Red Hat Security Advisory 2016-2822-01 - This release of Red Hat JBoss BPM Suite 6.4.0 serves as a replacement for Red Hat JBoss BPM Suite 6.3.4, and includes bug fixes and enhancements, which are documented in the Release Notes of the patch linked to in the References section. Security Fix: It was found that several XML parsers used by XStream had default settings that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
6a3f71e3995dd45560a98eb9719679794b13ea13a4d9ddd7133a684f5961eaf8Mobile Security Framework (MobSF) is an all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also do Web API Security testing with it's API Fuzzer that performs Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session Management and API Rate Limiting.
700cdd3f3460d4db512a15ccc778012b27d14b9d9019961e561b1b27ac8ed277SAP NetWeaver AS JAVA version 7.4 suffers from an XML external entity (XXE) injection vulnerability.
efd99512a1f7388c7f876065269028bfcebd3facd45d7f9528eed91a41312084CS-Cart versions 4.3.10 and below suffer from an unauthenticated XML external entity (XXE) injection vulnerability.
d055752e041a2e34fe412240fa6a2df718f958b7dee0c4a6b2350b08ba38432aRSA Enterprise Compromise Assessment Tool (ECAT) version 4.1.0.1 suffers from an XML external entity injection vulnerability.
92a6d69e452163a03f152d0c049d53dc3060863f2a2c064d3f56464a83839051Adobe ColdFusion versions 11 and below suffer from an XML external entity (XXE) injection vulnerability.
a212b04a6debb5df2b3e137824d36dd10c3fdf16684e40ee63a9ffdcf54319c3WSO2 Identity Server version 5.1.0 suffers from cross site request forgery and XML external-entity injection vulnerabilities.
2b67ca98f0434cc12c90175af14f0db46882e9896a9bf9b101257ed13ed1f676Apache POI's XLSX2CSV example suffers from an XML external entity injection vulnerability. Versions 3.13 through 3.5 are affected.
59a7590a9b5e7abbfef473d55601ecaff052c17d0b8092896f3dbb707052b67cA total of 27 vulnerabilities have been patched by Oracle. These affect eBusiness Suite R12.x and 11.5, Apex, Primavera, OBIEE, and Agile DB components. These issues include SQL injection, cross site scripting, XXE injection, SSRF, failed access controls, and more.
1653be97a06d0c2cfb3b03919f6fc2b0e26ba7129144b78467d3acbf64b1587aAn attacker can trigger an XML Entity Expansion or XML External Entity Injection. This causes the entire machine to become unresponsive until the process is terminated manually. An attacker can use this flaw to perform a denial-of-service (DoS) attack. SAP NetWeaver AS JAVA version 7.4 is affected.
00d680c67dc60d3912397c85f8496bcdaca53ce2cb060a4c8ebe9fc69b59c8a2WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 suffers from an XML external entity injection vulnerability.
d9e516d3777daf410177b4c7a8c4a54f5f7f7677f5de9b1ae66ff8fa3a81c9c2CyberPower Systems PowerPanel version 3.1.2 suffers from an unauthenticated XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack. The vulnerability is triggered when input passed to the xmlservice servlet using the ppbe.xml script is not sanitized while parsing the xml inquiry payload returned by the JAXB element translation.
1e199c3b2e15d4027ddc146e6a88a9f1ee1d3945b4ea75888dc58e63c773f41aApple Safari version 9.1.1 for Mac OS X suffers from a local XXE vulnerability when processing specially crafted SVG images. This does not work with downloaded files.
23bbd32f77e1c03ed726b6f44b84ac17454893681f3844f34b64aef3707c3454CA Technologies Support is alerting customers to multiple potential risks with CA Release Automation. Three vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information or cause a denial of service condition. CA has fixes available. The first vulnerability occurs due to the inclusion of a vulnerable 3rd party component, Open Flash Chart. A remote attacker can conduct cross-site scripting attacks The second vulnerability occurs due to insufficient verification of requests to the web server, which can lead to limited XML external entity attacks. An authenticated attacker in the local network can potentially gain sensitive information or cause a denial of service condition. The third vulnerability occurs due to insufficient verification of requests to the web interface, which leads to multiple reflected cross-site scripting vulnerabilities and one stored cross-site scripting vulnerability.
2ef5f54923997660f51cadb44ff051e243c99d18929f23a00717e9198858f0d9Debian Linux Security Advisory 3606-1 - It was discovered that pdfbox, a PDF library for Java, was susceptible to XML External Entity attacks.
61d21573a2ded453c905fe50c7f9fd46873c6e0f09de588bcfd1a066e813e554SugarCRM versions 6.5.18 CE and below suffer from a SAML authentication XML external entity vulnerability.
d8bf3667bba05f07cd81eeb7dfd0728907f68ad4f68d3142091238587292b06eSAP NetWeaver AS JAVA versions 7.1 through 7.5 suffer from an XML external entity injection vulnerability.
44897fd3de22b74e679203c9cb11f3fb82fcf5325291f376823810d3b828f093Dell OpenManager Server Administrator version 8.3 XML external entity exploit. Dell has contacted Packet Storm and has provided the following additional information: The Dell OpenManage Server Administrator (OMSA) product Linux installations has basic dependencies on the open source library libxml2. Customers using OMSA should upgrade to the latest libxml2 version 2.9.x as per the prerequisites mentioned in the installation guide on page 14 available here: http://topics-cdn.dell.com/pdf/dell-openmanage-server-administrator-v8.3_Install Guide_en-us.pdf. In general, users should use the most up-to-date versions as part of prudent computing practices.
d17fcc47a263830d3f8c7e93e9e5be745c51f553e740a9a88a4f51ea999dea0dLiferay supports OpenID login which was found to make use of a version of openid4java that is vulnerable to XML External Entity (XXE) attacks. Liferay versions 6.2.3 CE GA4 and earlier are affected.
4af9bc5284a2717eed36c719d395c99e7caa71650223cbe9e5ba3e327bfa0e63PRTG Network Monitor version 14.4.12.3282 suffers from an XML eXternal Entity expansion vulnerability.
41babc73fc9bda76f17c48714fa073370cc3e8261d71210d28b3b5a3b479575fApache PDFBox versions 1.8.0 through 1.8.11 and 2.0.0 suffer from an XML external entity injection vulnerability.
f160d0f59531b7124fd63893410f4382449ef5be4212ce0538851d88587946e3Apache Tika versions 0.10 through 1.12 suffer from an XXE injection vulnerability.
f33971406fb04b391007116a0482ffc39feb7e43a3c815760b26a24fb10693d3AfterLogic WebMail Pro ASP.NET versions prior to 6.2.7 suffer from an administrator account takeover via an XXE injection vulnerability.
285a356df0342917c10949047f0e7a8de20316652b88f7502badf4e23df2d5c3Debian Linux Security Advisory 3575-1 - It was discovered that XStream, a Java library to serialize objects to XML and back again, was susceptible to XML External Entity attacks.
af1b21075f21f469f80745cdec90abae5c25ac53e577e451d9fead725f190788Mobile Security Framework (MobSF) is an all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also do Web API Security testing with it's API Fuzzer that performs Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session Management and API Rate Limiting.
9a9189b4d7fe03495edaca2f8d76a9fbb34f18d666bd43cc24ac1ab1a8d428dd
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed