Search for packages
| purl | pkg:nuget/libxml2@2.7.8.5 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1155-4sem-aaaq
Aliases: CVE-2015-7499 GHSA-jxjr-5h69-qw3w |
Moderate severity vulnerability that affects nokogiri | There are no reported fixed by versions. |
|
VCID-1ynh-xcuu-aaae
Aliases: CVE-2016-4447 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The xmlParseElementDecl function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName. | There are no reported fixed by versions. |
|
VCID-29mt-tpku-aaab
Aliases: CVE-2021-3517 GHSA-jw9f-hh49-cvp9 |
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. | There are no reported fixed by versions. |
|
VCID-2fyr-85vm-aaak
Aliases: CVE-2023-45322 |
** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail." | There are no reported fixed by versions. |
|
VCID-3xsz-q8j4-aaaj
Aliases: CVE-2015-5312 GHSA-xjqg-9jvg-fgx2 |
High severity vulnerability that affects nokogiri | There are no reported fixed by versions. |
|
VCID-4z87-yfha-aaaq
Aliases: CVE-2023-39615 |
** DISPUTED ** Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input. | There are no reported fixed by versions. |
|
VCID-6zrf-f1cm-aaah
Aliases: CVE-2015-8242 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. | There are no reported fixed by versions. |
|
VCID-7nr1-p57s-aaaj
Aliases: CVE-2016-1833 |
Out-of-bounds Read The htmlCurrentChar function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-9ast-t7b4-aaaj
Aliases: CVE-2016-2073 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-b8ge-qb4s-aaad
Aliases: CVE-2022-40304 |
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. | There are no reported fixed by versions. |
|
VCID-d1f6-59hf-aaaf
Aliases: CVE-2019-19956 |
xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. | There are no reported fixed by versions. |
|
VCID-d7ye-gyq7-aaad
Aliases: CVE-2017-7375 |
Improper Restriction of XML External Entity Reference A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). | There are no reported fixed by versions. |
|
VCID-e47u-5zh7-aaad
Aliases: CVE-2016-9318 |
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. | There are no reported fixed by versions. |
|
VCID-ej8b-efns-aaae
Aliases: CVE-2017-5130 |
Out-of-bounds Write An integer overflow in xmlmemory.c in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file. | There are no reported fixed by versions. |
|
VCID-fke8-gpzm-aaad
Aliases: CVE-2022-40303 |
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. | There are no reported fixed by versions. |
|
VCID-gn1q-6cht-aaap
Aliases: CVE-2021-3537 GHSA-286v-pcf5-25rc |
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. | There are no reported fixed by versions. |
|
VCID-jrju-mshh-aaae
Aliases: CVE-2016-1837 |
Use After Free Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allow remote attackers to cause a denial of service via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-jtq1-n4bm-aaan
Aliases: CVE-2015-8806 GHSA-7hp2-xwpj-95jq |
Nokogiri, dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) | There are no reported fixed by versions. |
|
VCID-m7ct-1jfm-aaaj
Aliases: CVE-2018-14404 GHSA-6qvp-r6r3-9p7h |
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. | There are no reported fixed by versions. |
|
VCID-mpuz-tm4y-aaad
Aliases: CVE-2016-4658 GHSA-fr52-4hqw-p27f |
Nokogiri does not forbid namespace nodes in XPointer ranges | There are no reported fixed by versions. |
|
VCID-n3rk-tdn9-aaaa
Aliases: CVE-2022-23308 |
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. | There are no reported fixed by versions. |
|
VCID-n4gm-zpen-aaaa
Aliases: CVE-2015-7500 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The xmlParseMisc function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. | There are no reported fixed by versions. |
|
VCID-nmvj-q8r8-aaap
Aliases: CVE-2015-8317 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The xmlParseXMLDecl function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read. | There are no reported fixed by versions. |
|
VCID-nuy6-81wq-aaaa
Aliases: CVE-2017-18258 GHSA-882p-jqgm-f45g |
Moderate severity vulnerability that affects nokogiri | There are no reported fixed by versions. |
|
VCID-pf6b-dxvk-aaan
Aliases: CVE-2016-5131 |
Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. | There are no reported fixed by versions. |
|
VCID-q523-t29q-aaaj
Aliases: CVE-2016-1839 |
Out-of-bounds Read The xmlDictAddString function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-qk21-h42j-aaas
Aliases: CVE-2015-8710 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment. | There are no reported fixed by versions. |
|
VCID-qky4-p9ky-aaan
Aliases: CVE-2016-3627 |
Improper Input Validation The xmlStringGetNodeList function in tree.c in libxml2, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-sdba-sgwc-aaaj
Aliases: CVE-2021-3541 |
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. | There are no reported fixed by versions. |
|
VCID-sqpm-y8sb-aaac
Aliases: CVE-2015-8241 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The xmlNextChar function in libxml2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. | There are no reported fixed by versions. |
|
VCID-su55-rp7r-aaaq
Aliases: CVE-2016-1840 |
Improper Restriction of Operations within the Bounds of a Memory Buffer Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-swer-ap9v-aaam
Aliases: CVE-2015-7497 |
Improper Restriction of Operations within the Bounds of a Memory Buffer Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 allows context-dependent attackers to cause a denial of service via unspecified vectors. | There are no reported fixed by versions. |
|
VCID-th6j-c7js-aaaf
Aliases: CVE-2017-16932 GHSA-x2fm-93ww-ggvx |
parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. | There are no reported fixed by versions. |
|
VCID-tx3d-7hjt-aaab
Aliases: CVE-2016-4483 |
Deserialization of Untrusted Data The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627. | There are no reported fixed by versions. |
|
VCID-ucwr-c93v-aaag
Aliases: CVE-2016-9596 |
Uncontrolled Resource Consumption libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627. | There are no reported fixed by versions. |
|
VCID-uem6-z7mb-aaae
Aliases: CVE-2015-7498 |
Improper Restriction of Operations within the Bounds of a Memory Buffer Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. | There are no reported fixed by versions. |
|
VCID-uspk-9kg9-aaas
Aliases: CVE-2016-9598 |
Out-of-bounds Read libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vulnerability exists because of a missing fix for CVE-2016-4483. | There are no reported fixed by versions. |
|
VCID-vekd-aqst-aaas
Aliases: CVE-2017-15412 GHSA-r58r-74gx-6wx3 |
Use After Free Use after free in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | There are no reported fixed by versions. |
|
VCID-vjpb-z8u8-aaab
Aliases: CVE-2017-7376 |
Improper Restriction of Operations within the Bounds of a Memory Buffer Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects. | There are no reported fixed by versions. |
|
VCID-w7vw-1nq3-aaac
Aliases: CVE-2016-1838 |
Out-of-bounds Read The xmlPArserPrintFileContextInternal function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-wdr9-vsu9-aaap
Aliases: CVE-2021-3518 GHSA-v4f8-2847-rwm7 |
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. | There are no reported fixed by versions. |
|
VCID-wf9x-r3us-aaaj
Aliases: CVE-2016-4448 |
Use of Externally-Controlled Format String Format string vulnerability in libxml2 allows attackers to have unspecified impact via format string specifiers in unknown vectors. | There are no reported fixed by versions. |
|
VCID-wsnx-wfhq-aaap
Aliases: CVE-2016-1834 |
Improper Restriction of Operations within the Bounds of a Memory Buffer Heap-based buffer overflow in the xmlStrncat function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-xaum-qp9b-aaae
Aliases: CVE-2022-29824 |
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. | There are no reported fixed by versions. |
|
VCID-ydsa-nwvx-aaag
Aliases: CVE-2016-1836 |
Use After Free Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-ydvn-fhb3-aaah
Aliases: CVE-2012-2871 |
Uncontrolled Resource Consumption libxml2, as used in Google Chrome, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h. | There are no reported fixed by versions. |
|
VCID-yu35-r34h-aaam
Aliases: CVE-2016-1762 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The xmlNextChar function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. | There are no reported fixed by versions. |
|
VCID-zew4-4yut-aaap
Aliases: CVE-2016-4449 |
Improper Input Validation XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. | There are no reported fixed by versions. |
|
VCID-zqqw-fe14-aaac
Aliases: CVE-2017-16931 |
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||