CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-GXVP-6GXM-GHQV
Vulnerability from github – Published: 2022-11-23 18:30 – Updated: 2022-11-29 21:30Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-40771"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-23T18:15:00Z",
"severity": "MODERATE"
},
"details": "Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.",
"id": "GHSA-gxvp-6gxm-ghqv",
"modified": "2022-11-29T21:30:27Z",
"published": "2022-11-23T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40771"
},
{
"type": "WEB",
"url": "https://manageengine.com"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/service-desk/CVE-2022-40771.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H22X-HM8G-RXPG
Vulnerability from github – Published: 2022-05-17 00:29 – Updated: 2022-07-01 20:36When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.opennlp:opennlp-tools"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-12620"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T20:36:40Z",
"nvd_published_at": "2017-10-03T01:29:00Z",
"severity": "CRITICAL"
},
"details": "When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.",
"id": "GHSA-h22x-hm8g-rxpg",
"modified": "2022-07-01T20:36:40Z",
"published": "2022-05-17T00:29:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12620"
},
{
"type": "WEB",
"url": "http://opennlp.apache.org/news/cve-2017-12620.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Apache OpenNLP"
}
GHSA-H2JW-98WW-486C
Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-05-27 00:00A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
{
"affected": [],
"aliases": [
"CVE-2022-29801"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T13:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Teamcenter V12.4 (All versions \u003c V12.4.0.13), Teamcenter V13.0 (All versions \u003c V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.",
"id": "GHSA-h2jw-98ww-486c",
"modified": "2022-05-27T00:00:24Z",
"published": "2022-05-21T00:00:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29801"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-789162.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2VQ-7GF2-QW9V
Vulnerability from github – Published: 2022-05-17 00:30 – Updated: 2023-10-23 17:24XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "UmbracoCms.Web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-15280"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-26T23:13:52Z",
"nvd_published_at": "2017-10-12T08:29:00Z",
"severity": "MODERATE"
},
"details": "XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to `Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs`.",
"id": "GHSA-h2vq-7gf2-qw9v",
"modified": "2023-10-23T17:24:47Z",
"published": "2022-05-17T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15280"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco-CMS"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/blob/release-7.7.3/src/Umbraco.Web/Umbraco.Web.csproj"
},
{
"type": "WEB",
"url": "http://issues.umbraco.org/issue/U4-10506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco CMS XXE Vulnerability"
}
GHSA-H384-PH77-3699
Vulnerability from github – Published: 2023-03-21 18:30 – Updated: 2023-03-24 22:19A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "weixin-python"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25082"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-21T22:41:46Z",
"nvd_published_at": "2023-03-21T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.",
"id": "GHSA-h384-ph77-3699",
"modified": "2023-03-24T22:19:53Z",
"published": "2023-03-21T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25082"
},
{
"type": "WEB",
"url": "https://github.com/zwczou/weixin-python/pull/30"
},
{
"type": "WEB",
"url": "https://github.com/zwczou/weixin-python/commit/e54abadc777715b6dcb545c13214d1dea63df6c9"
},
{
"type": "PACKAGE",
"url": "https://github.com/zwczou/weixin-python"
},
{
"type": "WEB",
"url": "https://github.com/zwczou/weixin-python/releases/tag/v0.5.5"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.223403"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.223403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "weixin-python XML External Entity vulnerability"
}
GHSA-H455-6C5F-P957
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-12-03 00:30IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890.
{
"affected": [],
"aliases": [
"CVE-2019-4433"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890.",
"id": "GHSA-h455-6c5f-p957",
"modified": "2022-12-03T00:30:19Z",
"published": "2022-05-24T16:54:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4433"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162890"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10958079"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10958081"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-H4WX-78P9-FWXW
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2025-04-30 20:27SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control XML input files for the 'Publish SourceMonitor results' post-build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.
Because Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.thalesgroup.hudson.plugins:sourcemonitor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45396"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T22:24:17Z",
"nvd_published_at": "2022-11-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control XML input files for the \u0027Publish SourceMonitor results\u0027 post-build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.\n\nBecause Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.",
"id": "GHSA-h4wx-78p9-fwxw",
"modified": "2025-04-30T20:27:35Z",
"published": "2022-11-16T12:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45396"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/sourcemonitor-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2927"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability on agents in Jenkins SourceMonitor Plugin"
}
GHSA-H57P-MM7W-9RCX
Vulnerability from github – Published: 2022-05-14 01:56 – Updated: 2022-05-14 01:56An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.
{
"affected": [],
"aliases": [
"CVE-2018-12585"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-14T21:29:00Z",
"severity": "HIGH"
},
"details": "An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.",
"id": "GHSA-h57p-mm7w-9rcx",
"modified": "2022-05-14T01:56:13Z",
"published": "2022-05-14T01:56:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12585"
},
{
"type": "WEB",
"url": "https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-12585.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105538"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H67G-969J-MGR3
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.
{
"affected": [],
"aliases": [
"CVE-2019-11392"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-21T19:15:00Z",
"severity": "HIGH"
},
"details": "BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.",
"id": "GHSA-h67g-969j-mgr3",
"modified": "2024-04-04T01:02:36Z",
"published": "2022-05-24T16:48:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11392"
},
{
"type": "WEB",
"url": "https://www.securitymetrics.com/blog/blogenginenet-xml-external-entity-attacks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H755-H99P-9FFV
Vulnerability from github – Published: 2022-05-14 01:40 – Updated: 2024-01-08 20:11An issue was discovered in weixin-java-tools. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.github.binarywang:weixin-java-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.2.B"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-5312"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-08T20:11:00Z",
"nvd_published_at": "2019-01-04T16:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in weixin-java-tools. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318.",
"id": "GHSA-h755-h99p-9ffv",
"modified": "2024-01-08T20:11:00Z",
"published": "2022-05-14T01:40:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5312"
},
{
"type": "WEB",
"url": "https://github.com/Wechat-Group/WxJava/issues/903"
},
{
"type": "WEB",
"url": "https://github.com/Wechat-Group/WxJava/issues/903#issuecomment-453747039"
},
{
"type": "WEB",
"url": "https://github.com/Wechat-Group/WxJava/commit/8ec61d1328f50e23cd14285a950ca57a088b32b2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in weixin-java-tools"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.