CVE-2025-30018

HIGH Year: 2025
CVSS v3 Score
8.6
High
Weakness Type
CWE-611
View all →

Vulnerability Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.

Related Vulnerabilities

CVE-2016-4264

HIGH
CVSS:8.6(High)

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a craft...

CWE-6112016

CVE-2016-7051

HIGH
CVSS:8.6(High)

XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vec...

CWE-6112016

CVE-2016-9691

HIGH
CVSS:8.6(High)

IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploi...

CWE-6112016

CVE-2018-19244

HIGH
CVSS:8.6(High)

An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed...

CWE-6112018

CVE-2018-19858

HIGH
CVSS:8.6(High)

PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceX...

CWE-6112018

CVE-2021-3869

HIGH
CVSS:8.6(High)

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

CWE-6112021