Vulnerabilities > Improper Restriction of XML External Entity Reference ('XXE')

DATE CVE VULNERABILITY TITLE RISK
2012-11-24 CVE-2012-2239 XXE vulnerability in multiple products
Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
network
low complexity
mahara debian CWE-611
critical
9.1
2012-10-09 CVE-2012-4399 XXE vulnerability in Cakefoundation Cakephp
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
network
low complexity
cakefoundation CWE-611
7.5
2012-10-03 CVE-2012-3489 XXE vulnerability in multiple products
The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
6.5
2012-06-17 CVE-2012-0037 XXE vulnerability in multiple products
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.
6.5
2011-11-17 CVE-2011-4107 XXE vulnerability in multiple products
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
network
low complexity
phpmyadmin fedoraproject debian CWE-611
6.5
2010-09-14 CVE-2010-3322 XXE vulnerability in Splunk
The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.
network
low complexity
splunk CWE-611
8.8
2009-06-10 CVE-2009-1699 XXE vulnerability in multiple products
The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
network
low complexity
apple canonical opensuse CWE-611
7.5
2005-06-15 CVE-2005-1306 XXE vulnerability in Adobe Acrobat and Acrobat Reader
The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability."
network
low complexity
adobe CWE-611
7.5