CVE-2023-49735 (Apache Tiles)
UNSUPPORTED WHEN ASSIGNED: The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to...
Eclipse IDE XXE in eclipse.platform
Impact: XML files like ".project" are parsed by a parser that is vulnerable to all sorts of XXE attacks. The user only needs to open any malicious project, or update an open project with a malicious file, for example to review a foreign repository or patch. The vulnerability was found by static code analysis (SonarLint)...
GHSA-77JG-CPW9-73VG Apache Cocoon Improper Restriction of XML External Entity Reference vulnerability
Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon. This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue...
GHSA-82Q9-88M2-4V68 Jenkins MATLAB Plugin XML External Entity vulnerability
Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form...
Jenkins MATLAB Plugin cross-site request forgery vulnerability
Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form...
XXE
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...
Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to XML external entity injection due to Eclipse Jetty (260681)
Summary: IBM Sterling Connect:Direct Web Services uses Eclipse Jetty. Vulnerability Details: IBM X-Force ID: 260681 DESCRIPTION: Eclipse Jetty is vulnerable to an XML external entity injection (XXE) attack when processing XML data, caused by a weakly configured XML parser. By using specially crafted...
Magento 2.4.6 XSLT Server Side Injection
Exploit Title: Magento ver. 2.4.6 - XSLT Server Side Injection Date: 2023-11-17 Exploit Author: tmrswrr Vendor Homepage: https://magento2demo.firebearstudio.com/ Software Link: Magento 2.4.6-p3 Version: 2.4.6 Tested on: 2.4.6 POC 1. Log in with admin credentials at this URL:...
CVE-2023-31089
CVE-2023-31089 concerns the WordPress plugin Video XML Sitemap Generator (Tradebooster)
CVE-2023-47655 WordPress ANAC XML Bandi di Gara Plugin <= 7.5 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi ANAC XML Bandi di Gara. This issue affects ANAC XML Bandi di Gara: from n/a through 7.5...
CVE-2023-45387
In the module "Product Catalog CSV, Excel, XML Export PRO" (exportproducts) in versions up to 5.0.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection via exportProduct::addDataToDb...
CVE-2023-47242 WordPress ANAC XML Bandi di Gara Plugin <= 7.5 is vulnerable to Cross Site Scripting (XSS)
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Milesi ANAC XML Bandi di Gara plugin <= 7.5 versions...
CVE-2023-47242
CVE-2023-47242 refers to a Stored Cross-Site Scripting (XSS) flaw in the Marco Milesi ANAC XML Bandi di Gara WordPress plugin, affecting all releases up to and including version 7.5. The vulnerability requires Contributor+ authentication to exploit and could enable script injection under certain ...
Siemens OPC UA Modeling Editor (SiOME) XML External Entity Injection Vulnerability
Siemens OPC UA Modeling Editor SiOME is a free tool to create OPC UA information models or map existing companion specifications. An XML external entity injection vulnerability exists in Siemens OPC UA Modeling Editor SiOME, which can be exploited by an attacker to interfere with the application'...
CVE-2023-46590
A vulnerability has been identified in Siemens OPC UA Modelling Editor (SiOME), all versions < V2.8. Affected products suffer from an XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application's processing of XML data and read arbitrary...
CVE-2023-46590
Siemens OPC UA Modeling Editor (SiOME) is affected by an XXE injection in all versions prior to V2.8. The vulnerability allows attacker-controlled XML processing to read arbitrary files on the system. CVSS v3.1 base score is 7.5 (Network attack vector, Low attack complexity, No privileges required, No user interacti...