Vulnerabilities > Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Each entry lists the publication date, CVE identifier and title, followed by the description, attack vector, attack complexity, affected vendor(s), weakness class and risk score.

2024-06-26  CVE-2024-28982  XML Entity Expansion vulnerability in Hitachi Pentaho Business Analytics Server
  Description: Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x, do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.
  Vector: network | Complexity: low | Vendor: hitachi | Weakness: CWE-776 | Risk: 8.2

2024-06-04  CVE-2022-28652  XML Entity Expansion vulnerability in multiple products
  Description: ~/.config/apport/settings parsing is vulnerable to a "billion laughs" attack.
  Vector: local | Complexity: low | Vendors: apport-project, canonical | Weakness: CWE-776 | Risk: 5.5

2024-02-04  CVE-2023-52426  XML Entity Expansion vulnerability in Libexpat Project Libexpat
  Description: libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
  Vector: local | Complexity: low | Vendor: libexpat-project | Weakness: CWE-776 | Risk: 5.5

2023-12-07  CVE-2023-49967  XML Entity Expansion vulnerability in Typecho 1.2.1
  Description: Typecho v1.2.1 was discovered to be vulnerable to an XML Quadratic Blowup attack via the component /index.php/action/xmlrpc.
  Vector: network | Complexity: low | Vendor: typecho | Weakness: CWE-776 | Risk: 7.5

2023-08-31  CVE-2023-41635  XML Entity Expansion vulnerability in Grupposcai Realgimm 1.1.37
  Description: An XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem by supplying a crafted XML file.
  Vector: network | Complexity: low | Vendor: grupposcai | Weakness: CWE-776 | Risk: 6.5

2023-03-01  CVE-2023-20052  XML Entity Expansion vulnerability in multiple products
  Description: On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution, which may result in XML external entity injection.
  Vector: network | Complexity: low | Vendors: cisco, clamav, stormshield | Weakness: CWE-776 | Risk: 5.3

2022-11-18  CVE-2022-44641  XML Entity Expansion vulnerability in multiple products
  Description: In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service.
  Vector: network | Complexity: low | Vendors: linaro, debian | Weakness: CWE-776 | Risk: 6.5

2022-10-11  CVE-2022-34430  XML Entity Expansion vulnerability in Dell Hybrid Client
  Description: Dell Hybrid Client versions below 1.8 contain a Zip Bomb vulnerability in the UI.
  Vector: network | Complexity: low | Vendor: dell | Weakness: CWE-776 | Risk: 7.5

2022-08-30  CVE-2022-25857  XML Entity Expansion vulnerability in multiple products
  Description: The package org.yaml:snakeyaml from version 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting-depth limitation for collections.
  Vector: network | Complexity: low | Vendors: snakeyaml-project, debian | Weakness: CWE-776 | Risk: 7.5

2022-08-26  CVE-2022-0217  XML Entity Expansion vulnerability in Prosody
  Description: It was discovered that an internal Prosody library used to load XML, based on libexpat, does not properly restrict the XML features allowed in parsed XML data.
  Vector: network | Complexity: low | Vendor: prosody | Weakness: CWE-776 | Risk: 7.5