CVE Daily
← All tags

Tag: XML External Entity (XXE)

All CVEs associated with "XML External Entity (XXE)". Page 10/11 • 1285 CVEs.

Subscribe CVEs: RSS for “XML External Entity (XXE)”  ·  RSS (High+Critical only)

About “XML External Entity (XXE)”

A curated feed of “XML External Entity (XXE)”-related CVEs appears below. We currently track 1285 CVEs for this tag (all time). In the last 365 days, 115 were published. Average CVSS is 7.3 (all time; 7.0 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-611 - Improper Restriction of XML External Entity Reference, CWE-610 - Externally Controlled Reference to a Resource in Another Sphere, CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion').

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2016-11-23
Medium

CVE-2016-9563

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Se…

CVSS: 6.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-11-16
Medium

CVE-2016-9318

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened,…

CVSS: 5.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-10-03
Critical

CVE-2015-1832

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary fil…

CVSS: 9.1 CWE: CWE-399 View on NVD
2016-09-26
High

CVE-2016-5971

IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x before 2.0.2 FP8 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via…

CVSS: 7.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-09-24
High

CVE-2016-6408

Cisco Prime Home 5.2.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML Externa…

CVSS: 7.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-09-07
Medium

CVE-2016-6898

XML external entity (XXE) vulnerability in the Hyper Management Module (HMM) in Huawei E9000 rack servers with software before V100R001C00SPC296 allows remote authenticated users to read arbitrary fi…

CVSS: 6.6 CWE: CWE-284 - Improper Access Control View on NVD
2016-09-01
High

CVE-2016-4264

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a craf…

CVSS: 8.6 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-08-05
Medium

CVE-2016-5000

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity r…

CVSS: 5.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-07-17
High

CVE-2016-3039

IBM Traveler 8.x and 9.x before 9.0.1.12 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via XML data containing an external entity declara…

CVSS: 8.1 CWE: N/A View on NVD
2016-07-13
High

CVE-2016-4216

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, rela…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2016-3255

Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entit…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-07-02
Low

CVE-2016-2868

IBM Security QRadar SIEM 7.2.x before 7.2.7 allows remote authenticated administrators to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity ref…

CVSS: 2.7 CWE: N/A View on NVD
2016-06-29
High

CVE-2015-8698

CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026 allows remote attackers to read arbitrary…

CVSS: 7.1 CWE: N/A View on NVD
2016-06-10
Critical

CVE-2016-3720

XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.

CVSS: 9.8 CWE: N/A View on NVD
2016-06-09
High

CVE-2016-4449

XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitra…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2016-06-01
High

CVE-2016-2175

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2016-0288

IBM Security AppScan Standard 8.7.x, 8.8.x, and 9.x before 9.0.3.2 and Security AppScan Enterprise allow remote authenticated users to read arbitrary files via an XML document containing an external…

CVSS: 6.5 CWE: N/A View on NVD
2016-05-22
Critical

CVE-2015-8866

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote att…

CVSS: 9.6 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-05-17
High

CVE-2016-3674

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStre…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-04-30
Critical

CVE-2016-1343

The XML parser in Cisco Information Server (CIS) 6.2 allows remote attackers to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in co…

CVSS: 10.0 CWE: N/A View on NVD
2016-04-14
High

CVE-2016-4014

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to ud…

CVSS: 8.6 CWE: N/A View on NVD
2016-04-07
Critical

CVE-2016-3974

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access…

CVSS: 9.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-04-05
Medium

CVE-2016-1789

Apple iBooks Author before 2.4.1 allows remote attackers to read arbitrary files via an iBooks Author file containing an XML external entity declaration in conjunction with an entity reference, relat…

CVSS: 5.5 CWE: N/A View on NVD
2016-03-25
Medium

CVE-2016-2340

The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows remote authenticated users to read arbitrary files, send TCP requests to intranet servers, or cause a denial of service via an XML ext…

CVSS: 5.4 CWE: N/A View on NVD
2016-03-03
Medium

CVE-2016-1358

Cisco Prime Infrastructure 2.2, 3.0, and 3.1(0.0) allows remote authenticated users to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration…

CVSS: 6.4 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2016-02-29
Medium

CVE-2016-0245

The XML parser in IBM WebSphere Portal 8.0.x before 8.0.0.1 CF20 and 8.5.x before 8.5.0.0 CF10 allows remote authenticated users to read arbitrary files or cause a denial of service via an external e…

CVSS: 5.4 CWE: N/A View on NVD
2016-02-12
Medium

CVE-2016-0882

EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to read arbitrary files via a POST request containing an XML external entity declaration in conjunctio…

CVSS: 5.4 CWE: N/A View on NVD
2016-01-21
Medium

CVE-2016-0457

Unspecified vulnerability in the Application Mgmt Pack for E-Business Suite component in Oracle E-Business Suite 12.1 and 12.2 allows remote attackers to affect confidentiality via vectors related to…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2016-0456

Unspecified vulnerability in the Application Mgmt Pack for E-Business Suite component in Oracle E-Business Suite 12.1 and 12.2 allows remote attackers to affect confidentiality via vectors related to…

CVSS: 5.0 CWE: N/A View on NVD
2016-01-02
High

CVE-2015-7400

The Lotus Mashups component in IBM Mashup Center 3.0.0.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an XML external entity declaration in conjunction with an…

CVSS: 7.7 CWE: CWE-399 View on NVD
2015-12-11
Medium

CVE-2015-7081

iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote attackers to read arbitrary files via an iBooks file containing an XML external entity declaration in conjunction with an entity r…

CVSS: 5.0 CWE: N/A View on NVD
2015-11-25
Medium

CVE-2015-5319

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration th…

CVSS: 5.0 CWE: N/A View on NVD
2015-11-11
Medium

CVE-2015-6096

The XML DTD parser in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2, and 4.6 allows remote attackers to read arbitrary files via an external entity declaration in conjunction wit…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-10-21
Medium

CVE-2015-4886

Unspecified vulnerability in the Oracle Report Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integri…

CVSS: 6.4 CWE: N/A View on NVD
Medium

CVE-2015-4851

Unspecified vulnerability in the Oracle iSupplier Portal component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and avai…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2015-4849

Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and a…

CVSS: 6.8 CWE: N/A View on NVD
2015-10-14
Medium

CVE-2015-2556

The InfoPath Forms Services component in Microsoft SharePoint Server 2007 SP3 and 2010 SP2 misparses DTDs, which allows remote attackers to read arbitrary files via an XML document containing an exte…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-09-28
Medium

CVE-2015-6463

CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU…

CVSS: 5.8 CWE: N/A View on NVD
2015-09-16
Medium

CVE-2015-3623

XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML d…

CVSS: 6.4 CWE: N/A View on NVD
2015-09-04
High

CVE-2015-4538

The XML parser in EMC Atmos before 2.2.3.426 and 2.3.x before 2.3.1.0 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an extern…

CVSS: 7.5 CWE: N/A View on NVD
2015-08-25
Medium

CVE-2015-5161

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote at…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2015-3269

Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-08-24
Medium

CVE-2015-6664

XML external entity (XXE) vulnerability in the application import functionality in SAP Mobile Platform 2.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact v…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2015-6662

XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security N…

CVSS: 6.8 CWE: N/A View on NVD
2015-08-16
Medium

CVE-2015-3784

Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an en…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2015-3762

The Text Formats component in Apple OS X before 10.10.5, as used in TextEdit, allows remote attackers to read arbitrary files via a text file containing an XML external entity declaration in conjunct…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-08-11
High

CVE-2015-1818

XML external entity (XXE) vulnerability in the dashbuilder import facility (DocumentBuilders in org.jboss.dashboard.export.ImportManagerImpl) in Red Hat JBoss BPM Suite before 6.1.2 allows remote att…

CVSS: 7.5 CWE: N/A View on NVD
2015-06-24
High

CVE-2015-5068

XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML request, aka SAP Security…

CVSS: 7.5 CWE: N/A View on NVD
2015-06-07
Medium

CVE-2015-0112

Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1, 4.x before 4.0.7 IF5, and 5.x before 5.0.2 IF4; Rational Quality Manager (RQM) 2.0 through 2.0.1, 3…

CVSS: 4.0 CWE: N/A View on NVD
2015-06-03
Medium

CVE-2015-0264

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an extern…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2015-0263

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary…

CVSS: 5.0 CWE: N/A View on NVD
2015-06-02
Medium

CVE-2015-4162

XML external entity (XXE) vulnerability in the management interface in PAN-OS before 5.0.16, 6.x before 6.0.8, and 6.1.x before 6.1.4 allows remote authenticated administrators to obtain sensitive in…

CVSS: 4.0 CWE: N/A View on NVD
2015-05-30
Medium

CVE-2015-0758

The web-based user interface in Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with a…

CVSS: 4.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-05-29
Medium

CVE-2015-1833

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote atta…

CVSS: 6.4 CWE: CWE-20 - Improper Input Validation View on NVD
2015-05-26
High

CVE-2015-4091

XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to t…

CVSS: 7.5 CWE: N/A View on NVD
2015-05-25
Medium

CVE-2015-1909

The XML parser in the Reference Data Management component in the server in IBM InfoSphere Master Data Management (MDM) 10.1 before IF1, 11.0 before FP3, 11.3, and 11.4 before FP2 allows remote attack…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-05-20
Medium

CVE-2014-8924

The server in IBM License Metric Tool 7.2.2 before IF15 and 7.5 before IF24 and Tivoli Asset Discovery for Distributed 7.2.2 before IF15 and 7.5 before IF24 allows remote attackers to read arbitrary…

CVSS: 6.4 CWE: N/A View on NVD
2015-05-18
Medium

CVE-2015-2346

XML external entity (XXE) vulnerability in Huawei SEQ Analyst before V200R002C03LG0001CP0022 allows remote authenticated users to read arbitrary files via the req parameter.

CVSS: 4.0 CWE: N/A View on NVD
2015-05-14
High

CVE-2014-8162

XML external entity (XXE) in the RPC interface in Spacewalk and Red Hat Network (RHN) Satellite 5.7 and earlier allows remote attackers to read arbitrary files and possibly have other unspecified imp…

CVSS: 7.5 CWE: N/A View on NVD
2015-05-12
Medium

CVE-2015-3451

The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to t…

CVSS: 5.0 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2015-04-21
High

CVE-2014-8125

XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file.

CVSS: 7.5 CWE: N/A View on NVD
2015-04-10
Medium

CVE-2015-1092

NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, r…

CVSS: 5.0 CWE: N/A View on NVD
2015-04-01
Medium

CVE-2015-2818

XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125513.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2015-2813

XML external entity (XXE) vulnerability in SAP Mobile Platform allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125358.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2015-2812

XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Secur…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2015-2811

XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Not…

CVSS: 5.0 CWE: N/A View on NVD
2015-03-24
Medium

CVE-2015-0250

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of servic…

CVSS: 6.4 CWE: N/A View on NVD
2015-03-13
Medium

CVE-2015-0133

IBM WebSphere Commerce 7.0 Feature Pack 4 through 8 allows remote attackers to read arbitrary files and possibly obtain administrative privileges via an XML external entity declaration in conjunction…

CVSS: 5.0 CWE: N/A View on NVD
2015-03-09
High

CVE-2015-0254

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform…

CVSS: 7.5 CWE: N/A View on NVD
2015-02-20
High

CVE-2014-3682

XML external entity (XXE) vulnerability in the JBPMBpmn2ResourceImpl function in designer/bpmn2/resource/JBPMBpmn2ResourceImpl.java in jbpm-designer 6.0.x and 6.2.x allows remote attackers to read ar…

CVSS: 7.5 CWE: N/A View on NVD
2015-02-19
Medium

CVE-2014-6302

The Monitoring Administration pages in PNMsoft Sequence Kinetics before 7.7 allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity referen…

CVSS: 5.0 CWE: N/A View on NVD
2015-02-14
Medium

CVE-2015-0923

The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1 allows remote attackers to read arbitrary files via a…

CVSS: 5.0 CWE: N/A View on NVD
2015-01-28
High

CVE-2015-0581

The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity de…

CVSS: 7.5 CWE: N/A View on NVD
2015-01-22
Medium

CVE-2015-1309

XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML reques…

CVSS: 5.0 CWE: N/A View on NVD
2015-01-21
Medium

CVE-2014-6577

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality v…

CVSS: 6.8 CWE: N/A View on NVD
2015-01-20
Medium

CVE-2014-8790

XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via…

CVSS: 5.0 CWE: N/A View on NVD
2015-01-15
Medium

CVE-2014-0171

XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a…

CVSS: 5.0 CWE: N/A View on NVD
2015-01-10
Medium

CVE-2014-6212

The Echo API in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix11, 10.0.0.x before 10.0.0.1 iFix12, 10.0.1.x before 10.0.1.5 iFix2, and 10.0.2.x before 10.0.2.2 iFix5; Emptoris Sourcing 9.…

CVSS: 4.0 CWE: N/A View on NVD
2015-01-09
Medium

CVE-2015-0921

XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the…

CVSS: 4.0 CWE: N/A View on NVD
2014-12-23
Medium

CVE-2014-5214

nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query pa…

CVSS: 4.0 CWE: N/A View on NVD
2014-12-18
Medium

CVE-2014-6166

The Communications Enabled Applications (CEA) service in IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.4, and Feature Pack for CEA 1.x before 1.0.0.15, allows remote a…

CVSS: 4.3 CWE: N/A View on NVD
2014-12-11
Medium

CVE-2014-6114

The Hosted Transparent Decision Service in the Rule Execution Server in IBM WebSphere ILOG JRules 7.1 before MP1 FP5 IF43; WebSphere Operational Decision Management 7.5 before FP3 IF41; and Operation…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-12-10
Medium

CVE-2014-8452

Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows and OS X allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an e…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2014-9360

XML external entity (XXE) vulnerability in Scalix Web Access 11.4.6.12377 and 12.2.0.14697 allows remote attackers to read arbitrary files and trigger requests to intranet servers via a crafted reque…

CVSS: 6.4 CWE: N/A View on NVD
2014-12-06
Low

CVE-2014-7251

XML external entity (XXE) vulnerability in the WebHMI server in Yokogawa Electric Corporation FAST/TOOLS before R9.05-SP2 allows local users to cause a denial of service (CPU or network traffic consu…

CVSS: 3.2 CWE: CWE-20 - Improper Input Validation View on NVD
2014-11-25
Medium

CVE-2014-7839

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external en…

CVSS: 6.4 CWE: CWE-20 - Improper Input Validation View on NVD
2014-11-24
Medium

CVE-2014-5325

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrar…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-11-17
Medium

CVE-2014-3629

XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allows remote attackers to cause outgoing HTTP connections via a crafted message.

CVSS: 4.3 CWE: CWE-19 View on NVD
2014-11-16
Medium

CVE-2014-2682

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService…

CVSS: 6.8 CWE: CWE-19 View on NVD
Medium

CVE-2014-2681

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService…

CVSS: 6.4 CWE: CWE-19 View on NVD
2014-11-07
High

CVE-2014-3437

The management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU5 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via XML data containing…

CVSS: 7.5 CWE: N/A View on NVD
2014-11-05
Medium

CVE-2014-4769

IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 allows remote authenticated users to read arbitrary files or send TCP requests to intranet servers via XML data containing an exter…

CVSS: 4.0 CWE: N/A View on NVD
2014-11-04
High

CVE-2014-8474

CA Cloud Service Management (CSM) before Summer 2014 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption)…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2014-8590

XML external entity (XXE) vulnerability in the Web Service Navigator in SAP NetWeaver Application Server (AS) Java allows remote attackers to access arbitrary files via a crafted request.

CVSS: 4.3 CWE: N/A View on NVD
2014-11-01
Medium

CVE-2014-6032

Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.…

CVSS: 5.5 CWE: N/A View on NVD
2014-10-31
Medium

CVE-2014-7177

XML External Entity vulnerability in Enalean Tuleap 7.2 and earlier allows remote authenticated users to read arbitrary files via a crafted xml document in a create action to plugins/tracker/.

CVSS: 4.0 CWE: N/A View on NVD
2014-10-18
Medium

CVE-2014-3573

The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an "insecure DocumentBuilderFactory," which allows remote attackers to read arbitrary files or…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2014-10-16
Medium

CVE-2014-8316

XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explo…

CVSS: 5.0 CWE: N/A View on NVD
2014-09-30
Medium

CVE-2014-0170

Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data Virtualization 6.0.0 before patch 3 allows remote attackers to read arbitrary files via a crafted request to a REST endpoint, related to an XM…

CVSS: 4.3 CWE: N/A View on NVD
2014-09-23
Medium

CVE-2014-5392

XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a requ…

CVSS: 5.8 CWE: N/A View on NVD
2014-09-18
Medium

CVE-2014-4374

NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an…

CVSS: 5.0 CWE: N/A View on NVD
2014-09-04
Medium

CVE-2014-3529

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference…

CVSS: 4.3 CWE: N/A View on NVD
2014-08-28
Low

CVE-2014-5398

Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML external entity declaration i…

CVSS: 2.1 CWE: CWE-20 - Improper Input Validation View on NVD
2014-08-26
Medium

CVE-2014-5035

The Netconf (TCP) service in OpenDaylight 1.0 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference in an XML-RPC message, rel…

CVSS: 6.8 CWE: N/A View on NVD
2014-08-19
High

CVE-2014-3490

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity…

CVSS: 7.5 CWE: N/A View on NVD
2014-08-17
Medium

CVE-2014-3087

callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external…

CVSS: 4.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-08-03
Low

CVE-2014-5177

libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declarat…

CVSS: 1.2 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2014-0179

libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction…

CVSS: 1.9 CWE: CWE-20 - Improper Input Validation View on NVD
2014-07-29
Medium

CVE-2014-3543

mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2014-3542

mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external e…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-07-22
High

CVE-2014-3530

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-07-11
Medium

CVE-2014-3485

The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via un…

CVSS: 4.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-07-08
Medium

CVE-2014-2510

The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39, 6.7 SP1 before P28, and 6.7 SP2 before P15, as used in My Documentum for Desktop, My Documentum for Microsoft Outlook,…

CVSS: 6.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-07-07
Medium

CVE-2014-3481

org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-07-02
Medium

CVE-2014-3066

IBM Tivoli Endpoint Manager 9.1 before 9.1.1088.0 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, relat…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-06-28
Low

CVE-2014-4669

HP Enterprise Maps 1.00 allows remote authenticated users to read arbitrary files via a WSDL document containing an XML external entity declaration in conjunction with an entity reference within a Ge…

CVSS: 3.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-06-11
Medium

CVE-2014-3004

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

CVSS: 4.3 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2014-06-04
High

CVE-2014-2056

PHPDocX, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2014-2055

SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2014-2054

PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, caus…

CVSS: 7.5 CWE: N/A View on NVD