CVE ID | Published | Description | Score | Severity |
---|---|---|---|---|
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. | 9.8 |
Critical |
||
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | 9.8 |
Critical |
||
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). | 9.8 |
Critical |
||
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). | 7.5 |
High |
||
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | 7.5 |
High |
||
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. | 5.5 |
Medium |
||
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. | 7.5 |
High |
||
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. | 8.1 |
High |
||
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. | 7.5 |
High |
||
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. | 9.8 |
Critical |
||
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. | 6.5 |
Medium |
||
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. | 9.8 |
Critical |
||
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. | 9.8 |
Critical |
||
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. | 7.5 |
High |
||
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. | 9.8 |
Critical |