what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News Services About Contact Add New

Showing 1 - 25 of 255

XML Injection Files

Dell EMC ECOM XML External Entity Injection

Posted Apr 26, 2018

Authored by Jakub Palaczynski | Site emc.com

The Dell EMC Common Object Manager (ECOM) component used in multiple Dell EMC products is affected by a XML External Entity (XXE) Injection vulnerability that may potentially be exploited by malicious users to compromise the affected system.

tags | advisory, xxe

MD5 | 7dab4d7ace5e05c27d3d81c8b2326fc4

Download | Favorite | View

Debian Security Advisory 4175-1

Posted Apr 22, 2018

Authored by Debian | Site debian.org

Debian Linux Security Advisory 4175-1 - Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.

tags | advisory, java, info disclosure, xxe

systems | linux, debian

advisories | CVE-2018-1000069

MD5 | 12a16510ecd8dd615bb9eb5718e58e42

Download | Favorite | View

Digital Guardian Management Console 7.1.2.0015 XXE Injection

Posted Apr 19, 2018

Authored by Pawel Gocyla

Digital Guardian Management Console version 7.1.2.0015 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe

advisories | CVE-2018-10175

MD5 | 4580a4c26b72fed29c24bcb9499af56f

Download | Favorite | View

Geist WatchDog Console 3.2.2 XSS / XML Injection / Insecure Permissions

Posted Apr 19, 2018

Authored by bzyo

Geist WatchDog Console version 3.2.2 suffers from cross site scripting, XML external entity injection, and insecure file permission vulnerabilities.

tags | exploit, vulnerability, xss, xxe

advisories | CVE-2018-10077, CVE-2018-10078, CVE-2018-10079

MD5 | 4811ca31e7f5fe461ed4376e43851ecc

Download | Favorite | View

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection

Posted Apr 9, 2018

Authored by LiquidWorm | Site zeroscience.mk

KYOCERA Multi-Set Template Editor version 3.4.0906 suffers from an out-of-band XML external entity injection vulnerability.

tags | exploit, xxe

MD5 | 0c8850a036da5916bbb8e718eccc4d21

Download | Favorite | View

Microsoft Windows Remote Assistance XXE Injection

Posted Mar 28, 2018

Authored by Nabeel Ahmed

Microsoft Windows Remote Assistance suffers from an XML external entity injection vulnerability.

tags | exploit, remote, xxe

systems | windows

advisories | CVE-2018-0878

MD5 | cb3025652af207020bf6755d7274530e

Download | Favorite | View

Micro Focus Security Bulletin MFSBGN03797 1

Posted Feb 2, 2018

Authored by Micro Focus | Site microfocus.com

Micro Focus Security Bulletin MFSBGN03797 1 - A potential security vulnerability has been identified in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC). The vulnerability could be exploited to allow XML External Entity (XXE) injection. Revision 1 of this advisory.

tags | advisory, xxe

advisories | CVE-2018-6486

MD5 | 62f460254f94edede800f1cd1ae2458b

Download | Favorite | View

Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection / XSS

Posted Jan 24, 2018

Authored by Samandeep Singh, Mohammad Shah Bin Mohammad Esa | Site sec-consult.com

Oracle Financial Services Analytical Applications versions 7.3.5.x and 8.0.x suffer from XML external entity injection and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, xxe

advisories | CVE-2018-2660, CVE-2018-2661

MD5 | 03e038ba3c35a62362f8c4edf912224d

Download | Favorite | View

Red Hat Security Advisory 2017-3452-01

Posted Dec 13, 2017

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3452-01 - Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. Security Fix: It was discovered that Lucene's XML query parser did not properly restrict doctype declaration and expansion of external entities. An attacker with access to an application using a Lucene XML query parser could exploit this flaw to perform XML eXternal Entity attacks.

tags | advisory, java, xxe

systems | linux, redhat

advisories | CVE-2017-12629

MD5 | 0cf279b0be3ca49556ec283b8a84e4b4

Download | Favorite | View

Red Hat Security Advisory 2017-3451-01

Posted Dec 13, 2017

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3451-01 - Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. Security Fix: It was discovered that Lucene's XML query parser did not properly restrict doctype declaration and expansion of external entities. An attacker with access to an application using a Lucene XML query parser could exploit this flaw to perform XML eXternal Entity attacks.

tags | advisory, java, xxe

systems | linux, redhat

advisories | CVE-2017-12629

MD5 | bc6baf9fcb7346cbdd4c4cfb54217a81

Download | Favorite | View

Diving Log 6.0 XML External Entity Injection

Posted Nov 27, 2017

Authored by Trent Gordon

Diving Log version 6.0 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe

advisories | CVE-2017-9095

MD5 | 9d6c9f15cd8cdb7805839a5f1d6aa410

Download | Favorite | View

iText PDF Library 7.0.2 / 5.5.11 / 2.0.8 XXE Injection

Posted Nov 6, 2017

Authored by Benjamin Bruppacher

iText PDF Library versions 2.0.8, 5.5.11, and 7.0.2 suffer from an XML external entity injection vulnerability. The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data. By providing a malicious XXE payloads inside the XML data that resides in the PDF, an attacker can for example extract files or forge requests on the server.

tags | advisory, xxe

advisories | CVE-2017-9096

MD5 | b4f4f5142c0c778840b48038c076d309

Download | Favorite | View

Ladon Framework For Python 0.9.40 XXE Injection

Posted Nov 3, 2017

Site redteam-pentesting.de

Attackers who can send SOAP messages to a Ladon webservice via the HTTP interface of the Ladon webservice can exploit an XML external entity expansion vulnerability and read local files, forge server side requests or overload the service with exponentially growing memory payloads. Versions 0.9.40 and below are affected.

tags | exploit, web, local, xxe

MD5 | 56720fcc2b7cc9bfd94f0fbaf6ff432d

Download | Favorite | View

Oracle Java SE Wv8u131 Information Disclosure

Posted Nov 2, 2017

Authored by mr_me

Oracle Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'. This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack can be leveraged to disclose files, cause a denial of service or trigger SSRF. Versions v8u131 and below are affected.

tags | exploit, java, remote, denial of service, shell, registry, protocol, info disclosure, xxe

advisories | CVE-2017-10309

MD5 | 1e5c74e4370cfb11bd675efce53eb688

Download | Favorite | View

Mura CMS Server-Side Request Forgery / XXE Injection

Posted Oct 26, 2017

Authored by Anthony Cole

Mura CMS versions prior to 6.2 suffer from server-side request forgery and XML external entity injection vulnerabilities.

tags | exploit, vulnerability, xxe

advisories | CVE-2017-15639

MD5 | 082f770ed9b178ced262ba51f73e3f10

Download | Favorite | View

Microsoft Windows GDFMaker 6.3.9600.16384 XXE Injection

Posted Oct 18, 2017

Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Microsoft Windows Game Definition File Editor (GDFMaker) version 6.3.9600.16384 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe

systems | windows

MD5 | c7d0ae4a7bf14a2d1e2cae2ae115040a

Download | Favorite | View

Apache Solr 7.0.1 XXE Injection / Code Execution

Posted Oct 18, 2017

Authored by Michael Stepankin, Olga Barinova

Apache Solar version 7.0.1 suffers from XML external entity injection and remote code execution vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xxe

advisories | CVE-2017-12629

MD5 | c5a11c70eb9d20e9abf2fb6d5efc3959

Download | Favorite | View

Lansweeper 6.0.100.29 XXE Injection

Posted Oct 6, 2017

Authored by Mehmet Ince, Barkin Kilic

Lansweeper version 6.0.100.29 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe

advisories | CVE-2017-13706

MD5 | ac359c8576cebe46e9bfc2fd930fc500

Download | Favorite | View

OpenText Document Sciences xPression 4.5SP1 Patch 13 XML Injection

Posted Sep 29, 2017

Authored by Mariusz Woloszyn

OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from an XML external entity injection vulnerability.

tags | exploit, xxe

advisories | CVE-2017-14759

MD5 | cc7bbb9dac8735511fb665bdf6292a89

Download | Favorite | View

OpenText Documentum Administrator / Webtop XXE Injection

Posted Sep 27, 2017

Authored by Jakub Palaczynski, Pawel Gocyla

OpenText Documentum Administrator version 7.2.0180.0055 and Documentum Webtop version 6.8.0160.0073 suffer from XML external entity injection vulnerabilities.

tags | exploit, vulnerability, xxe

advisories | CVE-2017-14526, CVE-2017-14527

MD5 | 0cf5e2fc80eb45dd8b9bba4f36f8f1b5

Download | Favorite | View

IBM Infosphere Information Server / Datastage 11.5 Command Execution / Bypass

Posted Sep 15, 2017

Authored by Samandeep Singh, Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa | Site sec-consult.com

IBM Infosphere Information Server / Datastage versions 9.1, 11.3, and 11.5 (including Cloud version 11.5) suffer from bypass, XML external entity injection, DLL side loading, and various other vulnerabilities.

tags | exploit, vulnerability, xxe

advisories | CVE-2017-1383, CVE-2017-1467, CVE-2017-1468, CVE-2017-1495

MD5 | df508740935e04a74179d3725b5fea36

Download | Favorite | View

OSCI-Transport Library 1.2 Padding Oracle / Signature Wrapping / XXE Injection

Posted Jun 30, 2017

Authored by Wolfgang Ettlinger, Marc Nimmerrichter | Site sec-consult.com

OSCI-Transport library version 1.2 for German e-Government suffers from padding oracle, signature wrapping, and XML external entity injection vulnerabilities.

tags | advisory, vulnerability, xxe

advisories | CVE-2017-10668, CVE-2017-10669, CVE-2017-10670

MD5 | 852b54bfa71394caa84d2551937c6f52

Download | Favorite | View

Cisco Prime Infrastructure 3.1.6 XXE Injection / XSS / LFD / SQL Injection

Posted Jun 22, 2017

Authored by P. Morimoto | Site sec-consult.com

Cisco Prime Infrastructure versions 1.1 through 3.1.6 suffer from cross site scripting, XML external entity injection, file disclosure, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, xxe

systems | cisco

advisories | CVE-2017-6662, CVE-2017-6698, CVE-2017-6699, CVE-2017-6700

MD5 | a015626c21297363f1b2f3b6319821c8

Download | Favorite | View

Subsonic 6.1.1 XML External Entity Attack

Posted Jun 3, 2017

Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Subsonic 6.1.1 import playlist feature is susceptible to an XML External Entity attack via import of a malicious .XSPF playlist file.

tags | exploit, xxe

advisories | CVE-2017-9355

MD5 | 55908f5f3dbc9a08e404b4b34bfa1497

Download | Favorite | View

Trend Micro Deep Security 6.5 XXE / Code Execution

Posted May 31, 2017

Site securiteam.com

Trend Micro Deep Security version 6.5 suffers from XML external entity injection, local privilege escalation, and remote code execution vulnerabilities.

tags | exploit, remote, local, vulnerability, code execution, xxe

MD5 | 14d6ad8c29d1b68a5710f229a32f0da6

Download | Favorite | View