Search Results (3183 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-43990 1 Fanuc 1 Roboguide 2025-04-16 6.1 Medium
The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.
CVE-2022-1331 1 Deltaww 1 Dmars 2025-04-16 5.5 Medium
In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure.
CVE-2021-27498 1 Opener Project 1 Opener 2025-04-16 7.5 High
A specifically crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to Feb 10, 2021 may result in a denial-of-service condition.
CVE-2021-27500 1 Opener Project 1 Opener 2025-04-16 7.5 High
A specifically crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to Feb 10, 2021 may result in a denial-of-service condition.
CVE-2022-1704 1 Inductiveautomation 1 Ignition 2025-04-16 7.6 High
Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.
CVE-2022-2759 1 Deltaww 1 Delta Robot Automation Studio 2025-04-16 5.5 Medium
Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This may allow an attacker to view sensitive documents and information on the affected host.
CVE-2024-46603 1 Elspec-ltd 2 G5dfr, G5dfr Firmware 2025-04-16 7.5 High
An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.
CVE-2024-46602 1 Elspec-ltd 2 G5dfr, G5dfr Firmware 2025-04-16 7.5 High
An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload.
CVE-2022-28710 1 Wwbn 1 Avideo 2025-04-15 6.5 Medium
An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-32761 1 Wwbn 1 Avideo 2025-04-15 6.5 Medium
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2015-10003 1 Filezilla-project 1 Filezilla Server 2025-04-15 4.3 Medium
A vulnerability, which was classified as problematic, was found in FileZilla Server up to 0.9.50. This affects an unknown part of the component PORT Handler. The manipulation leads to unintended intermediary. It is possible to initiate the attack remotely. Upgrading to version 0.9.51 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2022-4070 1 Librenms 1 Librenms 2025-04-14 9.8 Critical
Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0.
CVE-2022-4409 1 Phpmyfaq 1 Phpmyfaq 2025-04-14 7.5 High
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
CVE-2022-41967 1 Hypera 1 Dragonfly 2025-04-14 7 High
Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions.
CVE-2015-3982 1 Djangoproject 1 Django 2025-04-12 N/A
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
CVE-2016-3720 2 Fasterxml, Fedoraproject 2 Jackson-dataformat-xml, Fedora 2025-04-12 9.8 Critical
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
CVE-2015-8744 2 Debian, Qemu 2 Debian Linux, Qemu 2025-04-12 5.5 Medium
QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.
CVE-2014-3530 1 Redhat 10 Jboss Bpms, Jboss Brms, Jboss Data Grid and 7 more 2025-04-12 N/A
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
CVE-2015-5477 2 Isc, Redhat 4 Bind, Enterprise Linux, Rhel Aus and 1 more 2025-04-12 N/A
named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.
CVE-2016-1285 8 Canonical, Debian, Fedoraproject and 5 more 51 Ubuntu Linux, Debian Linux, Fedora and 48 more 2025-04-12 6.8 Medium
named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c.