CWE-776

Medium likelihood

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Parent: CWE-674 - Uncontrolled Recursion

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

75 vulnerabilities with CWE-776
CVE-2020-6856 (MEDIUM, CVSS 6.5): SOS JobScheduler 1.12 and 1.13.2 - XML External Entity Injection in JOC Cockpit
CVE-2020-5227 (MEDIUM, CVSS 4.4): feedgen < 0.9.0 - XML Denial of Service via Entity Expansion
CVE-2019-19144 (CRITICAL, CVSS 9.8): Quantum DXi6702 2.3.0.3 - XML External Entity Injection via rest/Users Endpoint
CVE-2019-20104 (HIGH, CVSS 7.5): Atlassian Crowd < 3.2.11 - Denial of Service via XML Entity Expansion
CVE-2019-11253 (HIGH, CVSS 7.5): Kubernetes v1.0-1.12 and < v1.13.12, v1.14.8, v1.15.5, v1.16.2 - Denial of Service via Malicious YAML/JSON Payloads
CVE-2019-12401 (HIGH, CVSS 7.5): Apache Solr 1.3.0-1.4.1, 3.1.0-3.6.2, 4.0.0-4.10.4 - XML Entity Expansion via Update Handler
CVE-2019-15903 (HIGH, CVSS 7.5): libexpat < 2.2.8 - XML External Entity Injection via DTD Parsing
CVE-2019-15160 (HIGH, CVSS 7.5): SweetXml < 0.6.6 - Denial of Service via XML Entity Expansion
CVE-2019-5442 (HIGH, CVSS 7.5): Pippo 1.12.0 - Denial of Service via XML Entity Expansion
CVE-2019-5427 (HIGH, CVSS 7.5): c3p0 < 0.9.5.4 - Info Disclosure
CVE-2018-10868 (HIGH, CVSS 7.5): redhat-certification 7 - XML External Entity Injection via XMLRPC Status Reply
CVE-2017-18640 (HIGH, CVSS 7.5): SnakeYAML < 1.26 - XML Entity Expansion via Alias Feature
CVE-2017-5644 (MEDIUM, CVSS 5.5): Apache POI < 3.15 - Denial of Service via XML Entity Expansion
CVE-2015-9541 (HIGH, CVSS 7.5): Qt < 5.12.8 - XML External Entity Injection via QXmlStreamReader
CVE-2014-2228 (CRITICAL, CVSS 9.8): HP Fortify SCA < 2.2 RC3 - Code Injection
CVE-2013-4335 (CRITICAL, CVSS 9.8): opOpenSocialPlugin 0.8.2.1, > 0.9.9.2, 0.9.13, 1.2.6 - XML External Entity Injection
CVE-2013-6461 (MEDIUM, CVSS 6.5): Nokogiri 1.5.0-1.5.10 - Denial of Service via XML Entity Expansion
CVE-2013-6460 (MEDIUM, CVSS 6.5): Nokogiri 1.5.0-1.5.10 - Denial of Service via XML Entity Expansion
CVE-2012-3340 (MEDIUM, CVSS 4.3): IBM InfoSphere Guardium 8.0, 8.01, 8.2 - Authenticated XML External Entity Injection
CVE-2012-6685 (HIGH, CVSS 7.5): Nokogiri < 1.5.4 - XML External Entity Injection
CVE-2011-3288 (HIGH, CVSS 7.5): Cisco Unified Presence < 8.5(4) - Denial of Service via XML Entity Expansion
CVE-2011-1755 (HIGH, CVSS 7.5): jabberd2 < 2.2.14 - Denial of Service via XML Entity Expansion
CVE-2009-1955 (HIGH, CVSS 7.5): Apache APR-util < 1.3.7 - Denial of Service via XML Entity Expansion
CVE-2008-3281 (MEDIUM, CVSS 6.5): libxml2 < 2.6.32 - Denial of Service via Recursive Entity Expansion in DTDs
CVE-2003-1564 (MEDIUM, CVSS 6.5): libxml2 < 2.5.0 - Denial of Service via Recursive Entity Expansion
Details: 75 vulnerabilities; exploit likelihood Medium