24 matches found

Veracode
added 2025/12/13 4:29 a.m.

XML External Entity (XXE) Injection

cyclonedx-core-java is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to an insecurely configured XML Validator, where external entity processing was not fully disabled during XML validation, allowing attackers to supply a crafted CycloneDX XML BOM that triggers externa...

CVSS 7.5 · AI score 5.5 · EPSS 0.00051
Exploits: 0 · References: 3 · Affected software: 1
Redhat CVE
added 2025/11/12 2:03 p.m.

CVE-2025-64518

An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library's XML validation step, where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM XML is validated, external XML entities can be processed (XXE), allowing an attacker to...

CVSS 7.5 · AI score 7.2 · EPSS 0.00061
Exploits: 0 · References: 8
NVD
added 2025/11/10 10:15 p.m.

CVE-2025-64518

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library...

CVSS 7.5 · EPSS 0.00051
Exploits: 0 · References: 5
CNNVD
added 2025/11/10 12:00 a.m.

CycloneDX Core Code Issue Vulnerability

CycloneDX Core is an open-source aid, based on the CycloneDX BOM standard, for creating SBOM applications. A code issue vulnerability exists in CycloneDX Core versions prior to 11.0.1 that stems from an insecure configuration of the XML Validator, which could lead to an XML external entity injection attack...

CVSS 7.5 · AI score 6.9 · EPSS 0.00051
Exploits: 0 · References: 5
Positive Technologies
added 2025/11/10 12:00 a.m.

PT-2025-46213

Name of the Vulnerable Software and Affected Versions: CycloneDX versions 2.1.0 through 11.0.1. Description: The CycloneDX core module, used for creating, validating, and parsing SBOMs, contains a flaw due to an insecurely configured XML Validator. This allows for XML External Entity (XXE) injection...

CVSS 7.5 · AI score 6.7 · EPSS 0.00051
Exploits: 0 · References: 15
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2016-8828

Malware in sbrugna...

CVSS 8.8 · AI score 8.6 · EPSS 0.00554
Exploits: 4 · References: 11
Positive Technologies
added 2024/05/28 12:00 a.m.

PT-2024-40273 · Unknown · Simplesamlphp

Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp versions prior to 1.14.17. Description: A signature validation bypass issue has been found in the SimpleSAML XML Validator class, which performs the verification of the XML digital signature of a SAML 1 message with a given key...

AI score 7.3
Exploits: 0 · References: 5
NVD
added 2024/05/14 3:38 p.m.

CVE-2024-34345

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External Entity injections were possible when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...

CVSS 8.1 · AI score 8.2 · EPSS 0.00081
Exploits: 0 · References: 3
OSV
added 2024/05/09 2:56 p.m.

CVE-2024-34345 @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External Entity injections were possible when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...

CVSS 8.1 · AI score 8 · EPSS 0.00081
Exploits: 0 · References: 5
GitHub Security Blog
added 2024/05/08 7:55 p.m.

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact: XML External Entity injections could be possible when running the provided XML Validator on arbitrary input. POC (js): const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library'); const version = Version.v1dot5; const validator = new XmlValidator(version); const inpu...

CVSS 8.1 · AI score 7.5 · EPSS 0.00081
Exploits: 0 · References: 5 · Affected software: 1
OpenVAS
added 2024/03/08 12:00 a.m.

Fedora: Security Advisory for msv (FEDORA-2024-129d8ca6fc)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 8.8 · AI score 9.2 · EPSS 0.46427
Exploits: 3 · References: 2
NVD
added 2020/04/17 8:15 p.m.

CVE-2020-11885

WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user with admin console access can use the XML validator to make unintended network invocations (such as SSRF) via an uploaded file...

CVSS 7.2 · AI score 5.1 · EPSS 0.00394
Exploits: 0 · References: 1
Prion
added 2020/04/17 8:15 p.m.

Design/Logic Flaw

WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user with admin console access can use the XML validator to make unintended network invocations (such as SSRF) via an uploaded file...

CVSS 6.5 · AI score 6.9 · EPSS 0.00394
Exploits: 0 · References: 1 · Affected software: 1
OSV
added 2018/10/17 4:20 p.m.

GHSA-QH3M-QW6V-QVHG Moderate severity vulnerability that affects io.vertx:vertx-core

In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This mechanism is used exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema...

CVSS 9.8 · AI score 5.9 · EPSS 0.00587
Exploits: 0 · References: 7
Prion
added 2018/10/10 8:29 p.m.

Design/Logic Flaw

In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This mechanism is used exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema...

CVSS 7.5 · AI score 9.4 · EPSS 0.00587
Exploits: 0 · References: 4 · Affected software: 1
OSV
added 2017/02/17 2:59 a.m.

CVE-2016-9955

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

CVSS 6.3 · AI score 7.1
Exploits: 0 · References: 3
OSV
added 2017/02/17 2:59 a.m.

DEBIAN-CVE-2016-9955

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

CVSS 6.3 · AI score 7 · EPSS 0.0041
Exploits: 0 · References: 1
Debian CVE
added 2017/02/16 6:00 p.m.

CVE-2016-9955

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

CVSS 6.3 · AI score 6.7 · EPSS 0.0041
Exploits: 0
Prion
added 2017/01/18 5:59 p.m.

Cross-site request forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in ecrire/exec/validerxml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted validerxml request. NOTE: this issue can be combin...

CVSS 6.8 · AI score 8.9 · EPSS 0.23155
Exploits: 8 · References: 8 · Affected software: 1
OSV
added 2017/01/18 5:59 p.m.

CVE-2016-7980

Cross-site request forgery (CSRF) vulnerability in ecrire/exec/validerxml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted validerxml request. NOTE: this issue can be combin...

CVSS 8.8 · AI score 9 · EPSS 0.00554
Exploits: 4 · References: 8