Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-FPQ4-MCF9-C5W9

Vulnerability from github – Published: 2022-05-17 05:02 – Updated: 2024-02-15 03:30
VLAI
Details

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-3489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-10-03T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.",
  "id": "GHSA-fpq4-mcf9-c5w9",
  "modified": "2024-02-15T03:30:19Z",
  "published": "2022-05-17T05:02:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3489"
    },
    {
      "type": "WEB",
      "url": "https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=849173"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-1263.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50635"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50718"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50859"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50946"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2534"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:139"
    },
    {
      "type": "WEB",
      "url": "http://www.postgresql.org/about/news/1407"
    },
    {
      "type": "WEB",
      "url": "http://www.postgresql.org/docs/8.3/static/release-8-3-20.html"
    },
    {
      "type": "WEB",
      "url": "http://www.postgresql.org/docs/8.4/static/release-8-4-13.html"
    },
    {
      "type": "WEB",
      "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-9.html"
    },
    {
      "type": "WEB",
      "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-5.html"
    },
    {
      "type": "WEB",
      "url": "http://www.postgresql.org/support/security"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/55074"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1542-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ34-JRJ4-RRGQ

Vulnerability from github – Published: 2022-05-14 01:55 – Updated: 2022-05-14 01:55
VLAI
Details

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-10T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \"MS XML Remote Code Execution Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.",
  "id": "GHSA-fq34-jrj4-rrgq",
  "modified": "2022-05-14T01:55:58Z",
  "published": "2022-05-14T01:55:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8494"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8494"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105457"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041844"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ39-62GX-8HQX

Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-06-29 17:32
VLAI
Summary
TYPO3 ke_search XML External Entity Injection
Details

In TYPO3 faceted fulltext search (ke_search), the OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. This has been patched in versions 7.0.1, 6.6.1, 5.6.2 and 4.6.7.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "tpwd/ke_search"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "tpwd/ke_search"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "tpwd/ke_search"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "tpwd/ke_search"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-29T17:32:26Z",
    "nvd_published_at": "2026-05-19T10:16:25Z",
    "severity": "MODERATE"
  },
  "details": "In TYPO3 faceted fulltext search (`ke_search`), the OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. This has been patched in versions 7.0.1, 6.6.1, 5.6.2 and 4.6.7.",
  "id": "GHSA-fq39-62gx-8hqx",
  "modified": "2026-06-29T17:32:26Z",
  "published": "2026-05-19T12:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/tpwd/ke_search/CVE-2026-46722.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tpwd/ke_search"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TYPO3 ke_search XML External Entity Injection"
}

GHSA-FQGG-8QCM-J2CR

Vulnerability from github – Published: 2025-04-17 00:30 – Updated: 2025-04-17 00:30
VLAI
Details

Overview

XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611)

Description

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference.

Impact

By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T23:15:45Z",
    "severity": "MODERATE"
  },
  "details": "Overview \n\n\n\n\u00a0\n\n\n\nXML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611) \n\n\n\n\u00a0\n\n\n\nDescription \n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference. \n\n\n\n\u00a0\n\n\n\nImpact \n\n\n\n\u00a0\n\n\n\nBy submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.",
  "id": "GHSA-fqgg-8qcm-j2cr",
  "modified": "2025-04-17T00:30:26Z",
  "published": "2025-04-17T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24911"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/35783689016589--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-24911"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQP3-633W-R5GJ

Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17
VLAI
Details

Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-01T08:29:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe ColdFusion has an XML external entity (XXE) injection vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.",
  "id": "GHSA-fqp3-633w-r5gj",
  "modified": "2022-05-13T01:17:38Z",
  "published": "2022-05-13T01:17:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11286"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100715"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039321"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQQP-7V7W-5XHP

Vulnerability from github – Published: 2025-09-29 06:30 – Updated: 2025-09-29 06:30
VLAI
Details

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T04:15:40Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fqqp-7v7w-5xhp",
  "modified": "2025-09-29T06:30:27Z",
  "published": "2025-09-29T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11140"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FightingLzn9/vul/blob/main/%E6%97%B6%E7%A9%BA%E6%99%BA%E5%8F%8Berp-3.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.326217"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.326217"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.658090"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FR47-W293-V3QJ

Vulnerability from github – Published: 2023-07-25 06:30 – Updated: 2024-04-04 06:20
VLAI
Details

Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-25T04:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Applicant Programme Ver.7.06 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.",
  "id": "GHSA-fr47-w293-v3qj",
  "modified": "2024-04-04T06:20:41Z",
  "published": "2023-07-25T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32639"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN37857022"
    },
    {
      "type": "WEB",
      "url": "https://www.moj.go.jp/MINJI/minji06_00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR4X-V988-5548

Vulnerability from github – Published: 2023-06-13 12:30 – Updated: 2024-04-04 04:46
VLAI
Details

Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T10:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Improper restriction of XML external entity reference (XXE) vulnerability exists in FRENIC RHC Loader v1.1.0.3 and earlier. If a user opens a specially crafted project file, sensitive information on the system where the affected product is installed may be disclosed.",
  "id": "GHSA-fr4x-v988-5548",
  "modified": "2024-04-04T04:46:13Z",
  "published": "2023-06-13T12:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29498"
    },
    {
      "type": "WEB",
      "url": "https://felib.fujielectric.co.jp/download/details.htm?dataid=45829407\u0026site=global\u0026lang=en"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU97809354"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR78-8877-W87J

Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42
VLAI
Details

runelite version <= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "runelite version \u003c= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.",
  "id": "GHSA-fr78-8877-w87j",
  "modified": "2022-05-14T01:42:26Z",
  "published": "2022-05-14T01:42:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000834"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runelite/runelite/issues/6160"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/10/28/runelite-XXE-MitM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRQP-FR6C-CW58

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2024-04-04 03:06
VLAI
Details

The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-13T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.",
  "id": "GHSA-frqp-fr6c-cw58",
  "modified": "2024-04-04T03:06:04Z",
  "published": "2022-05-24T17:47:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28973"
    },
    {
      "type": "WEB",
      "url": "https://www.compass-security.com/fileadmin/Research/Advisories/2021-01_CSNC-2021-005_Helix_ALM_XXE.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.