Vulnerabilities > Improper Restriction of XML External Entity Reference ('XXE')

DATE CVE VULNERABILITY TITLE RISK
2017-09-28 CVE-2017-12621 XXE vulnerability in Apache Commons Jelly 1.0
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL.
network
low complexity
apache CWE-611
critical
9.8
2017-09-26 CVE-2017-1527 XXE vulnerability in IBM Business Process Manager
IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data.
network
low complexity
ibm CWE-611
8.1
2017-09-13 CVE-2017-8710 XXE vulnerability in Microsoft Windows 7 and Windows Server 2008
The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability".
local
low complexity
microsoft CWE-611
5.5
2017-09-12 CVE-2017-8918 XXE vulnerability in Blackwave Dive Assistant 8.0
XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.
local
low complexity
blackwave CWE-611
5.5
2017-09-09 CVE-2017-8040 XXE vulnerability in VMWare Single Sign-On for Pivotal Cloud Foundry
In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, an XXE (XML External Entity) attack was discovered in the Single Sign-On service dashboard.
network
low complexity
vmware CWE-611
6.5
2017-09-08 CVE-2017-9095 XXE vulnerability in Divinglog Diving LOG
XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import.
local
low complexity
divinglog CWE-611
5.5
2017-09-07 CVE-2017-12216 XXE vulnerability in Cisco Socialminer
A vulnerability in the web-based user interface of Cisco SocialMiner could allow an unauthenticated, remote attacker to have read and write access to information stored in the affected system.
network
low complexity
cisco CWE-611
8.8
2017-09-06 CVE-2015-7241 XXE vulnerability in SAP Netweaver 4.0/6.4/7.0
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
network
low complexity
sap CWE-611
critical
9.8
2017-09-06 CVE-2015-3160 XXE vulnerability in Beaker-Project Beaker
XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system.
network
low complexity
beaker-project CWE-611
4.3
2017-09-05 CVE-2017-1458 XXE vulnerability in IBM Qradar Network Security 5.4
IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data.
network
low complexity
ibm CWE-611
8.1