CVE List by Type: XXE (Filtered by Published Year)

Explore CVEs related to XXE vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.

Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.

You're viewing XXE CVEs published in 2020.

Showing 120 of 120 results
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
| --- | --- | --- | --- | --- | --- |
| CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | 8.8 | 0.48% | 2020-12-30 | 2024-11-21 |
| CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | 8.8 | 0.48% | 2020-12-30 | 2024-11-21 |
| CVE-2020-26247 | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. Thi | 2.6 | 0.26% | 2020-12-30 | 2024-11-21 |
| CVE-2020-35604 | An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used. | 9.8 | 0.46% | 2020-12-21 | 2024-11-21 |
| CVE-2020-35123 | In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network edition 9.0.0 Patch 10 and 8.8.15 Patch 17. | 6.5 | 0.80% | 2020-12-17 | 2024-11-21 |
| CVE-2020-29436 | Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0. | 6.5 | 0.51% | 2020-12-17 | 2024-11-21 |
| CVE-2020-26513 | An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks. | 5.5 | 0.24% | 2020-12-07 | 2024-11-21 |
| CVE-2020-25649 | A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. | 7.5 | 0.07% | 2020-12-03 | 2024-11-21 |
| CVE-2020-2324 | Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.5 | 0.15% | 2020-12-03 | 2024-11-21 |
| CVE-2020-26229 | TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploite | 3.7 | 0.27% | 2020-11-23 | 2024-11-21 |
| CVE-2020-7572 | A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, server side request forgery due to improper configuration of the XML parser. | 8.8 | 0.47% | 2020-11-19 | 2024-11-21 |
| CVE-2020-7032 | An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2. | 6.5 | 0.43% | 2020-11-13 | 2024-11-21 |
| CVE-2020-24454 | Improper Restriction of XML External Entity Reference in subsystem for Intel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access. | 7.5 | 0.39% | 2020-11-12 | 2024-11-21 |
| CVE-2020-27017 | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. | 4.9 | 1.00% | 2020-11-09 | 2024-11-21 |
| CVE-2020-15352 | An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | 7.2 | 6.55% | 2020-10-27 | 2024-11-21 |
| CVE-2020-25186 | An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure. | 7.5 | 0.22% | 2020-10-22 | 2024-11-21 |
| CVE-2020-4772 | An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. A remote attacker could exploit this vulnerability to expose sensitive information, denial of service, server side request forgery or consume memory resources. IBM X-Force ID: 189150. | 8.1 | 0.54% | 2020-10-12 | 2024-11-21 |
| CVE-2020-15232 | In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style. | 9.3 | 0.34% | 2020-10-02 | 2024-11-21 |
| CVE-2020-13940 | In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). | 5.5 | 0.96% | 2020-10-01 | 2024-11-21 |
| CVE-2020-8256 | A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability. | 4.9 | 3.91% | 2020-09-30 | 2024-11-21 |