Vulnerabilities > Improper Restriction of XML External Entity Reference ('XXE')

DATE CVE VULNERABILITY TITLE RISK
2017-07-19 CVE-2017-1219 XXE vulnerability in IBM Bigfix Platform
IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data.
network
low complexity
ibm CWE-611
6.5
2017-07-19 CVE-2016-6798 XXE vulnerability in Apache Sling
In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.
network
low complexity
apache CWE-611
critical
9.8
2017-07-17 CVE-2017-7664 XXE vulnerability in Apache Openmeetings
Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.
network
low complexity
apache CWE-611
critical
10.0
2017-07-17 CVE-2017-1000061 XXE vulnerability in Xmlsec Project Xmlsec
xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service
local
low complexity
xmlsec-project CWE-611
7.1
2017-07-17 CVE-2017-1000021 XXE vulnerability in Logicaldoc
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.
network
low complexity
logicaldoc CWE-611
8.8
2017-07-11 CVE-2017-8557 XXE vulnerability in Microsoft products
Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka "Windows System Information Console Information Disclosure Vulnerability".
local
low complexity
microsoft CWE-611
5.5
2017-07-11 CVE-2017-0170 XXE vulnerability in Microsoft products
Windows Performance Monitor in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability due to the way it parses XML input, aka "Windows Performance Monitor Information Disclosure Vulnerability".
network
low complexity
microsoft CWE-611
6.5
2017-07-05 CVE-2017-1254 XXE vulnerability in IBM Security Guardium
IBM Security Guardium 10.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data.
network
low complexity
ibm CWE-611
7.1
2017-06-30 CVE-2017-10670 XXE vulnerability in Xoev Osci Transport Library 1.6/1.6.1
An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure.
network
low complexity
xoev CWE-611
critical
9.8
2017-06-27 CVE-2017-1322 XXE vulnerability in IBM API Connect
IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.
network
low complexity
ibm CWE-611
8.2