CVE-2024-3572

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-409
View all →

Vulnerability Description

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.

Related Vulnerabilities

CVE-2024-28101

HIGH
CVSS:7.5(High)

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. ...

CWE-4092024

CVE-2024-7765

HIGH
CVSS:7.5(High)

In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion...

CWE-4092024

CVE-2025-30153

HIGH
CVSS:7.5(High)

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted...

CWE-4092025

CVE-2025-46730

MEDIUM
CVSS:6.8(Medium)

MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access t...

CWE-4092025

CVE-2023-0475

MEDIUM
CVSS:6.5(Medium)

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

CWE-4092023