VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Base | Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 11 of 35
  • CVE-2017-17762 | High | Aug 29, 2018
    risk 0.49 | cvss 7.5 | epss 0.05

    XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.

  • CVE-2018-12408 | High | Aug 8, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE)…

  • CVE-2017-8316 | High | Aug 3, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack; an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.

  • CVE-2018-13439 | High | Jul 8, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL.

  • CVE-2018-7783 | High | Jul 3, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is…

  • CVE-2018-1000515 | High | Jun 26, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    ventrian News-Articles version NewsArticles.00.09.11 contains an XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb that can result in an attacker being able to read any file on the server or use an smbrelay attack to access the server.

  • CVE-2018-8819 | High | Jun 14, 2018
    risk 0.49 | cvss 7.5 | epss 0.03

    An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying…

  • CVE-2018-4942 | High | May 19, 2018
    risk 0.49 | cvss 7.5 | epss 0.04

    Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Unsafe XML External Entity Processing vulnerability. Successful exploitation could lead to information disclosure.

  • CVE-2018-1259 | High | May 11, 2018
    risk 0.49 | cvss 7.5 | epss 0.05

    Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does…

  • CVE-2018-0765 | High | May 9, 2018
    risk 0.49 | cvss 7.5 | epss 0.08

    A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET…

  • CVE-2017-8315 | High | Apr 20, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml.

  • CVE-2018-1077 | High | Mar 14, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server.

  • CVE-2018-1000090 | High | Mar 13, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    textpattern version 4.6.2 contains an XML Injection vulnerability in the Import XML feature that can result in denial of service in the context of the web server by exhausting server memory resources. This attack appears to be exploitable via uploading a specially crafted XML file.

  • CVE-2018-5789 | High | Feb 5, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface.

  • CVE-2017-1000477 | High | Jan 3, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.

  • CVE-2017-11286 | High | Dec 1, 2017
    risk 0.49 | cvss 7.5 | epss 0.08

    Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

  • CVE-2017-14868 | High | Nov 30, 2017
    risk 0.49 | cvss 7.5 | epss 0.03

    Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.

  • CVE-2010-2245 | High | Aug 8, 2017
    risk 0.49 | cvss 7.4 | epss 0.12

    XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.

  • CVE-2017-11390 | High | Aug 2, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.

  • CVE-2017-9233 | High | Jul 25, 2017
    risk 0.49 | cvss 7.5 | epss 0.09

    XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.