The Dell EMC Common Object Manager (ECOM) component used in multiple Dell EMC products is affected by an XML External Entity (XXE) Injection vulnerability that may potentially be exploited by malicious users to compromise the affected system.
Debian Linux Security Advisory 4175-1 - Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.
Digital Guardian Management Console version 7.1.2.0015 suffers from an XML external entity injection vulnerability.
Geist WatchDog Console version 3.2.2 suffers from cross site scripting, XML external entity injection, and insecure file permission vulnerabilities.
KYOCERA Multi-Set Template Editor version 3.4.0906 suffers from an out-of-band XML external entity injection vulnerability.
Microsoft Windows Remote Assistance suffers from an XML external entity injection vulnerability.
Micro Focus Security Bulletin MFSBGN03797 1 - A potential security vulnerability has been identified in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC). The vulnerability could be exploited to allow XML External Entity (XXE) injection. Revision 1 of this advisory.
Oracle Financial Services Analytical Applications versions 7.3.5.x and 8.0.x suffer from XML external entity injection and cross site scripting vulnerabilities.
Red Hat Security Advisory 2017-3452-01 - Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. Security Fix: It was discovered that Lucene's XML query parser did not properly restrict doctype declaration and expansion of external entities. An attacker with access to an application using a Lucene XML query parser could exploit this flaw to perform XML eXternal Entity attacks.
Red Hat Security Advisory 2017-3451-01 - Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. Security Fix: It was discovered that Lucene's XML query parser did not properly restrict doctype declaration and expansion of external entities. An attacker with access to an application using a Lucene XML query parser could exploit this flaw to perform XML eXternal Entity attacks.
Diving Log version 6.0 suffers from an XML external entity injection vulnerability.
iText PDF Library versions 2.0.8, 5.5.11, and 7.0.2 suffer from an XML external entity injection vulnerability. The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data. By providing malicious XXE payloads inside the XML data that resides in the PDF, an attacker can, for example, extract files or forge requests on the server.
Attackers who can send SOAP messages to a Ladon webservice via its HTTP interface can exploit an XML external entity expansion vulnerability to read local files, forge server-side requests, or overload the service with exponentially growing memory payloads. Versions 0.9.40 and below are affected.
Oracle Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" with the value "C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1". This can allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack can be leveraged to disclose files, cause a denial of service, or trigger SSRF. Versions v8u131 and below are affected.
Mura CMS versions prior to 6.2 suffer from server-side request forgery and XML external entity injection vulnerabilities.
Microsoft Windows Game Definition File Editor (GDFMaker) version 6.3.9600.16384 suffers from an XML external entity injection vulnerability.
Apache Solr version 7.0.1 suffers from XML external entity injection and remote code execution vulnerabilities.
Lansweeper version 6.0.100.29 suffers from an XML external entity injection vulnerability.
OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from an XML external entity injection vulnerability.
OpenText Documentum Administrator version 7.2.0180.0055 and Documentum Webtop version 6.8.0160.0073 suffer from XML external entity injection vulnerabilities.
IBM InfoSphere Information Server / DataStage versions 9.1, 11.3, and 11.5 (including Cloud version 11.5) suffer from bypass, XML external entity injection, DLL side loading, and various other vulnerabilities.
OSCI-Transport library version 1.2 for German e-Government suffers from padding oracle, signature wrapping, and XML external entity injection vulnerabilities.
Cisco Prime Infrastructure versions 1.1 through 3.1.6 suffer from cross site scripting, XML external entity injection, file disclosure, and remote SQL injection vulnerabilities.
The Subsonic 6.1.1 playlist import feature is susceptible to an XML External Entity attack via import of a malicious .XSPF playlist file.
Trend Micro Deep Security version 6.5 suffers from XML external entity injection, local privilege escalation, and remote code execution vulnerabilities.