Export limit exceeded: 352548 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 16388 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3065 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-22380 | 1 Maff | 1 Electronic Delivery Check System | 2025-06-05 | 5.5 Medium |
| Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. | ||||
| CVE-2024-45033 | 1 Apache | 1 Apache-airflow-providers-fab | 2025-06-03 | 8.1 High |
| Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from CVE-2023-40273 https://github.com/advisories/GHSA-pm87-24wq-r8w9 which was addressed in Apache-Airflow 2.7.0 Users are recommended to upgrade to version 1.5.2, which fixes the issue. | ||||
| CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2025-06-03 | 3.9 Low |
| Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. | ||||
| CVE-2024-0350 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2025-06-03 | 3.1 Low |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-250118 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-45139 | 1 Fonttools | 1 Fonttools | 2025-06-03 | 7.5 High |
| fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0. | ||||
| CVE-2024-21722 | 1 Joomla | 1 Joomla\! | 2025-06-02 | 6.3 Medium |
| The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified. | ||||
| CVE-2024-23525 | 1 Tozt | 1 Spreadsheet\ | 2025-06-02 | 6.5 Medium |
| The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig. | ||||
| CVE-2018-20843 | 8 Canonical, Debian, Fedoraproject and 5 more | 12 Ubuntu Linux, Debian Linux, Fedora and 9 more | 2025-05-30 | 7.5 High |
| In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). | ||||
| CVE-2023-28152 | 1 Independentsoft | 1 Jword | 2025-05-30 | 5.3 Medium |
| An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | ||||
| CVE-2023-28151 | 1 Independentsoft | 1 Jspreadsheet | 2025-05-30 | 5.3 Medium |
| An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | ||||
| CVE-2023-28150 | 1 Independentsoft | 1 Jodf | 2025-05-30 | 5.3 Medium |
| An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. | ||||
| CVE-2020-36772 | 1 Cloudlinux | 1 Cagefs | 2025-05-30 | 4.4 Medium |
| CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment. | ||||
| CVE-2022-34716 | 2 Microsoft, Redhat | 5 .net, .net Core, Powershell and 2 more | 2025-05-29 | 5.9 Medium |
| .NET Spoofing Vulnerability | ||||
| CVE-2019-5641 | 1 Rapid7 | 1 Insightvm | 2025-05-29 | 3.3 Low |
| Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | ||||
| CVE-2023-4554 | 3 Linux, Microsoft, Opentext | 3 Linux Kernel, Windows, Appbuilder | 2025-05-29 | 4.9 Medium |
| Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files. AppBuilder's XML processor is vulnerable to XML External Entity Processing (XXE), allowing an authenticated user to upload specially crafted XML files to induce server-side request forgery, disclose files local to the server that processes them. This issue affects AppBuilder: from 21.2 before 23.2. | ||||
| CVE-2023-32843 | 1 Mediatek | 36 Mt2735, Mt2737, Mt6297 and 33 more | 2025-05-29 | 7.5 High |
| In 5G Modem, there is a possible system crash due to improper error handling. This could lead to remote denial of service when receiving malformed RRC messages, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01130204; Issue ID: MOLY01130204 (MSV-849). | ||||
| CVE-2022-41226 | 1 Jenkins | 1 Compuware Common Configuration | 2025-05-28 | 9.8 Critical |
| Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2022-2888 | 1 Octoprint | 1 Octoprint | 2025-05-28 | 4.4 Medium |
| If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. | ||||
| CVE-2022-41241 | 1 Jenkins | 1 Rqm | 2025-05-28 | 9.8 Critical |
| Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | ||||
| CVE-2022-3251 | 1 Ikus-soft | 1 Minarca | 2025-05-28 | 5.3 Medium |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2. | ||||