CVE-2023-4218 – XXE in eclipse.platform / Eclipse IDE
https://notcve.org/view.php?id=CVE-2023-4218
In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch). En las versiones de Eclipse IDE <2023-09 (4.29), algunos archivos con contenido xml se analizan como vulnerables a todo tipo de ataques XXE. El usuario sólo necesita abrir cualquier proyecto maligno o actualizar un proyecto abierto con un archivo vulnerable (por ejemplo, para revisar un repositorio o parche externo). • https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b https://github.com/eclipse-emf/org.eclipse.emf/issues/10 https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec https://github.com/eclipse-pde/eclipse.pde/pull/632 https://github.com/eclipse-pde/eclipse.pde/pull/667 https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45 https:// • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2017-8315
https://notcve.org/view.php?id=CVE-2017-8315
Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml. El analizador Eclipse XML para Eclipse IDE, en versiones 2017.2.5 y anteriores, es vulnerable a un ataque de XML External Entity. Un atacante puede explotar la vulnerabilidad implementando código malicioso en Androidmanifest.xml. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=519169 https://research.checkpoint.com/parsedroid-targeting-android-development-research-community • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2010-4647 – Eclipse 3.6.1 - Help Server 'help/advanced/content.jsp' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4647
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Help Contents web (también conocido como Help Server), permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante el query string a (1) help/index.jsp o (2) help/advanced/content.jsp • https://www.exploit-db.com/exploits/34999 https://www.exploit-db.com/exploits/34998 http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052532.html http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052554.html http://openwall.com/lists/oss-security/2011/01/06/16 http://openwall.com/lists/oss-security/2011/01/06/7 http://www.mandriva.com/security/advisories?name=MDVSA-2011:032 http://www.redhat.com/support/errata/RHSA-2011-0568.html http: • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-7271 – Eclipse 3.3.2 IDE - 'Help Server help/advanced/searchView.jsp?SearchWord' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-7271
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en la aplicación web Help Contents (tambien conocida como Help Server) en Eclipse IDE, posiblemente v3.3.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1) searchWord sobre help/advanced/searchView.jsp o (2) workingSet en una acción add sobre help/advanced/workingSetManager.jsp, en una vulnerabilidad distinta a CVE-2010-4647. • https://www.exploit-db.com/exploits/35242 https://www.exploit-db.com/exploits/35243 http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html https://bugs.eclipse.org/bugs/show_bug.cgi?id=223539 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •