VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base, Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 26 of 35
  • CVE-2023-24187 (Feb 14, 2023)
    risk 0.00, cvss n/a, epss 0.01

    An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile.

  • CVE-2023-22832 (Feb 10, 2023)
    risk 0.00, cvss n/a, epss 0.01

    The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with…

  • CVE-2023-24430 (Jan 24, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-24443 (Jan 24, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-24429 (Jan 24, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file…

  • CVE-2023-24441 (Jan 24, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-47950 (Jan 18, 2023)
    risk 0.00, cvss n/a, epss 0.01

    An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to…

  • CVE-2015-10029 (Jan 7, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file simplexrd/simplexrd.class.php. The manipulation leads to xml external entity reference. Upgrading to version 3.1.1 is able to address this…

  • CVE-2016-15011 (Jan 6, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external…

  • CVE-2020-36641 (Jan 5, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml external entity reference. Upgrading to…

  • CVE-2020-36640 (Jan 5, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException of the file src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java. The manipulation…

  • CVE-2017-20151 (Dec 30, 2022)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The patch is identified as…

  • CVE-2022-46682 (Dec 7, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45386 (Nov 15, 2022)
    risk 0.00, cvss n/a, epss 0.00

    Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45395 (Nov 15, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45397 (Nov 15, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins OSF Builder Suite :: XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45400 (Nov 15, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-45396 (Nov 15, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-43689 (Nov 14, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE-based DNS requests leading to IP disclosure.

  • CVE-2022-43415 (Oct 19, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.