Vulnerabilities > Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-06-26 | CVE-2024-28982 | XML Entity Expansion vulnerability in Hitachi Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference. | 8.2 |
2024-06-04 | CVE-2022-28652 | XML Entity Expansion vulnerability in multiple products ~/.config/apport/settings parsing is vulnerable to "billion laughs" attack | 5.5 |
2024-02-04 | CVE-2023-52426 | XML Entity Expansion vulnerability in Libexpat Project Libexpat libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. | 5.5 |
2023-12-07 | CVE-2023-49967 | XML Entity Expansion vulnerability in Typecho 1.2.1 Typecho v1.2.1 was discovered to be vulnerable to an XML Quadratic Blowup attack via the component /index.php/action/xmlrpc. | 7.5 |
2023-08-31 | CVE-2023-41635 | XML Entity Expansion vulnerability in Grupposcai Realgimm 1.1.37 A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML file. | 6.5 |
2023-03-01 | CVE-2023-20052 | XML Entity Expansion vulnerability in multiple products On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. | 5.3 |
2022-11-18 | CVE-2022-44641 | XML Entity Expansion vulnerability in multiple products In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service. | 6.5 |
2022-10-11 | CVE-2022-34430 | XML Entity Expansion vulnerability in Dell Hybrid Client Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. | 7.5 |
2022-08-30 | CVE-2022-25857 | XML Entity Expansion vulnerability in multiple products The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. | 7.5 |
2022-08-26 | CVE-2022-0217 | XML Entity Expansion vulnerability in Prosody It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. | 7.5 |