CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-G556-X5VX-QH59
Vulnerability from github – Published: 2018-10-19 16:50 – Updated: 2022-09-14 19:15AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.caverock:androidsvg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-1000498"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:36:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution",
"id": "GHSA-g556-x5vx-qh59",
"modified": "2022-09-14T19:15:38Z",
"published": "2018-10-19T16:50:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000498"
},
{
"type": "WEB",
"url": "https://github.com/BigBadaboom/androidsvg/issues/122"
},
{
"type": "PACKAGE",
"url": "https://github.com/BigBadaboom/androidsvg"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-g556-x5vx-qh59"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Android SVG vulnerable to XML External Entity (XXE)"
}
GHSA-G558-H4G7-Q46J
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution
{
"affected": [],
"aliases": [
"CVE-2017-1000497"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-03T14:29:00Z",
"severity": "CRITICAL"
},
"details": "Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution",
"id": "GHSA-g558-h4g7-q46j",
"modified": "2022-05-13T01:14:30Z",
"published": "2022-05-13T01:14:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000497"
},
{
"type": "WEB",
"url": "https://github.com/sbrl/Pepperminty-Wiki/issues/152"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5JF-3PR8-VJWM
Vulnerability from github – Published: 2022-05-17 02:35 – Updated: 2022-05-17 02:35An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure.
{
"affected": [],
"aliases": [
"CVE-2017-10670"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-30T12:29:00Z",
"severity": "CRITICAL"
},
"details": "An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure.",
"id": "GHSA-g5jf-3pr8-vjwm",
"modified": "2022-05-17T02:35:51Z",
"published": "2022-05-17T02:35:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10670"
},
{
"type": "WEB",
"url": "http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Jun/44"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5MJ-C26G-VMPM
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:36Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.8.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:TestComplete"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24443"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-27T01:00:03Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "CRITICAL"
},
"details": "Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
"id": "GHSA-g5mj-c26g-vmpm",
"modified": "2023-02-03T20:36:33Z",
"published": "2023-01-26T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24443"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/testcomplete-plugin/commit/971003ea578a090ed9a5b9487acb9d2aa93645d3"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/testcomplete-plugin/commit/cfb0fc3cd807cb72c24424cef98ce39710f2e5fb"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2741"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML Entity Expansion in Jenkins TestComplete support Plugin"
}
GHSA-G5WV-8CPQ-H4X2
Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts.
{
"affected": [],
"aliases": [
"CVE-2018-7063"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-07T21:29:00Z",
"severity": "HIGH"
},
"details": "In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts.",
"id": "GHSA-g5wv-8cpq-h4x2",
"modified": "2022-05-14T01:36:39Z",
"published": "2022-05-14T01:36:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7063"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-007.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G6H2-4X64-C59X
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-05-30 14:15An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:token-macro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10337"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-28T23:09:04Z",
"nvd_published_at": "2019-06-11T14:29:00Z",
"severity": "HIGH"
},
"details": "An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the \"XML\" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.",
"id": "GHSA-g6h2-4x64-c59x",
"modified": "2024-05-30T14:15:27Z",
"published": "2022-05-24T16:47:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10337"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/token-macro-plugin/commit/004319f1b6e2a0f097a096b9df9dc19a5ac0d9b0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1636"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1851"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/token-macro-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/06/11/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108747"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference Jenkins Token Macro Plugin"
}
GHSA-G6RC-H7GR-54HR
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:35An XML External Entity Injection vulnerability exists in Dzone AnswerHub.
{
"affected": [],
"aliases": [
"CVE-2017-15725"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-28T19:15:00Z",
"severity": "HIGH"
},
"details": "An XML External Entity Injection vulnerability exists in Dzone AnswerHub.",
"id": "GHSA-g6rc-h7gr-54hr",
"modified": "2024-04-04T02:35:27Z",
"published": "2022-05-24T16:59:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15725"
},
{
"type": "WEB",
"url": "https://il.linkedin.com/in/nivlevy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G6V7-VQHX-6V6C
Vulnerability from github – Published: 2021-10-12 17:23 – Updated: 2021-10-18 13:50An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.opencms:opencms-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "12.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3312"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-11T18:55:10Z",
"nvd_published_at": "2021-10-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server\u0027s file system by uploading a crafted SVG document.",
"id": "GHSA-g6v7-vqhx-6v6c",
"modified": "2021-10-18T13:50:38Z",
"published": "2021-10-12T17:23:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3312"
},
{
"type": "WEB",
"url": "https://github.com/alkacon/opencms-core/issues/721"
},
{
"type": "WEB",
"url": "https://github.com/alkacon/opencms-core/issues/725"
},
{
"type": "WEB",
"url": "https://github.com/alkacon/opencms-core/commit/92e035423aa6967822d343e54392d4291648c0ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/alkacon/opencms-core"
},
{
"type": "WEB",
"url": "https://github.com/alkacon/opencms-core/releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in org.opencms:opencms-core"
}
GHSA-G6WM-2V64-WQ36
Vulnerability from github – Published: 2025-03-10 18:24 – Updated: 2025-03-14 20:29Description
The LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service's XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML.
The vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document.
This vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information.
Steps to Reproduce
- Create an XML document that includes an external entity declaration pointing to the internal target:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://internal-web/flag.txt"> ]>
<CreateBucketConfiguration>
<LocationConstraint>&xxe;</LocationConstraint>
</CreateBucketConfiguration>
- Send a PUT request to create a new bucket with this configuration:
curl -X PUT http://app/test-bucket-2 -H 'Content-Type: application/xml' -d @payload.xml
- Retrieve the bucket location to see the resolved entity content:
curl http://app/test-bucket-2/?location
When these steps are executed, the server processes the XML, resolves the external entity by making a request to the internal URL, and includes the response in the bucket's location constraint. The attacker can then retrieve this information through the bucket location endpoint.
Mitigations
- Disable XML external entity resolution in the XML parser configuration. Most XML parsers have options to disable external entity processing.
- Implement proper input validation for XML documents, rejecting those that contain DOCTYPE declarations or external entity references.
- Use XML parsers that are configured securely by default and don't process external entities.
- If external entity processing is required, implement a whitelist of allowed URLs and validate all URLs before making any requests.
Impact
The vulnerability allows unauthenticated attackers to make the server perform HTTP requests to internal networks and services, potentially exposing sensitive information or enabling further attacks against internal systems. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.robothy:local-s3-rest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27136"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-10T18:24:35Z",
"nvd_published_at": "2025-03-10T19:15:40Z",
"severity": "MODERATE"
},
"details": "## Description\n\nThe LocalS3 service\u0027s bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service\u0027s XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML.\n\nThe vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document.\n\nThis vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information.\n\n## Steps to Reproduce\n\n1. Create an XML document that includes an external entity declaration pointing to the internal target:\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE test [ \u003c!ENTITY xxe SYSTEM \"http://internal-web/flag.txt\"\u003e ]\u003e\n\u003cCreateBucketConfiguration\u003e\n \u003cLocationConstraint\u003e\u0026xxe;\u003c/LocationConstraint\u003e\n\u003c/CreateBucketConfiguration\u003e\n```\n\n2. Send a PUT request to create a new bucket with this configuration:\n```bash\ncurl -X PUT http://app/test-bucket-2 -H \u0027Content-Type: application/xml\u0027 -d @payload.xml\n```\n\n3. Retrieve the bucket location to see the resolved entity content:\n```bash\ncurl http://app/test-bucket-2/?location\n```\n\nWhen these steps are executed, the server processes the XML, resolves the external entity by making a request to the internal URL, and includes the response in the bucket\u0027s location constraint. The attacker can then retrieve this information through the bucket location endpoint.\n\n## Mitigations\n\n- Disable XML external entity resolution in the XML parser configuration. Most XML parsers have options to disable external entity processing.\n- Implement proper input validation for XML documents, rejecting those that contain DOCTYPE declarations or external entity references.\n- Use XML parsers that are configured securely by default and don\u0027t process external entities.\n- If external entity processing is required, implement a whitelist of allowed URLs and validate all URLs before making any requests.\n\n## Impact\n\nThe vulnerability allows unauthenticated attackers to make the server perform HTTP requests to internal networks and services, potentially exposing sensitive information or enabling further attacks against internal systems. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability.",
"id": "GHSA-g6wm-2v64-wq36",
"modified": "2025-03-14T20:29:09Z",
"published": "2025-03-10T18:24:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/security/advisories/GHSA-g6wm-2v64-wq36"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27136"
},
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"
},
{
"type": "PACKAGE",
"url": "https://github.com/Robothy/local-s3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection"
}
GHSA-G7QQ-6W8P-G7FM
Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
{
"affected": [],
"aliases": [
"CVE-2018-18980"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-06T04:29:00Z",
"severity": "HIGH"
},
"details": "An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.",
"id": "GHSA-g7qq-6w8p-g7fm",
"modified": "2022-05-14T01:38:17Z",
"published": "2022-05-14T01:38:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18980"
},
{
"type": "WEB",
"url": "https://github.com/x-f1v3/ForCve/issues/5"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/network-monitoring/help/read-me.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.