[SECURITY] Fedora 42 Update: yq-4.47.1-2.fc42

Yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties processor...

Ruby On Rails XML Processor YAML Deserialization Scanner

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ruby on Rails XML Processor YAML Deserialization Scanner', 'Description' = %q This module attempts to identify Ruby on Rails instances vulnerable...

Xxe

Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files. AppBuilder's XML processor is vulnerable to XML External Entity Processing XXE, allowing an authenticated user to upload specially...

CVE-2023-4554 XML External Entity (XXE) Processing

Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files. AppBuilder's XML processor is vulnerable to XML External Entity Processing XXE, allowing an authenticated user to upload specially...

expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns:prefix" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML...

Security Bulletin: A vulnerability in FasterXML Woodstox affects IBM Tivoli Business Service Manager (220573)

Summary FasterXML Woodstox is shipped with IBM Tivoli Business Manager 6.2.0 as part of its XML processor insfrastructure. Information about security vulnerabilities affecting FasterXML Woodstox has been published in a security bulletin. Vulnerability Details IBM X-Force ID: 220573 DESCRIPTION:...

expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns:prefix" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML...

expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns:prefix" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML...

expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns:prefix" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML...

expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution

A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences for example, from start tag names to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor...

expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns:prefix" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML...

expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns:prefix" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML...

Critical: expat

Issue Overview: A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences for example, from start tag names to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor...

Critical: expat

Issue Overview: A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences for example, from start tag names to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor...

Updated expat packages fix security vulnerability

Passing malformed 2- and 3-byte UTF-8 sequences e.g. from start tag names to the XML processing application on top of Expat can cause arbitrary damage e.g. code execution depending on how invalid UTF-8 is handled inside the XML processor; validation was not their job but Expat's. Exploits with co...

How to disable XXE processing?

In my last post I talked about XXE vulnerabilities found on popular open-source projects and more generally how to assess this type of issue. Today, I’ll talk about the different strategies to disable XXE processing. External XXE and internal entities are useful for building concise XML documents...

CVE-2019-12924

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection XXE attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all...

TufinOS 2.17 Build 1193 - XML External Entity Injection Vulnerability

Exploit for linux platform in category web applications Exploit Title: TufinOS 2.17 Build 1193 - XML External Entity Injection Exploit Author: konstantinos Alexiou Vendor: https://www.tufin.com Software Link: https://www.tufin.com/tufin-orchestration-suite/securetrack CVE: N/A Category: webapps 1...

OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: JAXP. Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network...

Semrush: XXE in Site Audit function exposing file and directory contents

Summary: The Project Site Audit function is vulnerable to XXE when parsing sitemap.xml files. Description: The Site Audit function spiders a given website and performs analysis on the discovered pages. In order to improve website spidering the URL of a sitemap.xml file can be provided. If provide...