Vulnerability Category - XML 注入 - XML Injection

Vulnerability Category — XML Injection

Chinese name:: XML 注入

Detail：: 服务端解析用户提交的xml文件时未对xml文件引用的外部实体做合适的处理，并且实体的URL支持file://和php://等协议，攻击者可以在xml文件中声明URI指向服务器本地的实体造成攻击。

Related Vulnerabilities

SSV ID	Submit Time	Name	Popularity \| Comments
SSV-99792	2023-12-18	SAP BusinessObjects Intelligence 4.3 XXE漏洞(CVE-2022-28213)	6924 \| 0
SSV-99720	2023-07-13	泛微OA e-cology XXE 漏洞	4214 \| 0
SSV-99635	2023-01-22	ManageEngine 多个产品远程命令执行漏洞（CVE-2022-47966）	10103 \| 1
SSV-99543	2022-07-14	Zoho ManageEngine ADAudit Plus 未授权RCE漏洞（CVE-2022-28219）	3429 \| 0
SSV-99508	2022-05-11	ArcGIS Enterprise Portal for ArcGIS 组件XXE漏洞	2380 \| 0
SSV-99413	2021-12-15	DedeCMS XML注入漏洞(CVE-2018-16784)	1713 \| 0
SSV-99235	2021-04-28	wordpress 5.7 授权XXE漏洞（CVE-2021-29447）	10327 \| 0
SSV-99113	2021-01-26	WebSphere XML外部实体注入漏洞（CVE-2020-4949）	7607 \| 0
SSV-99074	2020-12-16	Nexus Repository Manager 3 XML外部实体注入漏洞（CVE-2020-29436）	9814 \| 0
SSV-99065	2020-12-09	IBM Maximo Asset Management XXE漏洞（CVE-2020-4463）	11136 \| 0
SSV-98386	2020-09-22	Apache Cocoon XML外部实体注入（CVE-2020-11991）	10675 \| 0
SSV-98382	2020-09-22	WebSphere XXE 漏洞（CVE-2020-4643）	11064 \| 0
SSV-98209	2020-04-15	WebLogic XXE任意文件读取漏洞（CVE-2020-2949）	10785 \| 0
SSV-98087	2019-10-16	WebLogic 未授权XXE漏洞(CVE-2019-2888)	9684 \| 0
SSV-97933	2019-05-08	Jenkins Swarm Plugin XML external entities information disclosure vulnerability(CVE-2019-10309)	4269 \| 0
SSV-97921	2019-04-22	weblogic CVE-2019-2647等相关XXE漏洞	6022 \| 0
SSV-97890	2019-03-31	phpshe v1.7 XXE 漏洞	5668 \| 0
SSV-97760	2019-01-07	Apache Karaf XXE Vulnerability (CVE-2018-11788)	4406 \| 0
SSV-97632	2018-10-29	WebLogic Web服务测试页 XXE(CVE-2018-3246)	5687 \| 0
SSV-97610	2018-10-16	Apache OFBiz XXE Vulnerability	4925 \| 0
SSV-97543	2018-09-20	JavaMelody组件XXE漏洞	4518 \| 0
SSV-97397	2018-07-04	XXE in WeChat Pay SDK	3996 \| 0
SSV-97382	2018-06-29	KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection	3438 \| 0
SSV-97138	2018-02-24	XXE Zeroday Vulnerability in HP PPM	1364 \| 0
SSV-97124	2018-02-02	Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection(CVE-2018-2660) / XSS(CVE-2018-2661)	1882 \| 0
SSV-96970	2017-12-11	Cimetrics BACnet Explorer 4.0 XXE Vulnerability	1182 \| 0
SSV-96838	2017-11-09	Shopware 5.3.3: PHP Object Instantiation to Blind XXE	1407 \| 0
SSV-96596	2017-09-28	Apache Commons Jelly connects to url with certain custom doctype definitions.	2091 \| 0
SSV-96466	2017-09-13	Open Fire User Import Export Plugin XML External Entity Injection(CVE-2017-2815)	1479 \| 0
SSV-93122	2017-05-22	openEAP统一登录门户系统存在通用型XXE漏洞	3560 \| 1
SSV-93114	2017-05-18	Oracle PeopleSoft Remote Code Execution: Blind XXE to SYSTEM Shell	1640 \| 0
SSV-93095	2017-05-11	Oracle PeopleSoft HCM 9.2 XXE Injection	1650 \| 0
SSV-92916	2017-04-06	AMF3 Java implementations Improper Restriction of XML External Entity Reference ('XXE')	1492 \| 0
SSV-92552	2016-11-23	SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML 外部实体注入漏洞	6385 \| 0
SSV-92397	2016-09-09	Adobe ColdFusion < 11 Update 10 - XML外部实体注入	5625 \| 0
SSV-92048	2016-07-07	Apple Safari for Mac OS X 本地 XXE漏洞	5775 \| 0
SSV-91844	2016-06-15	Data format extension for Jackson XmlMapper XML外部实体漏洞	3807 \| 0
SSV-91691	2016-05-30	AfterLogic WebMail Pro ASP.NET Account Takeover / XXE Injection	4132 \| 0
SSV-91604	2016-05-20	TurboMail XML实体注入漏洞	4179 \| 0
SSV-91444	2016-05-04	万户OA xfire xml实体注入漏洞	4641 \| 0
SSV-91387	2016-04-26	TRS wcm系统 eg_newuser_dowith.jsp XXE漏洞	2445 \| 0
SSV-91057	2016-03-16	mallbuilder多用户商城系统 v5.8.1.1 /api/wechat.php XML注入漏洞	1748 \| 0
SSV-90736	2016-02-15	yonyou OA soapFormat.ajax 参数msg XXE漏洞	2317 \| 0
SSV-90629	2016-01-26	TRS WCM parseXMLFile()函数 XXE漏洞	2426 \| 0
SSV-90236	2016-01-08	Z-BLOG Blind-XXE造成任意文件读取	2490 \| 0
SSV-89958	2015-11-30	用友 hrss/dorado/smartweb2.RPC.d 页面 XXE 漏洞	3364 \| 0
SSV-89428	2015-09-15	WukongCRM 0.5.1 /App/Lib/Action/WeixinAction.class.php XXE漏洞	1525 \| 3
SSV-88762	2014-08-12	SOAPpy 0.12.5 /Parser.py XML注入漏洞	2156 \| 0

Vulnerability Category — XML Injection

Related Vulnerabilities

Hello,