3.0
9.0
EPSS
1.1%
CVE-2018-1000835 CRITICAL Act Now

KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Keepass Dx
NVD GitHub
CVSS 3.1
10.0
EPSS
1.8%
CVE-2018-1000834 CRITICAL Act Now

runelite version <= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Runelite
NVD GitHub
CVSS 3.0
9.0
EPSS
1.4%
CVE-2018-1000831 CRITICAL Act Now

K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF K 9 Mail
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-1000830 CRITICAL Act Now

XR3Player version <= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Xr3Player
NVD GitHub
CVSS 3.0
10.0
EPSS
1.5%
CVE-2018-1000829 CRITICAL Act Now

Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service,. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Anyplace
NVD GitHub
CVSS 3.0
9.0
EPSS
1.3%
CVE-2018-1000828 CRITICAL Act Now

FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Frostwire
NVD GitHub
CVSS 3.1
9.0
EPSS
1.3%
CVE-2018-1000825 CRITICAL Act Now

FreeCol version <= nightly-2018-08-22 contains a XML External Entity (XXE) vulnerability in FreeColXMLReader parser that can result in Disclosure of confidential data, denial of service, SSRF, port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Freecol
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-1000823 Maven CRITICAL PATCH Act Now

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Exist
NVD GitHub
CVSS 3.1
10.0
EPSS
1.9%
CVE-2018-1000822 Maven CRITICAL PATCH Act Now

codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE SSRF Fess
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-1000821 CRITICAL Act Now

MicroMathematics version before commit 5c05ac8 contains a XML External Entity (XXE) vulnerability in SMathStudio files that can result in Disclosure of confidential data, denial of service, SSRF,. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Micromathematics
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-1000820 Maven CRITICAL POC PATCH Act Now

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE SSRF Awesome Procedures On Cyper
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-20298 MEDIUM This Month

S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE S3 Browser
NVD
CVSS 3.0
6.5
EPSS
1.4%
CVE-2018-20157 HIGH POC This Week

The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Openrefine
NVD GitHub
CVSS 3.0
7.5
EPSS
1.7%
CVE-2018-1821 CRITICAL POC THREAT Act Now

IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

IBM XXE Operational Decision Manager
NVD Exploit-DB
CVSS 3.0
9.1
EPSS
15.8%
CVE-2018-2492 HIGH This Week

SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver Application Server Java
NVD
CVSS 3.1
7.1
EPSS
1.1%
CVE-2018-20059 Maven CRITICAL POC PATCH Act Now

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Pippo
NVD GitHub
CVSS 3.0
9.8
EPSS
1.5%
CVE-2018-15805 CRITICAL Act Now

Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Prizmdoc
NVD
CVSS 3.0
9.1
EPSS
1.6%
CVE-2018-20000 Maven HIGH PATCH This Week

Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Bw Webdav
NVD GitHub
CVSS 3.0
7.5
EPSS
1.7%
CVE-2018-7063 HIGH This Week

In Aruba ClearPass, disabled API admins can still perform read/write operations. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Aruba XXE Authentication Bypass Clearpass Policy Manager
NVD
CVSS 3.0
8.1
EPSS
0.9%
CVE-2018-1920 HIGH This Week

IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Marketing Platform
NVD
CVSS 3.0
7.1
EPSS
2.4%
CVE-2018-1424 HIGH This Week

IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Marketing Platform
NVD
CVSS 3.0
7.1
EPSS
2.4%
CVE-2018-15362 CRITICAL Act Now

XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Cimplicity
NVD
CVSS 3.0
9.1
EPSS
2.7%
CVE-2018-16792 CRITICAL Act Now

SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Sftp Scp Server
NVD
CVSS 3.1
9.1
EPSS
1.4%
CVE-2018-1730 HIGH This Week

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Qradar Security Information And Event Manager
NVD
CVSS 3.0
7.1
EPSS
1.9%
EPSS 2% CVSS 7.1
HIGH This Week

IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM I2 Intelligent Analysis Platform
NVD
EPSS 13% CVSS 7.5
HIGH POC THREAT This Week

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Cloud Backup Suite
NVD Exploit-DB
EPSS 1% CVSS 7.2
HIGH POC This Week

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Cloud Backup Suite
NVD
EPSS 16% CVSS 9.8
CRITICAL PATCH Act Now

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Quartz +30
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC Act Now

Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF RCE +1
NVD Exploit-DB
EPSS 1% CVSS 5.5
MEDIUM This Month

Mitsubishi Electric FR Configurator2, Version 1.16S and prior. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Electric Fr Configurator2 Firmware
NVD
EPSS 4% CVSS 4.2
MEDIUM POC PATCH This Month

Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. Public exploit code available.

XXE Oracle Hyperion Planning
NVD Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Jeesite 1.2.7 is affected by: XML External Entity (XXE). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Information Disclosure +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH This Week

Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Adobe Campaign
NVD
EPSS 6% CVSS 9.8
CRITICAL POC PATCH Act Now

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Information Disclosure Ladon
NVD Exploit-DB
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Ghidra
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Mailenable
NVD
EPSS 24% CVSS 7.5
HIGH POC THREAT This Week

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Opencats
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.1
HIGH This Week

LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Lemonldap Debian Linux
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle Maven
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Blogengine Net
NVD
EPSS 3% CVSS 7.5
HIGH POC This Week

BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Blogengine Net
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Cisco +1
NVD
EPSS 13% CVSS 4.7
MEDIUM POC PATCH THREAT This Month

An information disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft Information Disclosure +8
NVD Exploit-DB
EPSS 2% CVSS 9.1
CRITICAL Act Now

XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Denial Of Service Pdfreactor
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Jenkins +1
NVD
EPSS 4% CVSS 7.5
HIGH This Week

Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Dell Emc Openmanage Server Administrator
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SSRF Jenkins +1
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Apache Camel +4
NVD GitHub
EPSS 40% CVSS 9.8
CRITICAL POC THREAT Act Now

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Hashicorp Enterprise Password Vault
NVD Exploit-DB
EPSS 2% CVSS 7.1
HIGH PATCH This Week

IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Tririga Application Platform
NVD
EPSS 9% CVSS 9.8
CRITICAL Act Now

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Firewall Analyzer
NVD
EPSS 2% CVSS 9.3
CRITICAL Act Now

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XXE Jenkins Self Organizing Swarm Modules
NVD
EPSS 1% CVSS 4.9
MEDIUM POC PATCH This Month

Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XXE Nopcommerce
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Unified Endpoint Management
NVD
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Apache Pdfbox +13
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

XXE SAP Hana
NVD
EPSS 21% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE +8
NVD
EPSS 17% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE +8
NVD
EPSS 17% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE +8
NVD
EPSS 17% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE +8
NVD
EPSS 16% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE +7
NVD
EPSS 2% CVSS 7.5
HIGH This Week

In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Kura
NVD
EPSS 12% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Microsoft RCE +8
NVD
EPSS 2% CVSS 7.1
HIGH PATCH This Week

IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE IBM Sterling B2b Integrator
NVD
EPSS 2% CVSS 7.1
HIGH This Week

Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Arcsight Logger
NVD
EPSS 2% CVSS 5.9
MEDIUM This Month

An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Athoc
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Phpshe
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Nablarch
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Hana Extended Application Services
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does not sufficiently validate an XML document accepted from an untrusted source, leading to an XML External Entity (XEE). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Advanced Business Application Programming Platform +2
NVD
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

Checkstyle before 8.18 loads external DTDs by default. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Checkstyle Debian Linux +1
NVD GitHub
EPSS 3% CVSS 4.9
MEDIUM This Month

A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Cisco Iot Field Network Director
NVD
EPSS 2% CVSS 4.9
MEDIUM This Month

SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Advanced Business Application Programming Platform Kernel Advanced Business Application Programming Platform Krnl32Nuc +3
NVD
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

XXE Denial Of Service Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Denial Of Service +2
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Spring Batch
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Web Services +2
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Spring Integration +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Java Server
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in weixin-java-tools v3.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Wxjava
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Logisim Evolution
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

An Improper Restriction of XML External Entity Reference ('XXE') vulnerability exists on numerous methods of the IIoT Monitor 3.1.38 software that could allow the software to resolve documents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Iiot Monior
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE C3P0 +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in weixin-java-tools v3.2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Wxjava
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Elastic Java XXE +1
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Retrofit
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC This Month

Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Processing
NVD GitHub
EPSS 3% CVSS 10.0
CRITICAL Act Now

autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL Act Now

UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL Act Now

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL Act Now

KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL Act Now

runelite version <= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL Act Now

K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

XR3Player version <= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL Act Now

Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service,. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL Act Now

FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL Act Now

FreeCol version <= nightly-2018-08-22 contains a XML External Entity (XXE) vulnerability in FreeColXMLReader parser that can result in Disclosure of confidential data, denial of service, SSRF, port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL Act Now

MicroMathematics version before commit 5c05ac8 contains a XML External Entity (XXE) vulnerability in SMathStudio files that can result in Disclosure of confidential data, denial of service, SSRF,. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL POC PATCH Act Now

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE SSRF +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE S3 Browser
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Openrefine
NVD GitHub
EPSS 16% CVSS 9.1
CRITICAL POC THREAT Act Now

IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

IBM XXE Operational Decision Manager
NVD Exploit-DB
EPSS 1% CVSS 7.1
HIGH This Week

SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE SAP Netweaver Application Server Java
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java XXE Pippo
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL Act Now

Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML external entity (XXE) vulnerability, allowing an attacker to read arbitrary files or cause a denial of service (resource. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Prizmdoc
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Bw Webdav
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

In Aruba ClearPass, disabled API admins can still perform read/write operations. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Aruba XXE Authentication Bypass +1
NVD
EPSS 2% CVSS 7.1
HIGH This Week

IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Marketing Platform
NVD
EPSS 2% CVSS 7.1
HIGH This Week

IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Marketing Platform
NVD
EPSS 3% CVSS 9.1
CRITICAL Act Now

XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Cimplicity
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Sftp Scp Server
NVD
EPSS 2% CVSS 7.1
HIGH This Week

IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XXE Qradar Security Information And Event Manager
NVD
Prev Page 9 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy