2725 matches found

Tenable Nessus
added 2020/10/28 12:00 a.m. · 54 views

Amazon Linux 2 : expat (ALAS-2020-1513)

The version of expat installed on the remote host is prior to 2.1.0-12. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1513 advisory. It was discovered that the setElementTypePrefix function incorrectly extracted XML namespace prefixes. By tricking an...

CVSS 7.8 · AI score 7.7 · EPSS 0.07107
Exploits 2 · References 5
Amazon
added 2020/10/27 12:00 a.m. · 85 views

Medium: expat

Issue Overview: It was discovered that the "setElementTypePrefix" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of...

CVSS 7.8 · AI score 8.3 · EPSS 0.07107
Exploits 2
Zero Day Initiative
added 2020/10/22 12:00 a.m. · 40 views

WECON LeviStudioU XML External Entity Processing Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of WECON LeviStudioU. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...

CVSS 5.5 · AI score 2.2 · EPSS 0.01138
Exploits 0 · References 1
NVD
added 2020/10/17 8:15 p.m. · 9 views

CVE-2020-27197

TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library...

CVSS 9.8 · EPSS 0.0225
Exploits 2 · References 3
OSV
added 2020/10/17 8:15 p.m. · 3 views

CVE-2020-27197

TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library...

CVSS 9.8 · AI score 9.5
Exploits 0 · References 3
CVE
added 2020/10/17 7:19 p.m. · 97 views

CVE-2020-27197

CVE-2020-27197 affects TAXII libtaxii up to v1.1.117 and EclecticIQ OpenTAXII up to v0.2.0. The root cause is SSRF via an initial http:// substring to the parse method, even when the XML parser is configured with no_network. The vulnerability is triggered through the parse method that wraps the l...

CVSS 9.8 · AI score 9.4 · EPSS 0.0225
Exploits 2 · References 3 · Affected Software 2
Positive Technologies
added 2020/10/17 12:00 a.m. · 4 views

PT-2020-16660 · Eclecticiq +2 · Opentaxii +2

Name of the Vulnerable Software and Affected Versions: TAXII libtaxii versions 1.1.117 and earlier; EclecticIQ OpenTAXII versions 0.2.0 and earlier. Description: The issue allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser...

CVSS 9.8 · AI score 7 · EPSS 0.0225
Exploits 2 · References 14
NVD
added 2020/10/08 1:15 p.m. · 16 views

CVE-2020-2298

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 6.5 · EPSS 0.01099
Exploits 0 · References 2
Prion
added 2020/10/08 1:15 p.m. · 9 views

Xxe

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 4 · AI score 6.4 · EPSS 0.01099
Exploits 0 · References 2 · Affected Software 1
CVE
added 2020/10/08 12:40 p.m. · 62 views

CVE-2020-2298

CVE-2020-2298 affects Jenkins Nerrvana Plugin versions 1.02.06 and earlier. The root cause is that the plugin's XML parser is not configured to prevent XML external entity (XXE) attacks. Impact described across sources includes potential exposure of secrets via crafted XML data parsed by Jenkins,...

CVSS 6.5 · AI score 6.4 · EPSS 0.01099
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2020/10/08 12:40 p.m. · 16 views

CVE-2020-2298

Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

AI score 6.5 · EPSS 0.01099
Exploits 0 · References 2
OSV
added 2020/09/23 2:15 p.m. · 14 views

CVE-2020-2284

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 7.1 · AI score 6.7
Exploits 0 · References 2
NVD
added 2020/09/23 2:15 p.m. · 23 views

CVE-2020-2284

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 7.1 · EPSS 0.00877
Exploits 0 · References 2
Prion
added 2020/09/23 2:15 p.m. · 19 views

Xxe

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 5.5 · AI score 6.8 · EPSS 0.00877
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2020/09/23 1:10 p.m. · 22 views

CVE-2020-2284

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

AI score 6.9 · EPSS 0.00877
Exploits 0 · References 2
CVE
added 2020/09/23 1:10 p.m. · 68 views

CVE-2020-2284

Jenkins Liquibase Runner Plugin versions ≤ 1.4.5 are affected by an XXE vulnerability caused by an XML parser not configured to prevent external entities. This could allow an attacker to supply crafted Liquibase changesets that are parsed by Jenkins to exfiltrate secrets or enable SSRF. The issue...

CVSS 7.1 · AI score 6.8 · EPSS 0.00877
Exploits 0 · References 2 · Affected Software 1
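The two recurring defects in the entries above are (a) an XML parser left in its default, entity-resolving configuration (the Jenkins Nerrvana and Liquibase Runner plugins, dom4j) and (b) a parse routine that accepts a string and, when it begins with http://, treats it as something to fetch rather than as document content (libtaxii, even with no_network set). The following Python example is added here to show both fixes in one small wrapper; it is not code from libtaxii, OpenTAXII, the Jenkins plugins or any other project on this page. It uses only the standard-library expat binding, the wrapper name parse_untrusted and the sample documents are constructed for illustration, and the file path and example.invalid host in the samples are never actually read or contacted because the DOCTYPE is refused before any entity is resolved.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML asks for a parser feature this wrapper refuses."""


def parse_untrusted(data):
    """Parse untrusted XML bytes with DOCTYPE, external entities and
    parameter entities all refused (hypothetical wrapper, not a library API).

    Returns (elements, text): elements is a list of (tag, attrs) in document
    order, text is the concatenated character data.
    """
    # Lesson from the libtaxii entries: never hand an untrusted str to a parse
    # API that may read it as a filename or URL. Only document bytes are
    # accepted here, so "http://..." can only ever be content, never a locator.
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("pass the document as bytes; a str may be treated as a locator")

    p = expat.ParserCreate()
    p.buffer_text = True  # deliver each text node as one CharacterData call

    # Lesson from the Jenkins entries: refuse a DOCTYPE outright. With no DTD
    # there is nowhere to declare entities, so external-entity file reads and
    # SSRF as well as internal-entity expansion bombs are all off the table.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE declarations are not accepted: <!DOCTYPE %s>" % name)

    # Defence in depth: even if a DTD were somehow admitted, refuse to fetch
    # external general entities and never parse parameter entities.
    def reject_external_entity(context, base, sysid, pubid):
        raise UnsafeXml("external entity reference refused: %s" % sysid)

    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = reject_external_entity
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    elements = []
    text = []
    p.StartElementHandler = lambda tag, attrs: elements.append((tag, dict(attrs)))
    p.CharacterDataHandler = text.append
    p.Parse(bytes(data), True)
    return elements, "".join(text)


# Constructed sample inputs (not taken from any advisory on this page).
BENIGN = b"<feed><item id='1'>hello</item></feed>"

# Classic XXE: an external general entity pointing at a local file.
XXE_FILE = (
    b"<!DOCTYPE x [<!ENTITY xxe SYSTEM 'file:///etc/hostname'>]>"
    b"<feed>&xxe;</feed>"
)

# Same shape, but the entity points at a URL (the SSRF flavour).
XXE_URL = (
    b"<!DOCTYPE x [<!ENTITY xxe SYSTEM 'http://example.invalid/internal'>]>"
    b"<feed>&xxe;</feed>"
)

# No external reference at all, just nested internal entities (expansion bomb).
BOMB = (
    b"<!DOCTYPE x [<!ENTITY a 'aaaaaaaaaa'><!ENTITY b '&a;&a;&a;&a;&a;'>]>"
    b"<feed>&b;&b;&b;</feed>"
)


def classify(data):
    """Return 'ok', 'unsafe' or 'bad-input' for one sample."""
    try:
        parse_untrusted(data)
        return "ok"
    except UnsafeXml:
        return "unsafe"
    except TypeError:
        return "bad-input"


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("xxe-file", XXE_FILE), ("xxe-url", XXE_URL),
               ("bomb", BOMB), ("locator-string", "http://example.invalid/feed.xml")]
    for label, sample in samples:
        print(label, classify(sample))
```

Rejecting the DOCTYPE is the check OWASP recommends for parsers that offer it, and it is stricter than only disabling external entities: it also stops the internal-entity expansion bomb, which no "no network" setting addresses. The bytes-only signature is the cheap way to make the libtaxii class of bug impossible in a wrapper; if an API must accept both content and locators, the two cases need separate entry points rather than a prefix check on the string.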
Prion
added 2020/09/10 5:15 p.m. · 10 views

Xxe

This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster 4.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External...

CVSS 5 · AI score 7.4 · EPSS 0.73962
Exploits 0 · References 2 · Affected Software 1
Zero Day Initiative
added 2020/09/08 12:00 a.m. · 27 views

NEC ExpressCluster ApplyConfig XML External Entity Processing Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Enti...

CVSS 7.5 · AI score 3 · EPSS 0.73962
Exploits 0 · References 1
RedHat Linux
added 2020/09/07 12:58 p.m. · 1 view

dom4j: XML External Entity vulnerability in default SAX parser

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j...

CVSS 9.8 · AI score 7.2 · EPSS 0.07269
Exploits 0 · References 4
Tenable Nessus
added 2020/09/07 12:00 a.m. · 30 views

NewStart CGSL MAIN 4.05 : xerces-c Vulnerability (NS-SA-2020-0052)

The remote NewStart CGSL host, running version MAIN 4.05, has xerces-c packages installed that are affected by a vulnerability: The Apache Xerces-C 3.0.0 to 3.2.2 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the...

CVSS 8.1 · AI score 7.5 · EPSS 0.09503
Exploits 0 · References 2