VYPR

CWE-611

Improper Restriction of XML External Entity Reference

BaseDraft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 24 of 35
  • CVE-2023-48362Jul 24, 2024
    risk 0.00cvss epss 0.01

    XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.

  • CVE-2024-36827Jun 7, 2024
    risk 0.00cvss epss 0.01

    An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

  • CVE-2024-37388Jun 7, 2024
    risk 0.00cvss epss 0.01

    An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

  • CVE-2022-47894Apr 9, 2024
    risk 0.00cvss epss 0.01

    Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict…

  • CVE-2023-50380Feb 27, 2024
    risk 0.00cvss epss 0.01

    XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from…

  • CVE-2024-25606Feb 20, 2024
    risk 0.00cvss epss 0.01

    XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to…

  • CVE-2023-45139Jan 10, 2024
    risk 0.00cvss epss 0.01

    fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed.…

  • CVE-2023-6149Jan 9, 2024
    risk 0.00cvss epss 0.00

    Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or…

  • CVE-2023-6147Jan 9, 2024
    risk 0.00cvss epss 0.01

    Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to…

  • CVE-2023-6836Dec 15, 2023
    risk 0.00cvss epss 0.00

    Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

  • CVE-2023-49733Nov 30, 2023
    risk 0.00cvss epss 0.01

    Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

  • CVE-2023-49656Nov 29, 2023
    risk 0.00cvss epss 0.01

    Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-46502Oct 30, 2023
    risk 0.00cvss epss 0.01

    An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory.

  • CVE-2022-4245Sep 25, 2023
    risk 0.00cvss epss 0.01

    A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

  • CVE-2023-41933Sep 6, 2023
    risk 0.00cvss epss 0.01

    Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-41932Sep 6, 2023
    risk 0.00cvss epss 0.01

    Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file…

  • CVE-2023-41034Aug 31, 2023
    risk 0.00cvss epss 0.01

    Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to `XXE Attacks`. A DDF file is a LWM2M format used to store LWM2M object description. Leshan…

  • CVE-2023-24620Aug 25, 2023
    risk 0.00cvss epss 0.00

    An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is…

  • CVE-2022-46751Aug 21, 2023
    risk 0.00cvss epss 0.02

    Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own…

  • CVE-2023-0871Aug 11, 2023
    risk 0.00cvss epss 0.00

    XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external…