98 matches found
CVE-2024-3572
The scrapy/scrapy project is vulnerable to XML External Entity XXE attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, ...
Ubuntu 24.10 : libxml2 vulnerability (USN-7215-1)
The remote Ubuntu 24.10 host has packages installed that are affected by a vulnerability as referenced in the USN-7215-1 advisory. Xisco Fauli discovered that libxml2 incorrectly handled custom SAX handlers. A remote attacker could possibly use this issue to perform XML External Entity XXE attack...
RHEL 6 : pki-core (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access...
CVE-2024-3572 XML External Entity (XXE) Vulnerability in scrapy/scrapy
The scrapy/scrapy project is vulnerable to XML External Entity XXE attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, ...
Jenkins Nexus Platform Plugin missing permission check
Jenkins Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. Additionally, the plugin does not...
CVE-2023-37497 An XML External Entity (XXE) Injection Vulnerability affects HCL Unica Platform
The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks XXE against the backend service...
CVE-2022-41221
The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client Versions 16.2.3, 21.2, and older versions could upload XML files to the application that it did not sufficiently validate. As a result,...
CVE-2023-26264
All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity XXE attacks in the license parsing code...
RHEL 8 : pki-core:10.6 (RHSA-2023:1747)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:1747 advisory. The Public Key Infrastructure PKI Core contains fundamental packages required by Red Hat Certificate System. Security Fixes: pki-core: access to...
Jenkins remote-jobs-view-plugin vulnerable to XML external entity attacks
Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secret...
CVE-2023-28681
Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
PT-2023-21901 · Jenkins · Jenkins Performance Publisher Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Performance Publisher Plugin versions 8.09 and earlier Description: The issue is related to the XML parser not being configured to prevent XML external entity XXE attacks. This allows attackers who can control PerfPublisher report fil...
CVE-2023-28685
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
Xxe
Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity XXE attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML SNAPSHOT versions are being resolved...
CVE-2022-46682
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
CVE-2022-45400
Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
Xxe
Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
Xxe
Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
CVE-2022-45397
Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
CVE-2022-45396
Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...