MidnightBSD

Advisories for sync

CVE-2019-20191 MEDIUM

Oxygen XML Editor 21.1.1 allows XXE to read any file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611

Products Affected

Vendor Product Version
sync oxygen_xml_author *
sync oxygen_xml_developer *
sync oxygen_xml_editor *

CVE-2021-46827

An issue was discovered in Oxygen XML WebHelp before 22.1 build 2021082006 and 23.x before 23.1 build 2021090310. An XSS vulnerability in search terms proposals (in online documentation generated using Oxygen XML WebHelp) allows attackers to execute JavaScript by convincing a user to type specific text in the WebHelp output search field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
sync oxygen_xml_developer 22.1
sync oxygen_xml_webhelp *
sync oxygen_xml_developer 23.1
sync oxygen_publishing_engine *
sync oxygen_publishing_engine 23.1
sync oxygen_xml_editor 23.1
sync oxygen_xml_webhelp 22.1
sync oxygen_xml_webhelp 23.1
sync oxygen_publishing_engine 22.1
sync oxygen_xml_author *
sync oxygen_xml_editor 22.1
sync oxygen_xml_author 23.1
sync oxygen_xml_developer *
sync oxygen_xml_editor *
sync oxygen_xml_author 22.1

CVE-2023-26559

A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)

Products Affected

Vendor Product Version
sync oxygen_content_fusion *
sync oxygen_xml_web_author *