wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl
A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This iss...
CVE-2019-14984
eQ-3 Homematic CCU2 and CCU3 with the XML-API AddOn through 1.2.0 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request...
CVE-2019-14984
CVE-2019-14984 affects eQ-3 Homematic CCU2/CCU3 when the XML-API AddOn is installed up to version 1.2.0. The undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request, enabling Remote Code Execution by unauthenticated attackers who have access to the web int...
CVE-2017-18478
In cPanel before 62.0.4, incorrect ACL checks could occur in xml-api for Rearrange Account actions (SEC-207)...
CVE-2017-18478
Affected software: cPanel prior to 62.0.4. Vulnerability: incorrect ACL checks in xml-api for Rearrange Account actions, caused by an ACL bypass issue. Impact: potential improper access control. Mitigation: upgrade to 62.0.4 or later (as cited by cPanel and related CVE records). Notes: the connec...
Information disclosure
Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API in PAN-OS and...
Information Disclosure in PAN-OS Management API Usage
An Information Disclosure vulnerability exists in PAN-OS Management API usage (Ref: PAN-107239 and PAN-118869 / CVE-2019-1575). Successful exploitation may allow for an authenticated user with read-only privileges to extract the API key of the device and the username/password from the XML API in PAN-...
CVE-2019-1720
A vulnerability in the XML API of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to cause the CPU to increase to 100% utilization, causing a denial of service (DoS) condition on an affected system. The vulnerability is due...
CVE-2019-1720 Cisco Expressway Series and Cisco TelePresence Video Communication Server Denial of Service Vulnerability
A vulnerability in the XML API of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to cause the CPU to increase to 100% utilization, causing a denial of service (DoS) condition on an affected system. The vulnerability is due...
CVE-2019-1720
Summary: Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) expose a denial-of-service vulnerability via their XML API. An authenticated remote attacker can send a crafted XML payload to trigger CPU resource exhaustion, causing DoS. Affected versions: all before X12.5...
Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 2 (VA MN: 7.0.2-403, VA Agent: 7.0.2-189)
This hotfix for Virtuozzo Automator 7.0.2 provides stability and usability bug fixes. Vulnerability id: PVA-37045: The Management Node did not recognize a bonded network during VLAN creation. Vulnerability id: PVA-37041: Could not create a virtual network for a VLAN created by the Virtuozzo installer...
OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508...
OpenJDK: missing entity replacement limits (JAXP, 8149962)
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500...