Lucene search
+L

553 matches found

RedhatCVE
RedhatCVE
added 2025/02/05 3:39 a.m.5 views

CVE-2024-45048

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been...

8.8CVSS6.4AI score0.0057EPSS
Exploits1References1
IBM Security Bulletins
IBM Security Bulletins
added 2025/01/28 10:8 p.m.27 views

Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM Robotic Process Automation and may result in an External Entity Injection (XXE) attack when processing XML data (CVE-2024-22354).

Summary A vulnerability in WebSphere Application Server Liberty affects IBM Robotic Process Automation and may result in an External Entity Injection XXE attack when processing XML data. WebSphere Application Server is used as the application server layer for IBM Robotic Process Automation...

7CVSS6.7AI score0.00649EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2025/01/28 10:8 p.m.15 views

Security Bulletin: IBM Master Data Management is vulnerable to an XXE attack from a vulnerability found in IBM WebSphere Application Server (CVE-2024-45072)

Summary IBM Master Data Management v11.6, v12.0, and v14.0 are vulnerable to an XXE attack from a vulnerability found in IBM WebSphere Application Server. IBM WebSphere Application Server is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A privileged user coul...

5.5CVSS6.3AI score0.00439EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2025/01/28 10:8 p.m.16 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2024-45086)

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera,...

5.5CVSS6.6AI score0.0044EPSS
Exploits0Affected Software11
NVD
NVD
added 2024/12/20 3:15 p.m.25 views

CVE-2024-56356

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack...

7.1CVSS0.00237EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2024/12/20 2:11 p.m.9 views

CVE-2024-56356

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack...

5.9CVSS6.9AI score0.00237EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/12/20 2:11 p.m.35 views

CVE-2024-56356

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack...

5.9CVSS0.00237EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2024/12/11 12:0 a.m.15 views

PT-2024-10160 · Http4K · Http4K

Name of the Vulnerable Software and Affected Versions: http4k versions prior to 5.41.0.0 Description: The issue is related to an XXE XML External Entity Injection vulnerability when http4k handles malicious XML contents within requests. This could allow attackers to read local sensitive informati...

9.8CVSS6.1AI score0.01902EPSS
Exploits0References25
CISA KEV Catalog
CISA KEV Catalog
added 2024/12/03 12:0 a.m.33 views

North Grid Proself Improper Restriction of XML External Entity (XXE) Reference Vulnerability

North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity XXE reference vulnerability, which could allow a remote, unauthenticated attacker to conduct an XXE attack...

7.5CVSS7AI score0.03542EPSS
In wildExploits0
Snyk
Snyk
added 2024/12/02 4:42 p.m.4 views

XML External Entity (XXE) Injection

Overview simplesamlphp/simplesamlphp is a PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0. Affected versions of this package are vulnerable to XML External Entity XXE Injection due to improper sanitization of XML body in the...

8.8CVSS7.6AI score0.00414EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2024/11/18 8:1 p.m.364 views

XXE in PHPSpreadsheet's XLSX reader

Summary The XmlScanner class has a scan method which should prevent XXE attacks. However, we found another bypass than the previously reported CVE-2024-47873, the regexes from the findCharSet method, which is used for determining the current encoding can be bypassed by using a payload in the...

7.5CVSS7.5AI score0.00718EPSS
Exploits1References5Affected Software2
CVE
CVE
added 2024/11/18 7:48 p.m.69 views

CVE-2024-48917

CVE-2024-48917 (PhpSpreadsheet XXE bypass) : The XmlScanner in PhpSpreadsheet can be bypassed via the encoding detection logic (findCharSet) when processing XML with UTF-7 payloads, allowing an XML External Entity attack. A comment injection at the end of the file encoding tag (e.g., encoding="UT...

7.5CVSS7.5AI score0.00718EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2024/11/18 5:3 p.m.87 views

CVE-2024-47873

PhpSpreadsheet's XML scanner contains a bypass that can enable XML External Entity (XXE) attacks. The findCharSet/scan logic can be bypassed by encoding tricks (e.g., UCS-4, UTF-7) and encoding guessing, allowing sanitizers to be circumvented. Affected versions are prior to 1.9.4, 2.1.3, 2.3.2, a...

7.5CVSS7.4AI score0.0076EPSS
Exploits1References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2024/11/15 1:50 p.m.14 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Insights is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

Summary IBM Engineering Lifecycle Optimization - Engineering Insights ENI is vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. In XML parsers, when XML...

8.2CVSS6.8AI score0.00679EPSS
Exploits0Affected Software1
NVD
NVD
added 2024/10/14 2:15 p.m.19 views

CVE-2024-8602

When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE XML External Entity attack. Further information on this can be found on the website of the Open Worldwide Application Security Project OWASP. An attacker...

6.3CVSS0.00393EPSS
Exploits1References2
Cvelist
Cvelist
added 2024/10/14 1:10 p.m.30 views

CVE-2024-8602 XML Eternal Entity Attack in the Software Library taxstatement.jar

When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE XML External Entity attack. Further information on this can be found on the website of the Open Worldwide Application Security Project OWASP. An attacker...

6.3CVSS0.00393EPSS
Exploits1References2
OSV
OSV
added 2024/10/07 8:3 p.m.13 views

CVE-2024-45293 XML External Entity Reference (XXE) in PHPSpreadsheet's XLSX reader

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel XLS...

7.5CVSS6.1AI score0.02799EPSS
Exploits1References3
CVE
CVE
added 2024/09/27 3:57 p.m.40 views

CVE-2024-45745

TopQuadrant TopBraid EDG before version 8.0.1 is vulnerable to an XXE-style flaw: an authenticated attacker can upload an XML DTD file and execute JavaScript to read local files or access URLs. The root cause is an XML DTD handling/upload feature that allows external entity resolution. Impact is ...

5CVSS3.9AI score0.00278EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2024/09/10 4:15 p.m.17 views

CVE-2023-37233

Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks...

8.8CVSS0.00445EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2024/08/29 5:58 p.m.28 views

XXE in PHPSpreadsheet encoding is returned

Summary Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. LFI-attack Details Check $pattern = '/encoding=".?"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:...

8.8CVSS6.7AI score0.0057EPSS
Exploits1References4Affected Software2
Rows per page
Query Builder