BIT-GRADLE-2023-42445 Possible local file exfiltration by XML External entity injection

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack OOB-XXE, just parsing XML can lead to exfiltration of local tex...

IBM Security Guardium XML External Entity Injection Vulnerability (CNVD-2024-12704)

IBM Security Guardium is a suite of platforms from International Business Machines IBM that provide data protection capabilities. The platform includes features such as custom UI, report management and streamlined audit process building. IBM Security Guardium Key Lifecycle Manager suffers from an...

Xxe

IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599...

CVE-2023-25926

CVE-2023-25926 affects IBM Security Guardium Key Lifecycle Manager (GKLM) 3.0, 3.0.1, 4.0, 4.1, and 4.1.1, with an XML External Entity Injection (XXE) vulnerability when processing XML data. The root cause is XXE in the XML processing path, enabling a remote attacker to potentially expose sensiti...

ROS-20240226-02

A vulnerability in Microsoft's .NET Framework software platform is related to incorrectly restricting XML links to external objects. external objects. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive information...

ReDoS (Regular Expression Denial Of Service)

scrapy is vulnerable to ReDoS Regular Expression Denial Of Service. The vulnerability is due to a Regular Expression with inefficient complexity which is used to parse XML content when utilizing the XMLFeedSpider class when scraping XML. If the class is utilized to scrape an attacker-controlled w...

USN-6305-2: PHP vulnerabilities

USN-6305-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to...

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : PHP vulnerabilities (USN-6305-2)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6305-2 advisory. USN-6305-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04...

Fedora: Security Advisory (FEDORA-2024-fbe1f0c1aa)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora: Security Advisory for mingw-expat (FEDORA-2024-b8656bc059)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

[SECURITY] Fedora 38 Update: expat-2.6.0-1.fc38

This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parse...

Fedora: Security Advisory for expat (FEDORA-2024-8a2c093df5)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2024-25129

The CodeQL CLI repo holds binaries for the CodeQL command line interface CLI. Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously...

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a local authenticated attacker due to Eclipse IDE (CVE-2023-4218)

Summary IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit are vulnerable to a local authenticated attacker due to Eclipse IDE. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-4218 DESCRIPTION: Eclipse IDE coul...

[SECURITY] Fedora 39 Update: qt5-qtbase-5.15.12-5.fc39

Qt is a software toolkit for developing applications. This package contains base tools, like string, xml, and network handling...

Code Injection

Overview Affected versions of this package are vulnerable to Code Injection due to incorrect handling of certain XML files. An attacker can achieve remote code execution by crafting malicious XML files that exploit the vulnerability. Note: This CVE was released to notify about the release of a fi...

SAP NetWeaver AS Java Multiple Vulnerabilities (Feb 2024)

SAP NetWeaver Application Server for Java is affected by multiple vulnerabilities, including the following: - The User Admin application of SAP NetWeaver AS for Java insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This resul...

CVE-2024-22024

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure 9.x, 22.x, Ivanti Policy Secure 9.x, 22.x and ZTA gateways which allows an attacker to access certain restricted resources without authentication...

CVE-2024-22024

CVE-2024-22024 is an XML External Entity (XXE) vulnerability in Ivanti Connect Secure and Ivanti Policy Secure gateways (SAML component) affecting 9.x and 22.x branches, plus ZTA gateways. The issue allows an unauthenticated attacker to access certain restricted resources via SAML-based requests....

CVE-2024-24743

SAP NetWeaver AS Java (CAF - Guided Procedures) 7.50 is affected by an unauthenticated XXE-type vulnerability triggered by submitting a crafted XML over the network. The issue allows an attacker to access sensitive files and data without modifying them; availability is not affected per the CVE en...