Lucene search
2704 matches found

OSV
added 2023/03/07 11:20 p.m., 8 views

CVE-2023-27476 XML External Entity (XXE) Injection in OWSLib

OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser, which supports both lxml and xml.etree, does not disable entity resolution, and could lead to arbitrary file reads from an...

CVSS 8.2, AI score 7.9, EPSS 0.00168
Exploits: 0, References: 7
OSV
added 2023/03/07 8:41 p.m., 21 views

GHSA-8H9C-R582-MGGC OWSLib vulnerable to XML External Entity (XXE) Injection

Impact: OWSLib's XML parser, which supports both lxml and xml.etree, does not disable entity resolution for lxml, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. Patches: Use only lxml for XML handling, adding...

CVSS 8.8, AI score 7.7, EPSS 0.00168
Exploits: 0, References: 10
CNNVD
added 2023/03/07 12:00 a.m., 3 views

OWSLib code issue vulnerability

OWSLib is a Python package for client-side programming using the Open Geospatial Consortium (OGC) Web Services (hence the name OWS) interface standard and its associated content model. A code issue vulnerability exists in versions of OWSLib prior to 0.28.1 that stems from an XML parser that does not...

CVSS 8.2, AI score 7.8, EPSS 0.00168
Exploits: 0, References: 8
FreeBSD
added 2023/03/07 12:00 a.m., 24 views

py39-OWSLib -- arbitrary file read vulnerability

Jorge Rosillo reports: OWSLib's XML parser, which supports both lxml and xml.etree, does not disable entity resolution for lxml, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase...

CVSS 8.2, AI score 7.5, EPSS 0.00168
Exploits: 0, References: 1
OSV
added 2023/02/24 5:39 p.m., 26 views

GHSA-9VX8-F5C4-862X XML External Entity (XXE) vulnerability in apoc.import.graphml

Impact: An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was...

CVSS 5.9, AI score 6.9, EPSS 0.00198
Exploits: 0, References: 6
F5 Networks
added 2023/02/21 6:53 p.m., 62 views

K51011533: Expat XML parser vulnerability CVE-2018-20843

Security Advisory Description: In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). CVE-2018-20843 Impact...

CVSS 7.8, AI score 6.8, EPSS 0.05584
Exploits: 1, Affected Software: 15
F5 Networks
added 2023/02/21 6:53 p.m., 69 views

K65460334: Expat XML parser vulnerability CVE-2012-6702

Security Advisory Description: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. CVE-2012-6702 Impact: An attacker m...

CVSS 5.9, AI score 6.8, EPSS 0.00722
Exploits: 0, Affected Software: 20
F5 Networks
added 2023/02/21 6:46 p.m., 38 views

K57108702: Apache Tika XML External Entity vulnerability CVE-2016-4434

Security Advisory Description: Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats,...

CVSS 7.8, AI score 8, EPSS 0.00415
Exploits: 0
F5 Networks
added 2023/02/21 6:29 p.m., 33 views

K15892: Oracle Database Server vulnerabilities CVE-2013-3751, CVE-2013-3774, CVE-2014-4236, CVE-2014-4237, and CVE-2014-4245

Security Advisory Description: CVE-2013-3751: Unspecified vulnerability in the XML Parser component in Oracle Database Server 11.2.0.2, 11.2.0.3, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. CVE-2013-3774: Unspecified...

CVSS 9, AI score 6.1, EPSS 0.04884
Exploits: 1
F5 Networks
added 2023/02/21 6:11 p.m., 38 views

K15429: Apache Tomcat vulnerability CVE-2014-0119

Security Advisory Description: Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that...

CVSS 4.3, AI score 7, EPSS 0.04351
Exploits: 0, Affected Software: 1
vulnersOsv
added 2023/02/19 4:13 p.m., 2 views

@actvalue/av-aws-sdk (>=0.5.0 <=0.9.2), @adiza/sfpowerscripts (>=23.0.0 <=25.0.7) +616 more potentially affected by CVE-2023-26920 via fast-xml-parser (>=4.0.0-beta.2 <=4.1.1)

fast-xml-parser NPM version =4.0.0-beta.2, =0.5.0, =23.0.0, =35.0.0, =1.6.3, =7.1.3, =2.0.17, =1.2.11, =1.11.83, =8.3.11, =3.10.0, =3.0.0, =0.0.1-beta.1, =0.0.1-beta.1, =2.0.0, =10.8.0, =10.12.0-RC.1 and more. Source cves: CVE-2023-26920. Source advisory: SNYK:JS-FASTXMLPARSER-3325616...

CVSS 6.5, AI score 6.7, EPSS 0.00199
Exploits: 1
Snyk
added 2023/02/19 4:13 p.m., 5 views

Prototype Pollution

Overview: fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries. Affected versions of this package are vulnerable to Prototype Pollution due to improper argument validation, which is exploitable via the aName variable. PoC: js const XMLParser, XMLBuilder, XMLValidator...

CVSS 6.5, AI score 7.5, EPSS 0.00199
Exploits: 1, References: 2
OSV
added 2023/02/16 8:46 p.m., 25 views

GHSA-6WXG-WH7F-RQPR XML External Entity (XXE) vulnerability in apoc.import.graphml

Impact: An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was...

CVSS 5.9, AI score 6.9, EPSS 0.00198
Exploits: 0, References: 7
Github Security Blog
added 2023/02/16 8:46 p.m., 19 views

XML External Entity (XXE) vulnerability in apoc.import.graphml

Impact: An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was...

CVSS 8.1, AI score 7.9, EPSS 0.00198
Exploits: 0, References: 7, Affected Software: 1
Cvelist
added 2023/02/16 12:00 a.m., 11 views

CVE-2023-23926

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML...

CVSS 5.9, AI score 8.4, EPSS 0.00198
Exploits: 0, References: 4
OSV
added 2023/02/16 12:00 a.m., 15 views

CVE-2023-23926

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML...

CVSS 5.9, AI score 8.2, EPSS 0.00198
Exploits: 0, References: 6
SUSE CVE
added 2023/02/15 6:04 a.m., 1 view

SUSE CVE-2009-0783

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted...

CVSS 4.2, AI score 4.7, EPSS 0.00098
Exploits: 1, References: 5
SUSE CVE
added 2023/02/15 5:48 a.m., 1 view

SUSE CVE-2012-1521

Use-after-free vulnerability in the XML parser in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors...

CVSS 6.8, AI score 9.6, EPSS 0.07354
Exploits: 1, References: 3
SUSE CVE
added 2023/02/15 5:44 a.m., 1 view

SUSE CVE-2012-5134

Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML...

CVSS 6.8, AI score 9.4, EPSS 0.02065
Exploits: 1, References: 13
SUSE CVE
added 2023/02/15 5:42 a.m., 1 view

SUSE CVE-2013-0338

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity...

CVSS 4.3, AI score 6.8, EPSS 0.00672
Exploits: 0, References: 8