The Dell EMC Common Object Manager (ECOM) component used in multiple Dell EMC products is affected by a XML External Entity (XXE) Injection vulnerability that may potentially be exploited by malicious users to compromise the affected system.
ca38cccc3045ff5a40c220fdf2a44b66a7339f491e382df921a3922abcedc6ddDebian Linux Security Advisory 4175-1 - Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.
c456759cde28b933ea6dc80d25171392f1e7c16e867cd1b223b5cfa8a4a89c38Digital Guardian Management Console version 7.1.2.0015 suffers from an XML external entity injection vulnerability.
7cec0fd3e8efd19ae243d045d84667f65746f0c3315377e8314d97b5817a1fc7Geist WatchDog Console version 3.2.2 suffers from cross site scripting, XML external entity injection, and insecure file permission vulnerabilities.
d918f241ee6c7025f29ccf1f1cb519560eb23c715777ff59995bc0cdf7a81280KYOCERA Multi-Set Template Editor version 3.4.0906 suffers from an out-of-band XML external entity injection vulnerability.
c9052cd2ab7f9839495ce8d05c2a907fa7501d1dceff407eac665610153825a5Microsoft Windows Remote Assistance suffers from an XML external entity injection vulnerability.
30f3cbd80b79f0e54f6c7a336934dced0eac0a94cb3f89c1fa94def8ecf8a977Micro Focus Security Bulletin MFSBGN03797 1 - A potential security vulnerability has been identified in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC). The vulnerability could be exploited to allow XML External Entity (XXE) injection. Revision 1 of this advisory.
51226d70f2a4c9992bea2c5c5282c64bfc317194d1ea20fdf55efb2aefb2364cOracle Financial Services Analytical Applications versions 7.3.5.x and 8.0.x suffer from XML external entity injection and cross site scripting vulnerabilities.
596ba7a1bde4935da9df89c58e1d05d2e8ba24cba2ef3cb2156029511e53d6b4Red Hat Security Advisory 2017-3452-01 - Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. Security Fix: It was discovered that Lucene's XML query parser did not properly restrict doctype declaration and expansion of external entities. An attacker with access to an application using a Lucene XML query parser could exploit this flaw to perform XML eXternal Entity attacks.
26e4726f6f0f7896cd9ba554784035113622f24b3a03626fd4b1e47b30def97eRed Hat Security Advisory 2017-3451-01 - Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. Security Fix: It was discovered that Lucene's XML query parser did not properly restrict doctype declaration and expansion of external entities. An attacker with access to an application using a Lucene XML query parser could exploit this flaw to perform XML eXternal Entity attacks.
121c43b8294f271b4d791d9a53c87376dd04c9aa6efe6e6e2b4d2274c61a3262Diving Log version 6.0 suffers from an XML external entity injection vulnerability.
d0450eb5a8f82ef2929848b75adb39ccab2685f6239626955cde5507f931229diText PDF Library versions 2.0.8, 5.5.11, and 7.0.2 suffer from an XML external entity injection vulnerability. The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data. By providing a malicious XXE payloads inside the XML data that resides in the PDF, an attacker can for example extract files or forge requests on the server.
28a8b1badebadad07e326e2363388a39384fcbcb1f223722393aafea4bef3345Attackers who can send SOAP messages to a Ladon webservice via the HTTP interface of the Ladon webservice can exploit an XML external entity expansion vulnerability and read local files, forge server side requests or overload the service with exponentially growing memory payloads. Versions 0.9.40 and below are affected.
ed8acdbe74a60413ec64bf7ee626907c637009037aa099593ef2ffdb4b694c81Oracle Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'. This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack can be leveraged to disclose files, cause a denial of service or trigger SSRF. Versions v8u131 and below are affected.
95eeae9eabde4f8ff4be6539a758b833f6a5e74bc86b983863634a6eabcb0b56Mura CMS versions prior to 6.2 suffer from server-side request forgery and XML external entity injection vulnerabilities.
c741fa594f6ecdac9c58e2a524f6ef11f7b20005c381775459dc8b4332c6578dMicrosoft Windows Game Definition File Editor (GDFMaker) version 6.3.9600.16384 suffers from an XML external entity injection vulnerability.
10f87d3d1b9071caa4665070b4aa0e2d5a5dea176d6602bf53f8a85c7ceff9c0Apache Solar version 7.0.1 suffers from XML external entity injection and remote code execution vulnerabilities.
329a2e9c8a0283ae00e021c2cda2241153ca88f96329701ff8bb3b1e24590293Lansweeper version 6.0.100.29 suffers from an XML external entity injection vulnerability.
ca71842cb4e74173030f211999d389dfe2a9a3c19eef8bf22a35b124a45d5cc4OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from an XML external entity injection vulnerability.
cb063feea8c14d949fd64fa4cffed3d0e978d0cfdea136ab6e161807cb366f78OpenText Documentum Administrator version 7.2.0180.0055 and Documentum Webtop version 6.8.0160.0073 suffer from XML external entity injection vulnerabilities.
9447f70c1cfba534cf62cd68923f8cb3c42fb6f8ccf56f0f659927fcf0c4317eIBM Infosphere Information Server / Datastage versions 9.1, 11.3, and 11.5 (including Cloud version 11.5) suffer from bypass, XML external entity injection, DLL side loading, and various other vulnerabilities.
ea53053471a3eeb44443432b6095afa188583cf9617704a2e1f792491a59b12aOSCI-Transport library version 1.2 for German e-Government suffers from padding oracle, signature wrapping, and XML external entity injection vulnerabilities.
e836d90008122100e3bb9c8d79986aeef8cdb8cc46a5f5f505ce7a6396d60f8eCisco Prime Infrastructure versions 1.1 through 3.1.6 suffer from cross site scripting, XML external entity injection, file disclosure, and remote SQL injection vulnerabilities.
b99dc34bb1d4f4d0e0a2ab8dce19e42ad7671744eb78f870180c5ae19b9036d4Subsonic 6.1.1 import playlist feature is susceptible to an XML External Entity attack via import of a malicious .XSPF playlist file.
1785d67006592ca1aebed74e108868e2aadc2c36f565e3ed4e6a0527106e6ae0Trend Micro Deep Security version 6.5 suffers from XML external entity injection, local privilege escalation, and remote code execution vulnerabilities.
7734e239114061512b4ac1ebb3b04a639de98f84e9b038a1c584b34f794fd8ce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed