Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-G556-X5VX-QH59

Vulnerability from github – Published: 2018-10-19 16:50 – Updated: 2022-09-14 19:15
VLAI
Summary
Android SVG vulnerable to XML External Entity (XXE)
Details

AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.caverock:androidsvg"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1000498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:36:09Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution",
  "id": "GHSA-g556-x5vx-qh59",
  "modified": "2022-09-14T19:15:38Z",
  "published": "2018-10-19T16:50:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000498"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BigBadaboom/androidsvg/issues/122"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BigBadaboom/androidsvg"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-g556-x5vx-qh59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Android SVG vulnerable to XML External Entity (XXE)"
}

GHSA-G558-H4G7-Q46J

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-03T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution",
  "id": "GHSA-g558-h4g7-q46j",
  "modified": "2022-05-13T01:14:30Z",
  "published": "2022-05-13T01:14:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000497"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbrl/Pepperminty-Wiki/issues/152"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5JF-3PR8-VJWM

Vulnerability from github – Published: 2022-05-17 02:35 – Updated: 2022-05-17 02:35
VLAI
Details

An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-30T12:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure.",
  "id": "GHSA-g5jf-3pr8-vjwm",
  "modified": "2022-05-17T02:35:51Z",
  "published": "2022-05-17T02:35:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10670"
    },
    {
      "type": "WEB",
      "url": "http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Jun/44"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5MJ-C26G-VMPM

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:36
VLAI
Summary
XML Entity Expansion in Jenkins TestComplete support Plugin
Details

Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:TestComplete"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T01:00:03Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
  "id": "GHSA-g5mj-c26g-vmpm",
  "modified": "2023-02-03T20:36:33Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24443"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/testcomplete-plugin/commit/971003ea578a090ed9a5b9487acb9d2aa93645d3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/testcomplete-plugin/commit/cfb0fc3cd807cb72c24424cef98ce39710f2e5fb"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2741"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML Entity Expansion in Jenkins TestComplete support Plugin"
}

GHSA-G5WV-8CPQ-H4X2

Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36
VLAI
Details

In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-07T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts.",
  "id": "GHSA-g5wv-8cpq-h4x2",
  "modified": "2022-05-14T01:36:39Z",
  "published": "2022-05-14T01:36:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7063"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-007.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6H2-4X64-C59X

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-05-30 14:15
VLAI
Summary
Improper Restriction of XML External Entity Reference Jenkins Token Macro Plugin
Details

An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:token-macro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T23:09:04Z",
    "nvd_published_at": "2019-06-11T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the \"XML\" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-g6h2-4x64-c59x",
  "modified": "2024-05-30T14:15:27Z",
  "published": "2022-05-24T16:47:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10337"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/token-macro-plugin/commit/004319f1b6e2a0f097a096b9df9dc19a5ac0d9b0"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1636"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1851"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/token-macro-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/06/11/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108747"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference Jenkins Token Macro Plugin"
}

GHSA-G6RC-H7GR-54HR

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:35
VLAI
Details

An XML External Entity Injection vulnerability exists in Dzone AnswerHub.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-28T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity Injection vulnerability exists in Dzone AnswerHub.",
  "id": "GHSA-g6rc-h7gr-54hr",
  "modified": "2024-04-04T02:35:27Z",
  "published": "2022-05-24T16:59:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15725"
    },
    {
      "type": "WEB",
      "url": "https://il.linkedin.com/in/nivlevy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6V7-VQHX-6V6C

Vulnerability from github – Published: 2021-10-12 17:23 – Updated: 2021-10-18 13:50
VLAI
Summary
XML External Entity Reference in org.opencms:opencms-core
Details

An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencms:opencms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-11T18:55:10Z",
    "nvd_published_at": "2021-10-08T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server\u0027s file system by uploading a crafted SVG document.",
  "id": "GHSA-g6v7-vqhx-6v6c",
  "modified": "2021-10-18T13:50:38Z",
  "published": "2021-10-12T17:23:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3312"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alkacon/opencms-core/issues/721"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alkacon/opencms-core/issues/725"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alkacon/opencms-core/commit/92e035423aa6967822d343e54392d4291648c0ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alkacon/opencms-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alkacon/opencms-core/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference in org.opencms:opencms-core"
}

GHSA-G6WM-2V64-WQ36

Vulnerability from github – Published: 2025-03-10 18:24 – Updated: 2025-03-14 20:29
VLAI
Summary
LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection
Details

Description

The LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service's XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML.

The vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document.

This vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information.

Steps to Reproduce

  1. Create an XML document that includes an external entity declaration pointing to the internal target:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://internal-web/flag.txt"> ]>
<CreateBucketConfiguration>
    <LocationConstraint>&xxe;</LocationConstraint>
</CreateBucketConfiguration>
  1. Send a PUT request to create a new bucket with this configuration:
curl -X PUT http://app/test-bucket-2 -H 'Content-Type: application/xml' -d @payload.xml
  1. Retrieve the bucket location to see the resolved entity content:
curl http://app/test-bucket-2/?location

When these steps are executed, the server processes the XML, resolves the external entity by making a request to the internal URL, and includes the response in the bucket's location constraint. The attacker can then retrieve this information through the bucket location endpoint.

Mitigations

  • Disable XML external entity resolution in the XML parser configuration. Most XML parsers have options to disable external entity processing.
  • Implement proper input validation for XML documents, rejecting those that contain DOCTYPE declarations or external entity references.
  • Use XML parsers that are configured securely by default and don't process external entities.
  • If external entity processing is required, implement a whitelist of allowed URLs and validate all URLs before making any requests.

Impact

The vulnerability allows unauthenticated attackers to make the server perform HTTP requests to internal networks and services, potentially exposing sensitive information or enabling further attacks against internal systems. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.robothy:local-s3-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T18:24:35Z",
    "nvd_published_at": "2025-03-10T19:15:40Z",
    "severity": "MODERATE"
  },
  "details": "## Description\n\nThe LocalS3 service\u0027s bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service\u0027s XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML.\n\nThe vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document.\n\nThis vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information.\n\n## Steps to Reproduce\n\n1. Create an XML document that includes an external entity declaration pointing to the internal target:\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE test [ \u003c!ENTITY xxe SYSTEM \"http://internal-web/flag.txt\"\u003e ]\u003e\n\u003cCreateBucketConfiguration\u003e\n    \u003cLocationConstraint\u003e\u0026xxe;\u003c/LocationConstraint\u003e\n\u003c/CreateBucketConfiguration\u003e\n```\n\n2. Send a PUT request to create a new bucket with this configuration:\n```bash\ncurl -X PUT http://app/test-bucket-2 -H \u0027Content-Type: application/xml\u0027 -d @payload.xml\n```\n\n3. Retrieve the bucket location to see the resolved entity content:\n```bash\ncurl http://app/test-bucket-2/?location\n```\n\nWhen these steps are executed, the server processes the XML, resolves the external entity by making a request to the internal URL, and includes the response in the bucket\u0027s location constraint. The attacker can then retrieve this information through the bucket location endpoint.\n\n## Mitigations\n\n- Disable XML external entity resolution in the XML parser configuration. Most XML parsers have options to disable external entity processing.\n- Implement proper input validation for XML documents, rejecting those that contain DOCTYPE declarations or external entity references.\n- Use XML parsers that are configured securely by default and don\u0027t process external entities.\n- If external entity processing is required, implement a whitelist of allowed URLs and validate all URLs before making any requests.\n\n## Impact\n\nThe vulnerability allows unauthenticated attackers to make the server perform HTTP requests to internal networks and services, potentially exposing sensitive information or enabling further attacks against internal systems. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability.",
  "id": "GHSA-g6wm-2v64-wq36",
  "modified": "2025-03-14T20:29:09Z",
  "published": "2025-03-10T18:24:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Robothy/local-s3/security/advisories/GHSA-g6wm-2v64-wq36"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27136"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Robothy/local-s3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection"
}

GHSA-G7QQ-6W8P-G7FM

Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38
VLAI
Details

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-06T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.",
  "id": "GHSA-g7qq-6w8p-g7fm",
  "modified": "2022-05-14T01:38:17Z",
  "published": "2022-05-14T01:38:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18980"
    },
    {
      "type": "WEB",
      "url": "https://github.com/x-f1v3/ForCve/issues/5"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/network-monitoring/help/read-me.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.