The Ubiquiti Networks web application suffered from an XXE injection vulnerability.
d645f5c22a117c00797ef6ddd30973f63867c5fa0aab82f98789a422cbf5aa34
Mobile Security Framework (MobSF) is an all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK and IPA) and zipped source code. MobSF can also do Web API security testing with its API Fuzzer, which performs information gathering, analyzes security headers, and identifies mobile-API-specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to session management and API rate limiting.
215db863dcdeca863fb174fd724d9d0cdd0c4653f30eb69dab71e49afcaeda6c
Hippo CMS version 10.1 suffers from an XML External Entity information disclosure vulnerability.
c467cf5987ff04b0981c61e79fceeeafe5e7597ea26c5cfec1e21868b1dd6c71
Red Hat Security Advisory 2016-0041-01 - Red Hat JBoss BRMS is a business-rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. This release of Red Hat JBoss BRMS 6.1.5 serves as a replacement for Red Hat JBoss BRMS 6.1.2, and includes bug fixes and enhancements that are documented in the README.txt file included with the patch files. The following security issue is also fixed with this release: It was found that batik was vulnerable to XML External Entity attacks when parsing SVG files. A remote attacker able to send malicious SVG content to the affected server could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
ecf50ed6b27bd5cb65f243cf38a699b302292ed4b30ec06c24b2a7e8a36ce9ac
Red Hat Security Advisory 2016-0042-01 - Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.1.5 serves as a replacement for Red Hat JBoss BPM Suite 6.1.2, and includes bug fixes and enhancements, which are documented in the README.txt file included with the patch files. The following security issue is also fixed with this release: It was found that batik was vulnerable to XML External Entity attacks when parsing SVG files. A remote attacker able to send malicious SVG content to the affected server could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
44ac4683b3f4026f361e4266c427d6d4681a4e87c9c31c5b5815e0a422ee0fca
PyAMF suffers from insufficient AMF input payload sanitization which results in the XML parser not preventing the processing of XML external entities (XXE). A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger denial of service (DoS) conditions or arbitrarily return the contents of files that are accessible with the running application privileges. Versions 0.7.2 and below are affected.
939e9f52f635c72d8bc7877b8213d3c23d28d84296a37c4314ff4368f14040f1
OpenMRS version 2.3 (1.11.4) suffers from an XML external entity processing vulnerability. The vulnerability is caused due to an error when parsing XML entities within ZIP archives and can be exploited to e.g. disclose data from local resources or cause a DoS condition (billion laughs) via a specially crafted XML file including external entity references.
070b2c30afd808c338b88609b0c09df9664f1cb7251179abf50e418c628aac90
Aethra SV2242E suffers from an XML external entity injection vulnerability.
f6e1dff459b1b34ead7aedcf8cec0f90b77dec9084aca725feca07e6529faf74
SAP Sybase Adaptive Server Enterprise suffers from an XXE injection vulnerability.
eefc985f29a3508ca13dea522b15ac3c29c4c59a97887c2cc3fc596ee310c5aa
SAP Mobile Platform version 2.3 suffers from an XML external entity injection vulnerability.
763ac979871c176d5a9e6b1f185a1e6109b4d7b5f4517066de0a8a2a92f8f153
SAP NetWeaver version 7.4 suffers from an XML external entity injection vulnerability.
b5a92464ff47c770ab76479c835e0239d3e5db4770ef988ae3b50741e8e7356c
Google AdWords API PHP client library versions 6.2.0 and below suffer from an XML eXternal Entity injection vulnerability.
6c9916344ebaa174cf5f48cf521868ab0c1c4407426a74e9439a33f3fc409164
Milton Webdav version 2.7.0.1 suffers from an XXE injection vulnerability.
46b29fcbd281a787022982aa5892c003ff7312833ef3f70e1d8febb584ffcc1a
eBay Magento CE versions 1.9.2.1 and below and eBay Magento EE versions 1.14.2.1 and below suffer from an XXE injection vulnerability.
08393363d6670e33368d62daac52944168d2958ae3fd00c5baedaa4999a731b3
Oracle E-Business Suite version 12.1.3 suffers from an XXE injection vulnerability in the /OA_HTML/oramipp_lpr servlet.
de8ff071f7c958b91bd1cfd996007fd7b0ecb3dec217f9ae5e66e3d96ad27826
Oracle E-Business Suite version 12.1.3 suffers from an XXE injection vulnerability in the /OA_HTML/IspPunchInServlet servlet.
6fb7e76643fd36ba0f6358346bf6ca64dbdedb6d5bcb98f6fd505aead1f86292
Oracle E-Business Suite version 12.1.3 suffers from an XXE injection vulnerability in the /OA_HTML/copxml servlet.
64f773023ff0e889e6870ab0b5f1dc0367b44615f3ae94952e1f839c93009706
The Bosch Security Systems Dinion NBN-498 web interface suffers from an XML injection vulnerability.
a12d29591883d284d568f0ad1d6260eb088acdb48fe2604e353eb253983126e0
SAP Netweaver versions prior to 7.01 suffer from an XXE injection vulnerability.
987e7fdca3ec106a0a0d7d54210c112384477f102eb17692cff33e9a889a6a56
SAP NetWeaver AS Java version 7.4 suffers from multiple XXE vulnerabilities. An attacker can read an arbitrary file on a server by sending a correct XML request with a crafted DTD and reading the response from the service. An attacker can perform a DoS attack (for example, XML Entity Expansion). An SMB Relay attack is a type of Man-in-the-Middle attack where the attacker asks the victim to authenticate into a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways and gets access.
02e1d0a4e09aea20fa9d257a9bab83f794b1d6fbe455cfe78e609b89f08f57bd
The Qlikview platform is vulnerable to XML External Entity (XXE) vulnerabilities. More specifically, the platform is susceptible to DTD parameter injections, which are also "blind" as the server feeds back no visual response. These vulnerabilities can be exploited to force Server Side Request Forgeries (SSRF) in multiple protocols, as well as reading and extracting arbitrary files on the server directly. Version 11.20 SR4 is vulnerable.
a5ff2a5356848862e8dae59e2e7566e7cec347863f2849477e43814c9500de31
EMC Atmos is affected by an XML eXternal Entity (XXE) injection vulnerability due to the configuration of the XML parser shipped with the product. An XXE injection attack may occur when XML input containing a reference to an external entity is processed by an affected XML parser. XXE injection might allow attackers to gain unauthorized access to files containing sensitive information or might be used to cause denial of service.
79c60afb2e7da3e86b0c5b23c6697b2aca1590bf50e05cab1ddeb39c9963b319
Debian Linux Security Advisory 3340-1 - Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data.
23d6416156f37ab76976ca96977e08ed7c0c6841cde302f768e47b512c50093f
SAP NetWeaver AS Java version 7.4 suffers from an XXE injection vulnerability. Related CVE Number: CVE-2015-4091.
6cfc59352a8bee96dd51e5b8172b86529f4d78b89fc4d04fbb33af78e0cd1d52
Zend Framework versions 2.4.2 and below and 1.12.13 and below suffer from an XML external entity injection vulnerability.
cccb5dc964df6b506118b1a8ca7240bbdddcf7b3aded48bd2c1c454e40f791da