
CVSS: 9.8 • EPSS: 1% • CPEs: 10 • EXPL: 1

The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
• https://web.archive.org/web/20140425095352/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Remote-code-execution-and-XML-Entity-Expansion-injection/ba-p/6403370
• CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
• https://github.com/restlet/restlet-framework-java/issues/1286
• https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements
• https://lgtm.com/blog/restlet_CVE-2017-14868
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 1

Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
• https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements
• https://lgtm.com/blog/restlet_CVE-2017-14949
• CWE-611: Improper Restriction of XML External Entity Reference