CWE-611

IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 146189.

SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data.

IBM DataPower Gateway 7.1.0.0 – 7.1.0.23, 7.2.0.0 – 7.2.0.21, 7.5.0.0 – 7.5.0.16, 7.5.1.0 – 7.5.1.15, 7.5.2.0 – 7.5.2.15, and 7.6.0.0 – 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 – 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 144950.

An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3.7.0, as distributed in OpenMRS Reference Application 2.8.0.

PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564.

FsPro Labs Event Log Explorer 4.6.1.2115 has “.elx” FileType XML External Entity Injection.