CVE-2015-8866

CRITICAL Year: 2015
CVSS v3 Score
9.6
Critical
CVSS v2 Score
6.8
Medium
Weakness Type
CWE-611
View all →

Vulnerability Description

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

Related Vulnerabilities

CVE-2016-6256

CRITICAL
CVSS:9.6(Critical)

SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i....

CWE-6112016

CVE-2018-1000639

CRITICAL
CVSS:9.6(Critical)

LatexDraw version <=4.0 contains a XML External Entity (XXE) vulnerability in SVG parsing functionality that can result in disclosure of data, server side request forgery, port scanning, possible rce....

CWE-6112018

CVE-2018-3881

CRITICAL
CVSS:9.4(Critical)

An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server t...

CWE-6112018

CVE-2013-4334

CRITICAL
CVSS:9.8(Critical)

opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities

CWE-6112013

CVE-2014-0030

CRITICAL
CVSS:9.8(Critical)

The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.

CWE-6112014

CVE-2014-125087

CRITICAL
CVSS:9.8(Critical)

A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference....

CWE-6112014