Total
1205 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45396 | 1 Jenkins | 1 Sourcemonitor | 2025-04-30 | 9.8 Critical |
| Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2022-43689 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 5.3 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | ||||
| CVE-2022-3340 | 1 Trellix | 1 Intrusion Prevention System Manager | 2025-04-30 | 5.9 Medium |
| XML External Entity (XXE) vulnerability in Trellix IPS Manager prior to 10.1 M8 allows a remote authenticated administrator to perform XXE attack in the administrator interface part of the interface, which allows a saved XML configuration file to be imported. | ||||
| CVE-2022-3980 | 1 Sophos | 1 Mobile | 2025-04-29 | 9.8 Critical |
| An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. | ||||
| CVE-2025-2070 | 2025-04-29 | 5 Medium | ||
| An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. | ||||
| CVE-2022-40771 | 1 Zohocorp | 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2025-04-28 | 4.9 Medium |
| Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure. | ||||
| CVE-2022-23640 | 1 Excel Streaming Reader Project | 1 Excel Streaming Reader | 2025-04-23 | 9.8 Critical |
| Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround. | ||||
| CVE-2022-38419 | 1 Adobe | 1 Coldfusion | 2025-04-23 | 7.5 High |
| Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction. | ||||
| CVE-2022-42341 | 1 Adobe | 1 Coldfusion | 2025-04-23 | 7.5 High |
| Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction. | ||||
| CVE-2022-46682 | 1 Jenkins | 1 Plot | 2025-04-23 | 9.8 Critical |
| Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2022-45326 | 1 Kwoksys | 1 Information Server | 2025-04-23 | 4.9 Medium |
| An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks. | ||||
| CVE-2022-46827 | 1 Jetbrains | 1 Intellij Idea | 2025-04-22 | 3.9 Low |
| In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. | ||||
| CVE-2022-24898 | 1 Xwiki | 1 Commons | 2025-04-22 | 4.9 Medium |
| org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights. | ||||
| CVE-2016-4931 | 1 Juniper | 1 Junos Space | 2025-04-20 | N/A |
| XML entity injection in Junos Space before 15.2R2 allows attackers to cause a denial of service. | ||||
| CVE-2017-1383 | 1 Ibm | 2 Infosphere Information Server, Softlayer | 2025-04-20 | N/A |
| IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155. | ||||
| CVE-2017-14101 | 1 Changehealthcare | 1 Conserus Image Repository | 2025-04-20 | N/A |
| A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change Healthcare company. An unauthenticated user supplying a modified HTTP SOAP request to the vulnerable service allows for arbitrary file read access to the local file system as well as the transmittal of the application service's account hashed credentials to a remote attacker. | ||||
| CVE-2017-6662 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2025-04-20 | N/A |
| A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker must have valid user credentials. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries which could allow the attacker to read and write files and execute remote code within the application, aka XML Injection. Cisco Prime Infrastructure software releases 1.1 through 3.1.6 are vulnerable. Cisco EPNM software releases 1.2, 2.0, and 2.1 are vulnerable. Cisco Bug IDs: CSCvc23894 CSCvc49561. | ||||
| CVE-2017-14527 | 1 Opentext | 2 Documentum Administrator, Documentum Webtop | 2025-04-20 | N/A |
| Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Webtop 6.8.0160.0073 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in. | ||||
| CVE-2017-12629 | 4 Apache, Canonical, Debian and 1 more | 9 Solr, Ubuntu Linux, Debian Linux and 6 more | 2025-04-20 | 9.8 Critical |
| Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. | ||||
| CVE-2017-13706 | 1 Lansweeper | 1 Lansweeper | 2025-04-20 | N/A |
| XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705. | ||||