U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:xmlsoft:libxml2:2.7.7:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 58 matching records.
Displaying matches 41 through 58.
Vuln ID Summary CVSS Severity
CVE-2015-8317

The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.

Published: December 15, 2015; 4:59:09 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-8242

The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.

Published: December 15, 2015; 4:59:07 PM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2015-8241

The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.

Published: December 15, 2015; 4:59:06 PM -0500
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2015-7500

A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.

Published: December 15, 2015; 4:59:05 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-7499

A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.

Published: December 15, 2015; 4:59:03 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-7498

A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.

Published: December 15, 2015; 4:59:02 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-7497

A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.

Published: December 15, 2015; 4:59:01 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-5312

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

Published: December 15, 2015; 4:59:00 PM -0500
V3.x:(not available)
V2.0: 7.1 HIGH
CVE-2014-3660

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

Published: November 04, 2014; 11:55:06 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-0339

libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.

Published: January 21, 2014; 1:55:09 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-2877

parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.

Published: July 10, 2013; 6:55:02 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-0338

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-0841

CVE-2012-0841 libxml2: hash table collisions CPU usage DoS

Published: December 21, 2012; 12:46:14 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-5134

Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.

Published: November 27, 2012; 8:55:01 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-2871

libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.

Published: August 31, 2012; 3:55:01 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2011-1944

Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.

Published: September 02, 2011; 12:55:03 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2010-4494

Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.

Published: December 07, 2010; 4:00:09 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2010-4008

libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.

Published: November 16, 2010; 8:00:02 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM