CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-611

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-44147 611 2021-11-22 2021-11-23
4.3
None Remote Medium Not required Partial None None
An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks.
2 CVE-2021-43577 611 2021-11-12 2021-11-17
5.5
None Remote Low ??? Partial Partial None
Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
3 CVE-2021-43576 611 2021-11-12 2021-11-17
4.3
None Remote Medium Not required Partial None None
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
4 CVE-2021-41770 611 2021-10-07 2021-10-15
5.0
None Remote Low Not required Partial None None
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
5 CVE-2021-41098 611 2021-09-27 2021-10-06
5.0
None Remote Low Not required Partial None None
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
6 CVE-2021-40500 611 2021-10-12 2021-10-18
5.0
None Remote Low Not required Partial None None
SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server.
7 CVE-2021-40439 611 DoS 2021-10-07 2021-10-15
4.3
None Remote Medium Not required None None Partial
Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice up to 4.1.10 are subject to this issue. expat in version 4.1.11 is patched.
8 CVE-2021-40356 611 2021-09-14 2021-09-28
5.0
None Remote Low Not required Partial None None
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
9 CVE-2021-39371 611 2021-08-23 2021-09-14
5.0
None Remote Low Not required Partial None None
An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
10 CVE-2021-39239 611 2021-09-16 2021-09-27
5.0
None Remote Low Not required Partial None None
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
11 CVE-2021-38584 611 2021-08-11 2021-08-20
6.5
None Remote Low ??? Partial Partial Partial
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
12 CVE-2021-38555 611 2021-09-11 2021-09-23
6.4
None Remote Low Not required Partial Partial None
An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
13 CVE-2021-38298 611 2021-10-07 2021-10-15
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
14 CVE-2021-37425 611 2021-08-10 2021-08-18
6.4
None Remote Low Not required Partial None Partial
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
15 CVE-2021-37178 611 2021-08-10 2021-08-20
4.3
None Remote Medium Not required Partial None None
A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). An XML external entity injection vulnerability in the underlying XML parser could cause the affected application to disclose arbitrary files to remote attackers by loading a specially crafted xml file.
16 CVE-2021-36172 611 DoS 2021-11-02 2021-11-04
6.4
None Remote Low Not required Partial None Partial
An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents.
17 CVE-2021-35496 611 2021-10-12 2021-11-23
6.0
None Remote Medium ??? Partial Partial Partial
The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to interfere with XML processing in the affected component. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.2.1 and below, TIBCO JasperReports Server: versions 7.5.0 and 7.5.1, TIBCO JasperReports Server: version 7.8.0, TIBCO JasperReports Server: version 7.9.0, TIBCO JasperReports Server - Community Edition: versions 7.8.0 and below, TIBCO JasperReports Server - Developer Edition: versions 7.9.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and below, and TIBCO JasperReports Server for Microsoft Azure: version 7.8.0.
18 CVE-2021-35201 611 2021-09-30 2021-10-04
4.3
None Remote Medium Not required Partial None None
NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks.
19 CVE-2021-35066 611 2021-06-21 2021-06-28
7.5
None Remote Low Not required Partial Partial Partial
An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.
20 CVE-2021-34823 611 2021-08-13 2021-08-31
6.4
None Remote Low Not required Partial Partial None
The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a remote user sends a crafted HTTP request to the server, it triggers a code path that will download a configuration file from a specified remote machine over HTTP. There is an XXE flaw in processing of this configuration file that allows reading local (to macOS) files and uploading them to remote machines.
21 CVE-2021-34706 611 2021-10-06 2021-10-14
5.5
None Remote Low ??? Partial Partial None
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker.
22 CVE-2021-33813 611 DoS 2021-06-16 2021-11-23
5.0
None Remote Low Not required None None Partial
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
23 CVE-2021-32972 611 2021-07-09 2021-07-13
4.3
None Remote Medium Not required Partial None None
Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software.
24 CVE-2021-32754 611 2021-07-12 2021-07-15
3.5
None Remote Medium ??? Partial None None
FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from external locations. In order for this to occur, the XML-based format for sources and sinks had to be used and the attacker had to able control the source/sink definition file. The vulnerability was patched in version 2.9.0. As a workaround, do not allow untrusted entities to control the source/sink definition file.
25 CVE-2021-31842 611 DoS 2021-09-17 2021-09-30
2.1
None Local Low Not required None None Partial
XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.
26 CVE-2021-30201 611 2021-07-09 2021-07-12
6.5
None Remote Low ??? Partial Partial Partial
An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6.
27 CVE-2021-30137 611 2021-09-15 2021-09-28
6.4
None Remote Low Not required Partial None Partial
Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points.
28 CVE-2021-30006 611 2021-05-11 2021-05-17
5.0
None Remote Low Not required Partial None None
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.
29 CVE-2021-29831 611 2021-09-21 2021-09-29
5.5
None Remote Low ??? Partial None Partial
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775.
30 CVE-2021-29620 611 2021-06-23 2021-06-30
5.0
None Remote Low Not required Partial None None
Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery. This will be resolved in the 5.4.0 release.
31 CVE-2021-29447 611 2021-04-15 2021-09-20
4.0
None Remote Low ??? Partial None None
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
32 CVE-2021-29421 611 2021-04-01 2021-06-02
5.0
None Remote Low Not required Partial None None
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.
33 CVE-2021-28965 611 2021-04-21 2021-06-02
5.0
None Remote Low Not required None Partial None
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
34 CVE-2021-28684 611 2021-06-21 2021-06-23
4.3
None Remote Medium Not required Partial None None
The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack).
35 CVE-2021-28110 611 2021-03-19 2021-03-25
5.0
None Remote Low Not required None None Partial
/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.
36 CVE-2021-27931 611 DoS 2021-03-03 2021-03-10
6.4
None Remote Low Not required Partial None Partial
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
37 CVE-2021-27741 611 2021-08-13 2021-08-24
6.4
None Remote Low Not required Partial None Partial
" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection"
38 CVE-2021-27736 611 2021-04-22 2021-04-27
4.0
None Remote Low ??? Partial None None
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
39 CVE-2021-27635 611 2021-06-09 2021-11-04
5.5
None Remote Low ??? Partial None Partial
SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity.
40 CVE-2021-27604 611 2021-04-14 2021-08-27
4.0
None Remote Low ??? Partial None None
In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refer this note.
41 CVE-2021-27492 611 2021-05-27 2021-06-09
4.3
None Remote Medium Not required Partial None None
When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external DTD.
42 CVE-2021-27184 611 2021-02-11 2021-02-17
5.0
None Remote Low Not required Partial None None
Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed.
43 CVE-2021-26969 611 DoS 2021-03-05 2021-03-11
5.5
None Remote Low ??? Partial None Partial
A remote authenticated authenticated xml external entity (xxe) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability exists in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.
44 CVE-2021-26703 611 Exec Code 2021-03-01 2021-03-04
7.5
None Remote Low Not required Partial Partial Partial
EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI.
45 CVE-2021-25951 611 DoS 2021-06-30 2021-07-06
5.0
None Remote Low Not required None None Partial
XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.
46 CVE-2021-25163 611 2021-04-29 2021-05-03
5.5
None Remote Low ??? Partial None Partial
A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
47 CVE-2021-23901 611 2021-01-25 2021-05-17
6.4
None Remote Low Not required Partial Partial None
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.
48 CVE-2021-23899 611 2021-01-13 2021-01-19
7.5
None Remote Low Not required Partial Partial Partial
OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.
49 CVE-2021-23418 611 2021-07-29 2021-08-05
7.5
None Remote Low Not required Partial Partial Partial
The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
50 CVE-2021-22523 611 2021-07-22 2021-08-02
6.8
None Remote Medium Not required Partial Partial Partial
XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. The vulnerability could allow the control of web browser and hijacking user sessions.
Total number of vulnerabilities : 656   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.