CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
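As an added example (not code from the CWE entry or from any product listed on this page), the Python script below reproduces the CWE-611 condition with the standard library's SAX parser: one constructed XXE payload is parsed twice, first with external general entities enabled, then with the hardened setting, and the text that lands inside the application's `<secret>` element is returned for comparison. The temporary file, its `db_password=hunter2` content, the `config`/`secret` element names and the `xxe` entity name are all constructed for the demonstration.

```python
"""Added example: XXE via the CPython xml.sax parser, vulnerable vs. hardened.
Not code from the CWE entry or any vendor listed on the page. The file name,
element names and secret content are constructed assumptions."""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class SecretFieldHandler(ContentHandler):
    """Collects the character data that ends up inside <secret>...</secret>."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "secret":
            self._inside = True

    def endElement(self, name):
        if name == "secret":
            self._inside = False

    def characters(self, content):
        # Text spliced in from an expanded external entity arrives through the
        # same callback as ordinary element text, so the application cannot
        # tell the two apart after parsing.
        if self._inside:
            self.parts.append(content)


def read_secret_field(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse the document and return the text found inside <secret>.

    resolve_external_entities=True is the CWE-611 condition: the parser fetches
    the SYSTEM identifier of any external general entity and embeds the fetched
    bytes in the document. False is the hardened setting (also the CPython
    default since 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = SecretFieldHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def build_xxe_payload(target_uri: str) -> bytes:
    """Classic in-band XXE: declare an external entity for the target resource
    and reference it where the application reflects the value."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE config [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<config><secret>&xxe;</secret></config>\n"
    ).encode()


def demo() -> tuple:
    """Write a constructed 'sensitive' file, aim the payload at it, and parse
    with both configurations. Returns (vulnerable_result, hardened_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = pathlib.Path(tmp) / "app.conf"
        secret_path.write_text("db_password=hunter2\n")    # constructed content
        payload = build_xxe_payload(secret_path.as_uri())  # file:///.../app.conf
        leaked = read_secret_field(payload, resolve_external_entities=True)
        blocked = read_secret_field(payload, resolve_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities enabled :", repr(leaked))   # file contents
    print("external entities disabled:", repr(blocked))  # empty string
```

With external entities enabled the `<secret>` field comes back holding the file contents; with them disabled the reference expands to nothing and no error is raised, which is the behaviour a hardened service should show. The same knob exists in the other parsers behind the CVEs listed below: in Java, `DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` rejects the DOCTYPE outright, and in .NET `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit` does the same. The example only exercises in-band file disclosure; the out-of-band parameter-entity and entity-expansion denial-of-service variants named in several of the entries below are not triggered by it.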
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
Page 11 of 35

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17762 | — | High | 0.49 | 7.5 | 0.05 | — | Aug 29, 2018 | XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx. |
| CVE-2018-12408 | — | High | 0.49 | 7.5 | 0.02 | — | Aug 8, 2018 | The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE)… |
| CVE-2017-8316 | — | High | 0.49 | 7.5 | 0.02 | — | Aug 3, 2018 | IntelliJ IDEA XML parser was found vulnerable to an XML External Entity attack; an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml. |
| CVE-2018-13439 | — | High | 0.49 | 7.5 | 0.02 | — | Jul 8, 2018 | WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL. |
| CVE-2018-7783 | — | High | 0.49 | 7.5 | 0.02 | — | Jul 3, 2018 | Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is… |
| CVE-2018-1000515 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 26, 2018 | ventrian News-Articles version NewsArticles.00.09.11 contains an XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb; an attacker can read any file on the server or use an SMB relay attack to access the server. |
| CVE-2018-8819 | — | High | 0.49 | 7.5 | 0.03 | — | Jun 14, 2018 | An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying… |
| CVE-2018-4942 | — | High | 0.49 | 7.5 | 0.04 | — | May 19, 2018 | Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disclosure. |
| CVE-2018-1259 | — | High | 0.49 | 7.5 | 0.05 | — | May 11, 2018 | Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does… |
| CVE-2018-0765 | — | High | 0.49 | 7.5 | 0.08 | — | May 9, 2018 | A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET… |
| CVE-2017-8315 | — | High | 0.49 | 7.5 | 0.02 | — | Apr 20, 2018 | Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml. |
| CVE-2018-1077 | — | High | 0.49 | 7.5 | 0.01 | — | Mar 14, 2018 | Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server. |
| CVE-2018-1000090 | — | High | 0.49 | 7.5 | 0.01 | — | Mar 13, 2018 | textpattern version 4.6.2 contains an XML Injection vulnerability in the Import XML feature that can result in denial of service in the context of the web server by exhausting server memory resources. This attack appears to be exploitable via uploading a specially crafted XML file. |
| CVE-2018-5789 | — | High | 0.49 | 7.5 | 0.01 | — | Feb 5, 2018 | An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface. |
| CVE-2017-1000477 | — | High | 0.49 | 7.5 | 0.01 | — | Jan 3, 2018 | XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks. |
| CVE-2017-11286 | — | High | 0.49 | 7.5 | 0.08 | — | Dec 1, 2017 | Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11. |
| CVE-2017-14868 | — | High | 0.49 | 7.5 | 0.03 | — | Nov 30, 2017 | Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension. |
| CVE-2010-2245 | — | High | 0.49 | 7.4 | 0.12 | — | Aug 8, 2017 | XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document. |
| CVE-2017-11390 | — | High | 0.49 | 7.5 | 0.02 | — | Aug 2, 2017 | XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706. |
| CVE-2017-9233 | — | High | 0.49 | 7.5 | 0.09 | — | Jul 25, 2017 | XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. |