Improper Restriction of XML External Entity Reference ('XXE')

Each entry lists the publication date, CVE id and title, a description, the attack vector, the attack complexity, the affected vendors and CWE, and the risk rating (severity where given, and score).
2017-10-14 CVE-2017-12629 XXE vulnerability in multiple products
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class.
Attack vector: network; complexity: low; vendors: apache, redhat, debian, canonical; CWE-611; risk: critical (9.8)
2017-10-12 CVE-2017-15280 XXE vulnerability in Umbraco CMS
XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.
Attack vector: local; complexity: low; vendor: umbraco; CWE-611; risk: 5.5
2017-10-10 CVE-2017-12623 XXE vulnerability in Apache Nifi
An authorized user could upload a template that contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack.
Attack vector: network; complexity: low; vendor: apache; CWE-611; risk: 6.5
2017-10-10 CVE-2017-13706 XXE vulnerability in Lansweeper
XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.
Attack vector: network; complexity: low; vendor: lansweeper; CWE-611; risk: critical (9.9)
2017-10-10 CVE-2014-0030 XXE vulnerability in Apache Roller
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
Attack vector: network; complexity: low; vendor: apache; CWE-611; risk: critical (9.8)
2017-10-03 CVE-2017-14759 XXE vulnerability in Opentext Document Sciences Xpression 4.5
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an XML External Entity vulnerability at the endpoint /xFramework/services/QuickDoc.QuickDocHttpSoap11Endpoint/.
Attack vector: network; complexity: low; vendor: opentext; CWE-611; risk: critical (9.8)
2017-10-03 CVE-2017-12620 XXE vulnerability in Apache Opennlp
When loading models or dictionaries that contain XML it is possible to perform an XXE attack. Since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources.
Attack vector: network; complexity: low; vendor: apache; CWE-611; risk: critical (9.8)
2017-09-30 CVE-2016-4434 XXE vulnerability in Apache Tika 1.12
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Attack vector: local; complexity: low; vendor: apache; CWE-611; risk: 7.8
2017-09-28 CVE-2017-14527 XXE vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple XML external entity (XXE) vulnerabilities in OpenText Documentum Webtop 6.8.0160.0073 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via (1) a crafted DTD involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector, or a crafted XML file during a MediaProfile file (2) import or (3) check-in.
Attack vector: network; complexity: low; vendor: opentext; CWE-611; risk: 8.8
2017-09-28 CVE-2017-14526 XXE vulnerability in Opentext Documentum Administrator and Documentum Webtop
Multiple XML external entity (XXE) vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via (1) a crafted DTD involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector, or a crafted XML file during a MediaProfile file (2) import or (3) check-in.
Attack vector: network; complexity: low; vendor: opentext; CWE-611; risk: 8.8