xmlsoft vulnerabilities and exploits

5
CVSSv2
CVE-2019-19956

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs....

5
CVSSv2
CVE-2019-5815

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data....

5.1
CVSSv2
CVE-2019-18197

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or...

5
CVSSv2
CVE-2019-13117

In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character....

XmlsoftLibxslt
5
CVSSv2
CVE-2019-13118

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data....

XmlsoftLibxslt
7.5
CVSSv2
CVE-2019-11068

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded....

6.8
CVSSv2
CVE-2017-15412

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page....

4.3
CVSSv2
CVE-2016-9596

libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627....

4.3
CVSSv2
CVE-2018-14567

libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251....

4.3
CVSSv2
CVE-2016-9598

libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vulnerability exists because of a missing fix for CVE-2016-4483....