953 matches found

Prion
added 2022/11/12 12:15 a.m. · 20 views

Design/Logic Flaw

CBRN-Analysis before 22 allows XXE attacks via an mws XML document, leading to NTLMv2-SSP hash disclosure...

CVSS 4.3 · AI score 4.8 · EPSS 0.00217
Exploits: 0 · References: 1 · Affected Software: 1
Positive Technologies
added 2022/11/11 12:0 a.m. · 2 views

PT-2022-27424 · Unknown · Cbrn-Analysis

Name of the Vulnerable Software and Affected Versions: CBRN-Analysis versions prior to 22 Description: The issue allows XXE attacks via an XML document, leading to NTLMv2-SSP hash disclosure. This occurs when processing a malicious XML document. Recommendations: For versions prior to 22, update t...

CVSS 4.7 · AI score 4.5 · EPSS 0.00217
Exploits: 0 · References: 4
CVE
added 2022/11/11 12:0 a.m. · 52 views

CVE-2022-45194

CVE-2022-45194 describes XXE abuse in CBRN-Analysis prior to version 22 via an mws XML document, leading to NTLMv2-SSP hash disclosure. Connected sources confirm affected software (CBRN-Analysis) and root cause (external entity processing in XML). The PT-2022-27424 advisory explicitly recommen...

CVSS 4.7 · AI score 4.7 · EPSS 0.00217
Exploits: 0 · References: 1 · Affected Software: 1
Vulnrichment
added 2022/11/11 12:0 a.m. · 5 views

CVE-2022-45194

CBRN-Analysis before 22 allows XXE attacks via an mws XML document, leading to NTLMv2-SSP hash disclosure...

CVSS 3.8 · AI score 4.8 · EPSS 0.00217
Exploits: 0 · References: 1
CNNVD
added 2022/11/02 12:0 a.m. · 1 views

XMLDOM Input Validation Error Vulnerability

XMLDOM is a JavaScript implementation of the W3C DOM for Node by the individual developer jindw. A security vulnerability exists in XMLDOM, which stems from the fact that xmldom contains multiple top-level elements and adds all root nodes to the "childNodes" collection of "Document" without...

CVSS 9.8 · AI score 8.2 · EPSS 0.0102
Exploits: 1 · References: 7
Tenable Nessus
added 2022/11/02 12:0 a.m. · 39 views

EulerOS 2.0 SP10 : golang (EulerOS-SA-2022-2683)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request...

CVSS 7.5 · AI score 7.3 · EPSS 0.00182
Exploits: 7 · References: 14
Tenable Nessus
added 2022/10/21 12:0 a.m. · 37 views

Amazon Linux 2 : golang-github-godbus-dbus (ALAS-2022-1858)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1858 advisory. 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A flaw was found in golang. The HTTP/1 client accepted invalid...

CVSS 9.3 · AI score 7.2 · EPSS 0.00963
Exploits: 7 · References: 32
Veracode
added 2022/10/19 2:12 a.m. · 36 views

Denial Of Service (DoS)

libxml2 is vulnerable to denial of service (DoS) attacks. A malicious user is able to cause an integer overflow leading to a segmentation fault through a multi-gigabyte XML document when the XML_PARSE_HUGE parser option is enabled, causing the application to crash...

CVSS 7.5 · AI score 7.6 · EPSS 0.0023
Exploits: 2 · References: 19 · Affected Software: 3
Tenable Nessus
added 2022/10/08 12:0 a.m. · 39 views

EulerOS 2.0 SP5 : golang (EulerOS-SA-2022-2439)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack...

CVSS 7.5 · AI score 7.1 · EPSS 0.00074
Exploits: 2 · References: 4
Zero Day Initiative
added 2022/08/23 12:0 a.m. · 33 views

AVEVA Edge LoadImportedLibraries XML External Entity Processing Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...

CVSS 5.5 · AI score 2.9 · EPSS 0.02599
Exploits: 0 · References: 1
NVD
added 2022/08/10 8:15 p.m. · 24 views

CVE-2022-30633

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag...

CVSS 7.5 · EPSS 0.0013
Exploits: 0 · References: 5
OSV
added 2022/08/10 8:15 p.m. · 23 views

CVE-2022-30633

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag...

CVSS 7.5 · AI score 7.4
Exploits: 0 · References: 5
NVD
added 2022/08/10 8:15 p.m. · 19 views

CVE-2022-28131

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document...

CVSS 7.5 · EPSS 0.00026
Exploits: 0 · References: 5
Prion
added 2022/08/10 8:15 p.m. · 20 views

Code injection

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag...

CVSS 5 · AI score 7.5 · EPSS 0.0013
Exploits: 0 · References: 5 · Affected Software: 1
UbuntuCve
added 2022/08/10 8:15 p.m. · 38 views

CVE-2022-28131

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document...

CVSS 7.5 · AI score 6.8 · EPSS 0.00026
Exploits: 0 · References: 4
CVE
added 2022/08/09 8:16 p.m. · 374 views

CVE-2022-30633

The CVE-2022-30633 incident affects Go's encoding/xml package: Unmarshal can panic due to stack exhaustion when unmarshalling XML into a struct with nested fields using the any tag, in Go versions prior to 1.17.12 and 1.18.4. The published advisories (including ALAS2023-2023-046, ALAS2023-2023-04...

CVSS 7.5 · AI score 7.7 · EPSS 0.0013
Exploits: 0 · References: 5 · Affected Software: 1
AlpineLinux
added 2022/08/09 12:0 a.m. · 29 views

CVE-2022-28131

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document...

CVSS 7.5 · AI score 7.8 · EPSS 0.00026
Exploits: 0
Debian CVE
added 2022/08/09 12:0 a.m. · 49 views

CVE-2022-28131

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document...

CVSS 7.5 · AI score 7.5 · EPSS 0.00026
Exploits: 0
CVE
added 2022/08/09 12:0 a.m. · 400 views

CVE-2022-28131

CVE-2022-28131: Uncontrolled recursion in Decoder.Skip in encoding/xml can panic due to stack exhaustion when parsing deeply nested XML. Affected: Go's encoding/xml package. Root cause: recursion while skipping nested XML elements. Impact: potential denial of service via panic/availability loss. ...

CVSS 7.5 · AI score 7.7 · EPSS 0.00026
Exploits: 0 · References: 5 · Affected Software: 1
Positive Technologies
added 2022/07/27 12:0 a.m. · 4 views

PT-2022-11609 · Unknown · Visam Vbase

Name of the Vulnerable Software and Affected Versions: VISAM VBASE version 11.6.0.6 Description: The issue arises when VISAM VBASE processes an XML document containing XML entities with URIs that resolve to documents outside of the intended sphere of control. This causes the product to embed...

CVSS 7.5 · AI score 7.8 · EPSS 0.00189
Exploits: 0 · References: 3