Show CWE-611: Information Exposure Through XML External Entity Reference - CXSecurity.com

	Topic	Date	Author
High	SAP JAVA NetWeaver System Connections XML Injection	23.10.2021	Pablo Artuso
Med.	OX App Suite 7.8.4 XSS / XML Injection / Information Disclosure	02.07.2018	Secator
High	Agorum Core Pro 7.8.1.4-251 XXE Injection	14.04.2017	Dr. Erlijn van Genucht...
High	USB Pratirodh XXE Injection	17.03.2017	Sachin Wagh
High	SAP NetWeaver 7.4 XXE Injection	24.11.2015	Roman Bezhan
High	Oracle E-Business Suite 12.1.3 XXE Injection	30.10.2015	erpscan
High	SAP Mobile Platform 3 XXE Injection	10.09.2015	Vahagn Vardanyan
High	Qlikview 11.20 SR4 Blind XXE Injection	09.09.2015	Alex Haynes
High	SAP NetWeaver Portal XMLValidationComponent XXE	25.06.2015	Vahagn Vardanyan
Med.	JobScheduler XML eXternal Entity Injection	09.09.2014	Christian Schneider

CVEMAP Search Results

CVE

Details

Description

2023-03-21

	CVE-2023-27874	Updating...	IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845.
	CVE-2022-41696	Updating...	Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
	CVE-2018-25082	Updating...	A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.
	CVE-2022-46300	Updating...	Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
	CVE-2022-46286	Updating...	Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
	CVE-2022-45468	Updating...	Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
	CVE-2022-45121	Updating...	Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

2023-03-14

Waiting for details

CVE-2023-26461

Updating...

SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges.

2023-03-08

Waiting for details

CVE-2023-27476

Updating...

OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.

2023-03-07

Waiting for details

CVE-2023-27480

Updating...

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually.

Copyright 2023, cxsecurity.com