VBASE VISAM Automation Base VBASE-Editor GestureConfigurations File Parsing XML External Entity Processing Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of VBASE VISAM Automation Base. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists withi...
Security Bulletin: IBM TRIRIGA Application Platform discloses use of Apache Xerces (CVE-2022-23437)
Summary Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document, a remote attacker could exploit this vulnerability to consume system resources for prolonged duratio...
OESA-2023-1455 firefox security update
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. Security Fixes: addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow (CVE-2022-22822). buildmodel in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an...
Security Bulletin: A vulnerability in OpenStack Swift affects IBM Storage Scale environments with the S3 capability of Object protocol enabled (CVE-2022-47950)
Summary IBM Storage Scale, shipped with OpenStack Swift, is exposed to vulnerabilities as detailed below. The exposure to this vulnerability only exists if the Object protocol has been configured with S3 enabled. Vulnerability Details CVEID: CVE-2022-47950 DESCRIPTION: OpenStack Swift could allow ...
XML External Entity (XXE) Attacks
External Monitor Job Type Plugin is vulnerable to XML External Entity (XXE) attacks. The vulnerability exists because it does not properly configure the XML parser, which allows an attacker with Item/Build permission to have it parse a crafted HTTP request with XML data, resulting in external entity (XXE)...
CVE-2023-37942
The CVE-2023-37942 entry concerns Jenkins External Monitor Job Type Plugin, specifically 206.v9a_94ff0b_4a_10 and earlier. The root cause is that the XML parser was not configured to prevent XML External Entity (XXE) attacks. Impact as described: an attacker with Item/Build permission can supply ...
CVE-2023-37942
Jenkins External Monitor Job Type Plugin 206.v9a94ff0b4a10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...
GHSA-58QW-P7QM-5RVH Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations
From the reporter: XmlParser is vulnerable to an XML external entity (XXE) vulnerability. XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a remote...
GHSA-WF8M-QR47-XC9M Jenkins AbsInt a³ Plugin XML External Entity Reference vulnerability
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control Project File (APX) contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service due to [CVE-2023-34104]
Summary Node.js module fast-xml-parser is used by IBM App Connect Enterprise Certified Container for parsing XML. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service. This bulletin provides patch...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to arbitrary code execution due to [CVE-2023-26920]
Summary Node.js module fast-xml-parser is used by IBM App Connect Enterprise Certified Container for parsing XML data. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to arbitrary code execution. This bulletin...
Debian dla-3470 : owslib-doc - security update
The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3470 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3470-1 [email protected] https://www.debian.org/lts/security/...
Prototype Pollution
fast-xml-parser is vulnerable to Prototype Pollution. This vulnerability is due to not sanitizing user input or the __proto__ field, leading to polluting the global prototype object, which can be used to mount denial of service (DoS), Remote Code Execution (RCE) and Privilege Escalation attacks...
Advisory ROSA-SA-2023-2168
Software: firefox 102.10.0 OS: rosa-server79 packageevrstring: 102.10.0-1.res7 CVE-ID: CVE-2022-40674 BDU-ID: 2023-02596 CVE-Crit: HIGH CVE-DESC: A use-after-free vulnerability in the doContent function of the xmlparse.c file of the libexpat XML parser library. Exploitation ...
Advisory ROSA-SA-2023-2166
Software: thunderbird 102.10.0 OS: rosa-server79 packageevrstring: 102.10.0-2.res7 CVE-ID: CVE-2022-40674 BDU-ID: 2023-02596 CVE-Crit: HIGH CVE-DESC: A use-after-free vulnerability in the doContent function of the xmlparse.c file of the libexpat XML parser library...
Security Bulletin: IBM Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities
Summary IBM Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details CVEID: CVE-2023-31047 DESCRIPTION: Django could allow a remote attacker to bypass security restrictions. By sending a specially-crafted request, an attacker...
@activepieces/piece-amazon-s3 (=0.0.2), @adobe/helix-admin-support (>=2.1.22 <=2.1.23) +470 more potentially affected by unknown CVE via fast-xml-parser (=4.2.4)
fast-xml-parser NPM version =4.2.4 is affected by a known vulnerability. The following packages have a transitive dependency on fast-xml-parser and may be impacted: - @activepieces/piece-amazon-s3 =0.0.2 - @adobe/helix-admin-support =2.1.22, =9.0.39, =2.1.1, =2.1.15, =1.11.158, =1.0.4-0, =1.2.39-...
Debian DSA-5426-1 : owslib - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5426 advisory. - OWSLib is a Python package for client programming with Open Geospatial Consortium OGC web service interface standards, and their related content models. OWSLib's XML...
1337-docs (>=1.0.10 <=1.0.16), 1pointfixed1 (=1.3.5) +3690 more potentially affected by CVE-2023-26920 via fast-xml-parser (>=2.3.1 <=4.1.1)
fast-xml-parser NPM version =2.3.1, =1.0.10, =2.0.0, =1.0.0, =7.0.35, =2.0.0, =1.0.0, =3.0.0-beta.0, =3.0.0-beta.0, =2.73.2, =1.6.66, =0.5.0, =0.9.2 - @adamkac/gus-api-regon =1.0.2 and more Source cves: CVE-2023-26920 Source advisory: OSV:GHSA-X3CC-X39P-42QX...
GHSA-X3CC-X39P-42QX fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
Impact As a part of this vulnerability, a user was able to pollute the prototype by using __proto__ as a tag or attribute name:

```js
const { XMLParser, XMLBuilder, XMLValidator } = require("fast-xml-parser");

// XML tags reconstructed from the advisory's intent; the extracted text kept only the text node "hacked"
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>";

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);
console.log(jObj.polluted); // should...
```