Open-Xchange versions 7.6.0 and below suffer from absolute path traversal, server-side request forgery, XXE injection, and cross site scripting vulnerabilities.
a67a92350a6eb49fcfcd83bb5f4009ea48632c5c129805bdc644ed7b80ed0a6b
JobScheduler versions prior to 1.7.4241 suffer from an XML external entity injection vulnerability.
40fe0246e1c67d5e7933e033572c8b33f807c11ecad0185a3406b997503ac03f
Red Hat Security Advisory 2014-1040-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
c84f2ca607c16d6e752c066398ee8786761d415d970c03caeb98cbd795ed9347
Red Hat Security Advisory 2014-1039-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
f3cdf1e9d78876065cfd5fdcf939ee9388ca8b23e3255cd79aa82c3e0053cdea
Red Hat Security Advisory 2014-1038-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.
220eef9b77e8329c308283833debe085021b4510cef9b147d1800c2590e7f7da
Red Hat Security Advisory 2014-1034-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors, and tag plug-in configuration files. The injected XML parser could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance.
3e502c379842f949aa84688ae16c32c5acda8edbb9f220f665768110cbd1d22b
Red Hat Security Advisory 2014-1011-01 - RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
fd5e845e27a0bd0fd5a26827ee1c0e892426a3af40340919597f9b721ede0dfc
This is a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.
2a7816d21a64e47351a2d07b9a62e0b2608e025ddb24e5a5ec4f745d5b82bbfb
Red Hat Security Advisory 2014-0898-01 - Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
18741ed083fd88bef12746d5d7cb90c7633e1bbdee424711f7b3da2352532b3c
Red Hat Security Advisory 2014-0897-01 - Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
80ff770a940677ba6ce6e5fd9f188c8b53262afdde5337e1bd2d8f9c30bc6b65
Red Hat Security Advisory 2014-0886-00 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
d3ca816758feba4cd5d87e779e2f7d1863ed3a7afb7b0768d0234ca5c12c0450
Red Hat Security Advisory 2014-0885-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
51e15bfe75d2d06eb17bd6b555217230ed6465d0220e45b26aff8848ef26cef7
Red Hat Security Advisory 2014-0884-00 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
824d19e24f381d4ffe663420e89fb27d7908ea0e5208c070a8564134a5a86b3c
Red Hat Security Advisory 2014-0883-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
2a52eb55391b6c8b922ce725eb855c7602647d799b5051376c79b0094d829e69
EMC DFS may be vulnerable to XXE vulnerability due to the way the JAXB XML parser handles the incoming XML from an authenticated user. This can be potentially leveraged by a malicious authenticated user to inject malicious data in the XML and retrieve information from sensitive files on the system. This may also be potentially leveraged to affect the integrity and availability of the system.
d1e1a73d1d637c161e05f25a631264752ec6586523f72bf2a11e1e625939b20d
Red Hat Security Advisory 2014-0814-01 - The Red Hat Enterprise Virtualization Manager is a centralized management platform that allows system administrators to view and manage virtual machines. It was found that the ovirt-engine REST API resolved entities in XML API calls. A remote attacker with credentials to call the ovirt-engine REST API could use this flaw to read files accessible to the user running the ovirt-engine JBoss server, and potentially perform other more advanced XXE attacks.
05adc95783f571a217ffe1d911df66b509c35fc597481b598054f42f53193008
HP Enterprise Maps version 1.00 suffers from an authenticated XXE injection vulnerability.
49cac9392e67761747314562b60d157df35c9cc117dcad5865d91f95214595b0
SugarCRM versions 6.5.16 and below suffer from an XML external entity attack vulnerability.
75ac9dbf751b5a7e72f7c1007cb231586a2d7bdca087f2e5353448d2f0bdd326
Zabbix versions 1.8.x through 2.2.x suffer from an XML external entity attack vulnerability.
58c8a52d7fba50ef0b5bff2b0868272d62ff90398c6d604f69d6a653058e7dcd
This is a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.
4e08b55a546faeff41068928bc3ca50a97d8ac5d5ac1c90754d365538b92d25d
Plesk versions 10.4.4 and 11.0.9 XXE injection exploit.
a888af2afa6a4a2e8c49d9d0384d86c3420acad12ed0440f2a3ebf119774860e
Castor Library version 1.3.3-RC1 suffers from a file disclosure vulnerability via XXE injection.
c745856a0985244400e7849e695d5c5af94674a689876f8d473e189ed7ba90ca
In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XMl parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.5, Apache Tomcat 7.0.0 to 7.0.53, and Apache Tomcat 6.0.0 to 6.0.39.
b71018c17fe31cadd9009eec7e6aa8baac5fe8224526001717dfff63d30296e6
Red Hat Security Advisory 2014-0513-01 - The libxml2 library is a development toolbox providing the implementation of various XML standards. It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity attacks, possibly resulting in a denial of service or an information leak on the system. An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to crash.
3d551b6c132f55a4510bfa07d62cbc76c5971974060b32e4b1e88be27977c857
This Metasploit module takes advantage of three separate vulnerabilities in order to read an arbitrary text file from the file system with the privileges of the web server. You must be authenticated, but can be unprivileged since a privilege escalation vulnerability is used. Tested against HP Release Control 9.20.0000, Build 395 installed with demo data. The first vulnerability allows an unprivileged authenticated user to list the current users, their IDs, and even their password hashes. Can't login with hashes, but the ID is useful in the second vulnerability. When a user changes their password, they post the ID of the user who is going to have their password changed. Just replace it with the admin ID and you change the admin password. You are now admin. The third vulnerability is an XXE in the dashboard XML import mechanism. This is what allows you to read the file from the file system. This Metasploit module is super ghetto half because it was an AMF application, half because I worked on it longer than I wanted to.
32678ccb2a4454a4f3176a572bfd08436712de26dce1cdfb8b2986d281d3c14e