CVE-2023-40310 Missing XML Validation vulnerability in SAP PowerDesigner Client BPMN2 import

SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. As a result, URLs of external entities in BPMN2 file, although not used, would be accessed during import. A successful attack could impact availability of SAP...

CVE-2023-3550 Stored XSS leads to privilege escalation in MediaWiki v1.40.0

Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator...

Design/Logic Flaw

The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client Versions 16.2.3, 21.2, and older versions could upload XML files to the application that it did not sufficiently validate. As a result,...

PT-2023-10823 · Unknown · Wechat Sdk

Name of the Vulnerable Software and Affected Versions: zwczou WeChat SDK Python versions 0.3.0 through 0.5.4 Description: A critical issue affects the validate/to xml function, leading to xml external entity reference. The attack may be initiated remotely. Recommendations: To address this issue,...

PT-2022-7162 · Parallels · Parallels Desktop

Name of the Vulnerable Software and Affected Versions: Parallels Desktop affected versions not specified Description: This issue allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code o...

CVE-2022-20938

A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center FMC Software could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to insufficient validation of the XML syntax when importing a...

NewStart CGSL CORE 5.04 / MAIN 5.04 : expat Multiple Vulnerabilities (NS-SA-2022-0082)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has expat packages installed that are affected by multiple vulnerabilities: - In Expat aka libexpat before 2.4.3, a left shift by 29 or more places in the storeAtts function in xmlparse.c can lead to realloc misbehavior e.g.,...

PT-2022-6146 · Cisco · Cisco Firepower Management Center

Name of the Vulnerable Software and Affected Versions: Cisco Firepower Management Center FMC Software affected versions not specified Description: A vulnerability in the module import function of the administrative interface could allow an authenticated, remote attacker to view sensitive...

Cisco Firepower Management Center 代码问题漏洞

Cisco Firepower Management Center FMC is the next generation firewall management center software from Cisco. A code issue vulnerability exists in Cisco Firepower Management Center FMC Software, which stems from insufficient XML syntax validation in the module import function of its management...

IBM MQ XXE (6613021)

The version of IBM MQ Server running on the remote host is affected by a vulnerability as referenced in the 6613021 advisory. - IBM MQ Explorer is vulnerable to an XML External Entity Injection XXE attack due to improper XML validation in the import Wizard. CVE-2022-22489 Note that Nessus has not...

Autodesk Fusion360 代码问题漏洞

Autodesk Fusion360 is a 3D CAD drawing tool from Autodesk, Inc. A code issue vulnerability exists in Autodesk Fusion360 version 2.0.12887, which arises from an application that does not adequately validate user-supplied XML input during insertion of an SVG when parsing a specially crafted SVG fil...

CVE-2022-28217

Some part of SAP NetWeaver EP Web Page Composer does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system�s Availability by...

CVE-2022-28217

Some part of SAP NetWeaver EP Web Page Composer does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system�s Availability by...

CVE-2022-28217

CVE-2022-28217 affects SAP NetWeaver (EP Web Page Composer). Multiple connected documents describe a vulnerability where an XML document from an untrusted source is not sufficiently validated, enabling unprotected XML parking at endpoints and a potential SSRF attack that could impact availability...

CVE-2022-28217

Some part of SAP NetWeaver EP Web Page Composer does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at endpoints, and a possibility to conduct SSRF attacks that could compromise system�s Availability by...

EulerOS 2.0 SP3 : expat (EulerOS-SA-2022-1716)

According to the versions of the expat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Expat aka libexpat before 2.4.3, a left shift by 29 or more places in the storeAtts function in xmlparse.c can lead to realloc misbehavior e.g...

GHSA-67Q3-GWWW-PM4G Apache OpenMeetings does not correctly validate uploaded XML documents

Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0. The issue is fixed in version 3.3.0...

Missing XML Validation in Apache Tomcat

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to 1 read arbitrary files via a crafted web application that provides an XML external entity...

Missing XML Validation in Spring Framework

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB,...

GHSA-VP63-RRCM-9MPH Missing XML Validation in Spring Framework

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB,...