Vulnerabilities > Improper Restriction of XML External Entity Reference ('XXE')

DATE CVE VULNERABILITY TITLE RISK
2024-02-20 CVE-2024-25606 XXE vulnerability in Liferay Digital Experience Platform
XXE vulnerability in Liferay Portal 7.2.0 through 7.4.3.7, and older unsupported versions, and Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20, and older unsupported versions allows attackers with permission to deploy widgets/portlets/extensions to obtain sensitive information or consume system resources via the Java2WsddTask._format method.
network | low complexity | liferay | CWE-611 | 8.7
2024-02-13 CVE-2024-22024 XXE vulnerability in Ivanti Connect Secure, Policy Secure and Zero Trust Access
An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.
network | low complexity | ivanti | CWE-611 | 8.3
2024-02-06 CVE-2023-52239 XXE vulnerability in Magicsoftware Magic XPI Integration Platform 4.13.4
The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport.
network | low complexity | magicsoftware | CWE-611 | 6.5
2024-02-01 CVE-2024-1167 XXE vulnerability in Seweurodrive Movitools Motionstudio 6.5.0.2
When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information, unrestricted file access can occur.
network | low complexity | seweurodrive | CWE-611 | 7.5
2024-01-29 CVE-2023-4554 XXE vulnerability in Opentext Appbuilder 21.2
Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows and Linux allows Server Side Request Forgery and Probe System Files. AppBuilder's XML processor is vulnerable to XML External Entity Processing (XXE), allowing an authenticated user to upload specially crafted XML files to induce server-side request forgery and disclose files local to the server that processes them. This issue affects AppBuilder: from 21.2 before 23.2.
network | low complexity | opentext | CWE-611 | 6.5
2024-01-24 CVE-2024-21765 XXE vulnerability in Cals-Ed products
Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support System Ver.4.0.31 and earlier improperly restrict XML external entity references (XXE).
local | low complexity | cals-ed | CWE-611 | 5.5
2024-01-24 CVE-2024-21796 XXE vulnerability in Dfeg Electronic Deliverables Creation Support Tool
Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE).
local | low complexity | dfeg | CWE-611 | 5.5
2024-01-24 CVE-2024-22380 XXE vulnerability in Maff Electronic Delivery Check System 14.0.001.002
Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE).
local | low complexity | maff | CWE-611 | 5.5
2024-01-18 CVE-2024-23525 XXE vulnerability in Tozt Spreadsheet::Parsexlsx
The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig.
network | low complexity | tozt | CWE-611 | 6.5
2024-01-09 CVE-2023-6149 XXE vulnerability in Qualys web Application Screening
Qualys Jenkins Plugin for WAS up to and including version 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services.
network | low complexity | qualys | CWE-611 | 6.5