92 matches found
CVE-2018-17198
CVE-2018-17198 describes a Server-Side Request Forgery (SSRF) and File Enumeration flaw in Apache Roller 5.2.1, 5.2.0 and earlier . The issue arises because the Java SAX Parser used for the XML-RPC interface allows external entities in XML DOCTYPE by default, enabling SSRF/File Enumeration even w...
mxgraph mxGraphViewImageReader.java file XML external entity vulnerability
mxGraph is a JavaScript charting library . A security vulnerability in the mxGraphViewImageReader.java file in versions prior to mxGraph 3.7.6 stems from a SAXParserFactory instance in the 'convert' function that lacks the user blocking XML external entity injection attacks with a status flag...
CVE-2016-6798
In Apache Sling, the XSS Protection API module is affected: versions before 1.0.12 use an insecure SAX parser in XSS.getValidXML(), enabling XML External Entity (XXE) attacks. This can allow attackers to read filesystem data, enable SSRF, perform port scanning behind a firewall, or cause DoS. Pub...
XML External Entity (XXE) Processing
Apache Sling XSS protection is vulnerable to XML External Entity XXE processing attacks. The library uses an insecure SAX parser to validate strings, allowing a malicious user to read sensitive data in the filesystem, conduct port-scanning behind the firewall or execute arbitrary code...
[SECURITY] Fedora 24 Update: nodejs-node-expat-2.3.11-8.fc24
Fast libexpat XML SAX parser binding for Node.js...
MGASA-2014-0556 Updated castor packages fix CVE-2014-3004
Updated castor packages fix security vulnerability: The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity XXE attacks via a crafted XML document CVE-2014-3004...
Updated castor packages fix CVE-2014-3004
Updated castor packages fix security vulnerability: The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity XXE attacks via a crafted XML document CVE-2014-3004...
CVE-2014-3004
The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity XXE attacks via a crafted XML document...
Xxe
The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity XXE attacks via a crafted XML document...
UBUNTU-CVE-2014-3004
The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity XXE attacks via a crafted XML document...
CVE-2014-3004
CVE-2014-3004 affects the Castor Library: the default configuration of the Xerces SAX Parser in Castor prior to version 1.3.3 allows XML External Entity (XXE) processing via crafted XML, enabling context-dependent attackers to disclose sensitive information. The issue is mitigated by upgrading Ca...
Apache XML-RPC信息泄露漏洞
Apache XML-RPC是一种Java语言的XML-RPC协议实现。 Apache XML-RPC的实现上存在设计问题,远程攻击者可能利用来从服务端获取敏感信息。 Apache XML-RPC的SAX解析器允许包含外部资源,恶意客户端可能利用这个机制把服务器上资源包含进来。 Apache Group Apache XML-RPC 3.x Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://ws.apache.org/xmlrpc/changes-report.htmla3.1.3...