Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-GCG5-H35M-25RV

Vulnerability from github – Published: 2024-11-12 21:30 – Updated: 2024-11-22 21:32
VLAI
Details

XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T20:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility),\u00a0monitoringconsolecommon.jar\u00a0in TIBCO Software Inc\u00a0TIBCO Hawk and\u00a0TIBCO Operational Intelligence",
  "id": "GHSA-gcg5-h35m-25rv",
  "modified": "2024-11-22T21:32:12Z",
  "published": "2024-11-12T21:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10218"
    },
    {
      "type": "WEB",
      "url": "https://community.tibco.com/advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:L/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:X/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GCHV-364H-R896

Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2023-10-13 21:07
VLAI
Summary
XML External Entity Reference in apache jena
Details

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 only. Apache Jena 4.2.x and 4.3.x do not allow external entities.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.jena:jena"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-28890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-24T20:52:33Z",
    "nvd_published_at": "2022-05-05T09:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 only. Apache Jena 4.2.x and 4.3.x do not allow external entities.",
  "id": "GHSA-gchv-364h-r896",
  "modified": "2023-10-13T21:07:20Z",
  "published": "2022-05-06T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28890"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitbox.apache.org/repos/asf/jena.git"
    },
    {
      "type": "WEB",
      "url": "https://jena.apache.org/about_jena/security-advisories.html#cve-2022-28890---processing-external-dtds"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference in apache jena"
}

GHSA-GCMC-57W6-9878

Vulnerability from github – Published: 2025-07-29 09:31 – Updated: 2025-07-29 09:31
VLAI
Details

SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-29T08:15:26Z",
    "severity": "MODERATE"
  },
  "details": "SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files.",
  "id": "GHSA-gcmc-57w6-9878",
  "modified": "2025-07-29T09:31:12Z",
  "published": "2025-07-29T09:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26400"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26400"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GCP6-QPVH-GGVF

Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-04-04 02:45
VLAI
Details

Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-30T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Easy XML Editor through v1.7.8 is affected by: XML External Entity Injection. The impact is: Arbitrary File Read and DoS by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.",
  "id": "GHSA-gcp6-qpvh-ggvf",
  "modified": "2024-04-04T02:45:54Z",
  "published": "2022-05-24T17:05:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19031"
    },
    {
      "type": "WEB",
      "url": "https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/155996/Easy-XML-Editor-1.7.8-XML-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GCQM-MJ95-PMJX

Vulnerability from github – Published: 2022-10-15 12:01 – Updated: 2022-10-15 12:01
VLAI
Details

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-gcqm-mj95-pmjx",
  "modified": "2022-10-15T12:01:01Z",
  "published": "2022-10-15T12:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38419"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb22-44.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GCX3-8MJ9-XGM6

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-01T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by processing a specially crafted XML document.",
  "id": "GHSA-gcx3-8mj9-xgm6",
  "modified": "2022-05-24T19:19:22Z",
  "published": "2022-05-24T19:19:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20839"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN33453839/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.antenna.co.jp/news/2021/osdc72-20211027.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GCXJ-MHMW-GGHW

Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41
VLAI
Details

IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-08T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999960.",
  "id": "GHSA-gcxj-mhmw-gghw",
  "modified": "2022-05-17T02:41:26Z",
  "published": "2022-05-17T02:41:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9698"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/119522"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg21999960"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22002258"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96829"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GF6F-95CV-MV72

Vulnerability from github – Published: 2022-05-14 03:06 – Updated: 2022-05-14 03:06
VLAI
Details

Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted game data file (XML).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-26T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Triplea version \u003c= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted game data file (XML).",
  "id": "GHSA-gf6f-95cv-mv72",
  "modified": "2022-05-14T03:06:31Z",
  "published": "2022-05-14T03:06:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000546"
    },
    {
      "type": "WEB",
      "url": "https://github.com/triplea-game/triplea/issues/3442"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/05/31/TripleA-XXE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GFQH-8V9Q-F2VF

Vulnerability from github – Published: 2023-12-13 12:30 – Updated: 2023-12-13 12:30
VLAI
Details

An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application's XML data processing in the fileupload function, resulting in interaction between the attacker and the server's file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-13T10:15:11Z",
    "severity": "HIGH"
  },
  "details": "An XEE vulnerability has been found in Repox, which allows a remote attacker to interfere with the application\u0027s XML data processing in the fileupload function, resulting in interaction between the attacker and the server\u0027s file system.",
  "id": "GHSA-gfqh-8v9q-f2vf",
  "modified": "2023-12-13T12:30:42Z",
  "published": "2023-12-13T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6721"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GG2J-6Q4V-8GCF

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01
VLAI
Details

"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "\"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584.\"",
  "id": "GHSA-gg2j-6q4v-8gcf",
  "modified": "2022-11-04T19:01:15Z",
  "published": "2022-11-04T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40747"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6829373"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.