CVE-2018-1000889

HIGH Year: 2018
CVSS v3 Score
8.8
High
CVSS v2 Score
6.8
Medium
Weakness Type
CWE-611
View all →

Vulnerability Description

Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.

Related Vulnerabilities

CVE-2010-3322

HIGH
CVSS:8.8(High)

The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.

CWE-6112010

CVE-2014-0225

HIGH
CVSS:8.8(High)

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references ...

CWE-6112014

CVE-2014-2296

HIGH
CVSS:8.8(High)

XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remo...

CWE-6112014

CVE-2016-5851

HIGH
CVSS:8.8(High)

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.

CWE-6112016

CVE-2016-8526

HIGH
CVSS:8.8(High)

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If ...

CWE-6112016

CVE-2017-1000021

HIGH
CVSS:8.8(High)

LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.

CWE-6112017