953 matches found

Prion
added 2020/09/17 7:15 p.m. | 10 views

Design/Logic Flaw

yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document...

CVSS 7.5 | AI score 9.4 | EPSS 0.00492
Exploits 0 | References 2 | Affected Software 1

Zero Day Initiative
added 2020/09/08 12:0 a.m. | 26 views

NEC ExpressCluster ApplyConfig XML External Entity Processing Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ExpressCluster. Authentication is not required to exploit this vulnerability. The specific flaw exists within the clpwebmc executable. Due to the improper restriction of XML External Enti...

CVSS 7.5 | AI score 3 | EPSS 0.14793
Exploits 0 | References 1

OpenVAS
added 2020/08/31 12:0 a.m. | 22 views

Huawei EulerOS: Security Advisory for qt (EulerOS-SA-2020-1881)

The remote host is missing an update for the Huawei EulerOS...

CVSS 8.8 | AI score 9.5 | EPSS 0.02305
Exploits 0 | References 2

OSV
added 2020/07/31 11:25 p.m. | 7 views

MGASA-2020-0296 Updated xerces-c packages fix security vulnerability

A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially...

CVSS 8.1 | AI score 8.2 | EPSS 0.04171
Exploits 0 | References 3

Veracode
added 2020/07/10 7:44 a.m. | 9 views

XML External Entity (XXE)

everrest-core is vulnerable to XML external entity (XXE) attacks. The external DTDs are not disabled by default, allowing an attacker to submit a malicious XML document to perform requests on behalf of the server or read system files...

AI score 2.8
Exploits 0

Veracode
added 2020/05/10 11:23 p.m. | 27 views

Denial Of Service (DoS)

libxml2 is vulnerable to denial of service (DoS). The vulnerability exists when used in recover mode and allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option whic...

CVSS 4.7 | AI score 4.6 | EPSS 0.03505
Exploits 0 | References 6 | Affected Software 1

OSV
added 2020/05/08 10:57 a.m. | 4 views

MGASA-2020-0204 Updated qt4 packages fix security vulnerabilities

Updated qt4 packages fix security vulnerabilities: A double-free or corruption during parsing of a specially crafted illegal XML document (CVE-2018-15518). A malformed SVG image could cause a segmentation fault in qsvghandler.cpp (CVE-2018-19869). A malformed GIF image might have caused a NULL pointe...

CVSS 9.8 | AI score 8.4 | EPSS 0.04651
Exploits 0 | References 3

Tenable Nessus
added 2020/04/24 12:0 a.m. | 33 views

Amazon Linux 2 : xerces-c (ALAS-2020-1415)

The version of xerces-c installed on the remote host is prior to 3.1.1-10. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2020-1415 advisory. A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that...

CVSS 8.1 | AI score 7.9 | EPSS 0.04171
Exploits 0 | References 3

OpenVAS
added 2020/04/16 12:0 a.m. | 51 views

Huawei EulerOS: Security Advisory for python-reportlab (EulerOS-SA-2020-1428)

The remote host is missing an update for the Huawei EulerOS...

CVSS 9.8 | AI score 8.3 | EPSS 0.16839
Exploits 1 | References 2

Tenable Nessus
added 2020/04/16 12:0 a.m. | 62 views

EulerOS Virtualization 3.0.2.2 : libxml2 (EulerOS-SA-2020-1474)

According to the versions of the libxml2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of servi...

CVSS 7.5 | AI score 7.1 | EPSS 0.08565
Exploits 2 | References 5

Veracode
added 2020/04/10 12:43 a.m. | 33 views

Authorization Bypass

firefox is vulnerable to authorization bypass. The vulnerability exists as a flaw was found in the Firefox XML document loading security checks. Certain security checks were not being called when an XML document was loaded. This could possibly be leveraged later by an attacker to load certain...

CVSS 4.3 | AI score 2 | EPSS 0.01301
Exploits 0 | References 22 | Affected Software 7

IBM Security Bulletins
added 2020/03/23 8:41 p.m. | 31 views

Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by denial of service vulnerability (CVE-2014-8901)

Summary: WebSphere Message Broker and IBM Integration Bus are affected by denial of service vulnerability. Pattern matching while validating a specially crafted XML document causes XML4C to consume 100% CPU. Vulnerability Details: CVEID: CVE-2014-8901. DESCRIPTION: IBM XML4J and XML4C libraries conta...

CVSS 4 | AI score 0.7 | EPSS 0.00958
Exploits 0 | Affected Software 2

RedhatCVE
added 2020/03/15 7:36 p.m. | 27 views

CVE-2018-15518

QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document...

CVSS 8.8 | AI score 4 | EPSS 0.02305
Exploits 0 | References 2

Veracode
added 2020/03/04 1:30 a.m. | 10 views

XML External Entity (XXE)

maven-bundle-plugin is vulnerable to XML external entity (XXE) attacks. The external DTDs are not disabled by default, allowing an attacker to submit a malicious XML document to perform requests on behalf of the server or read system files...

AI score 2.8
Exploits 0

Veracode
added 2020/02/14 5:34 a.m. | 25 views

Cross-Site Scripting (XSS)

dojox is vulnerable to cross-site scripting (XSS). Insufficient XML escaping in dojox.xmpp.util.xmlEncode allows an attacker to inject and execute arbitrary JavaScript in a user's browser via a malicious XML document...

CVSS 6.1 | AI score 3.9 | EPSS 0.00243
Exploits 1 | References 5 | Affected Software 1

Tenable Nessus
added 2020/02/10 12:0 a.m. | 31 views

Amazon Linux 2 : python-reportlab (ALAS-2020-1390)

The version of python-reportlab installed on the remote host is prior to 2.5-9. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2020-1390 advisory. ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted X...

CVSS 9.8 | AI score 9 | EPSS 0.16839
Exploits 1 | References 3

Veracode
added 2020/02/04 6:6 a.m. | 8 views

Cross-Site Scripting (XSS)

erubis is vulnerable to cross-site scripting (XSS). The single quote character ' is not validated and allows a remote attacker to inject and execute arbitrary JavaScript in a user's browser via a template source and a malicious XML document...

AI score 4
Exploits 0

Veracode
added 2020/01/31 4:26 a.m. | 12 views

XML External Entity (XXE)

checkstyle is vulnerable to XML external entity attacks. The external-parameter-entities feature is not disabled by default, allowing a remote attacker to retrieve system files or perform requests on behalf of the server via a malicious XML document...

CVSS 5.3 | AI score 4.3 | EPSS 0.00488
Exploits 1 | References 4 | Affected Software 1

UbuntuCve
added 2020/01/15 7:15 p.m. | 33 views

CVE-2015-1811

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document...

CVSS 7.5 | AI score 7.2 | EPSS 0.00125
Exploits 0 | References 2

RedhatCVE
added 2020/01/07 10:38 a.m. | 82 views

CVE-2018-1311

A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially...

CVSS 8.1 | AI score 2.9 | EPSS 0.04171
Exploits 0 | References 4