Vulnerabilities > Improper Restriction of XML External Entity Reference ('XXE')

DATE CVE VULNERABILITY TITLE RISK
2023-09-06 CVE-2023-41932 XXE vulnerability in Jenkins JOB Configuration History
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.
network
low complexity
jenkins CWE-611
6.5
2023-09-06 CVE-2023-41933 XXE vulnerability in Jenkins JOB Configuration History
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
network
low complexity
jenkins CWE-611
8.8
2023-09-05 CVE-2023-35892 XXE vulnerability in IBM Financial Transaction Manager 3.2.4
IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.
network
low complexity
ibm CWE-611
critical
9.1
2023-09-01 CVE-2023-40239 XXE vulnerability in Lexmark products
Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE attacks, leading to information disclosure.
network
low complexity
lexmark CWE-611
7.5
2023-08-25 CVE-2023-24620 XXE vulnerability in Esotericsoftware Yamlbeans
An issue was discovered in Esoteric YamlBeans through 1.15.
local
low complexity
esotericsoftware CWE-611
5.5
2023-08-22 CVE-2022-48565 XXE vulnerability in multiple products
An XML External Entity (XXE) issue was discovered in Python through 3.9.1.
network
low complexity
python debian CWE-611
critical
9.8
2023-08-11 CVE-2023-0871 XXE vulnerability in Opennms Horizon and Meridian
XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer.
low complexity
opennms CWE-611
6.1
2023-08-11 CVE-2023-3823 XXE vulnerability in multiple products
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded.
network
low complexity
php fedoraproject debian CWE-611
7.5
2023-08-10 CVE-2023-32567 XXE vulnerability in Ivanti Avalanche
Ivanti Avalanche decodeToMap XML External Entity Processing.
network
low complexity
ivanti CWE-611
critical
9.8
2023-08-04 CVE-2020-26064 XXE vulnerability in Cisco Catalyst Sd-Wan Manager
A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files.
network
low complexity
cisco CWE-611
8.1