51 matches found
CVE-2021-27931
LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service...
Atlassian Confluence 7.13 < 9.2.11 / 9.3.1 < 10.1.0 (CONFSERVER-101827)
The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101827 advisory. - Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit 2.23.2 due to usage of an unsecured document build t...
EUVD-2021-24754
Malware in sbrugna...
EUVD-2025-21327
Malicious code in bioql PyPI...
Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build
Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 Java 8, 2.22.1 Java 11 or 2.23.2 Java 11, beta versions, which fix this issue...
CVE-2025-53689
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 Java 8, 2.22.1 Java 11 or 2.23.2 Java 11, beta versions, which fix this issue...
CVE-2025-53689
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 Java 8, 2.22.1 Java 11 or 2.23.2 Java 11, beta versions, which fix this issue...
CVE-2025-53689
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 Java 8, 2.22.1 Java 11 or 2.23.2 Java 11, beta versions, which fix this issue...
PT-2025-29446 · Apache +1 · Apache Jackrabbit +1
Name of the Vulnerable Software and Affected Versions: Apache Jackrabbit versions prior to 2.23.2 Description: The software contains Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core due to the use of an unsecured document build to load privileges. Recommendations: Upgrade t...
CVE-2020-9352
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the transaction parameter. NOTE: the documentation states "These tools are, by...
Exploit for Improper Restriction of XML External Entity Reference in Adobe Commerce
CVE-2024-34102 ★ Thanks to @th3gokul, Sanjaith3hacker, Chocapi...
HuTool XML parsing module has blind XXE vulnerability
A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference...
ManageEngine ADAudit Plus CVE-2022-28219
This module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060: a path traversal in the /cewolf endpoint, and a blind XXE in, to upload and execute an executable file. Module Options msf use...
ManageEngine ADAudit Plus Path Traversal / XML Injection Exploit
This Metasploit module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060. They include a path traversal in the /cewolf endpoint along with a blind XML external entity injection vulnerability to upload and execute a file. This modul...
CVE-2021-38298
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE...
Integer overflow
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE...
CVE-2021-38298
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE...
h1-ctf: CCC H1 June 2021 CTF Writeup
CTF Summary This was my first H1 CTF and I was excited to work with several others to collaborate on the CTF and find the flag. I'll write up the solution process and vulnerabilities involved in the solution: Knowledge basic of S3 operations XML External Entities and Local File Exfiltration SQL...
CVE-2021-27931
LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service...
Design/Logic Flaw
LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service...