Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-GXVP-6GXM-GHQV

Vulnerability from github – Published: 2022-11-23 18:30 – Updated: 2022-11-29 21:30
VLAI
Details

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-23T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.",
  "id": "GHSA-gxvp-6gxm-ghqv",
  "modified": "2022-11-29T21:30:27Z",
  "published": "2022-11-23T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40771"
    },
    {
      "type": "WEB",
      "url": "https://manageengine.com"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/service-desk/CVE-2022-40771.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H22X-HM8G-RXPG

Vulnerability from github – Published: 2022-05-17 00:29 – Updated: 2022-07-01 20:36
VLAI
Summary
Improper Restriction of XML External Entity Reference in Apache OpenNLP
Details

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.opennlp:opennlp-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-12620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T20:36:40Z",
    "nvd_published_at": "2017-10-03T01:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.",
  "id": "GHSA-h22x-hm8g-rxpg",
  "modified": "2022-07-01T20:36:40Z",
  "published": "2022-05-17T00:29:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12620"
    },
    {
      "type": "WEB",
      "url": "http://opennlp.apache.org/news/cve-2017-12620.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Apache OpenNLP"
}

GHSA-H2JW-98WW-486C

Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-05-27 00:00
VLAI
Details

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-20T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Teamcenter V12.4 (All versions \u003c V12.4.0.13), Teamcenter V13.0 (All versions \u003c V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.",
  "id": "GHSA-h2jw-98ww-486c",
  "modified": "2022-05-27T00:00:24Z",
  "published": "2022-05-21T00:00:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29801"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-789162.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2VQ-7GF2-QW9V

Vulnerability from github – Published: 2022-05-17 00:30 – Updated: 2023-10-23 17:24
VLAI
Summary
Umbraco CMS XXE Vulnerability
Details

XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoCms.Web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-15280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-26T23:13:52Z",
    "nvd_published_at": "2017-10-12T08:29:00Z",
    "severity": "MODERATE"
  },
  "details": "XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to `Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs`.",
  "id": "GHSA-h2vq-7gf2-qw9v",
  "modified": "2023-10-23T17:24:47Z",
  "published": "2022-05-17T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/blob/release-7.7.3/src/Umbraco.Web/Umbraco.Web.csproj"
    },
    {
      "type": "WEB",
      "url": "http://issues.umbraco.org/issue/U4-10506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco CMS XXE Vulnerability"
}

GHSA-H384-PH77-3699

Vulnerability from github – Published: 2023-03-21 18:30 – Updated: 2023-03-24 22:19
VLAI
Summary
weixin-python XML External Entity vulnerability
Details

A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "weixin-python"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:41:46Z",
    "nvd_published_at": "2023-03-21T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address this issue. The name of the patch is e54abadc777715b6dcb545c13214d1dea63df6c9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223403.",
  "id": "GHSA-h384-ph77-3699",
  "modified": "2023-03-24T22:19:53Z",
  "published": "2023-03-21T18:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zwczou/weixin-python/pull/30"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zwczou/weixin-python/commit/e54abadc777715b6dcb545c13214d1dea63df6c9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zwczou/weixin-python"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zwczou/weixin-python/releases/tag/v0.5.5"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.223403"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.223403"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "weixin-python XML External Entity vulnerability"
}

GHSA-H455-6C5F-P957

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-12-03 00:30
VLAI
Details

IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-20T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere Identity Insight 8.1 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162890.",
  "id": "GHSA-h455-6c5f-p957",
  "modified": "2022-12-03T00:30:19Z",
  "published": "2022-05-24T16:54:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4433"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162890"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10958079"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10958081"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4WX-78P9-FWXW

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2025-04-30 20:27
VLAI
Summary
XXE vulnerability on agents in Jenkins SourceMonitor Plugin
Details

SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Publish SourceMonitor results' post-build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.

Because Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.thalesgroup.hudson.plugins:sourcemonitor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-45396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T22:24:17Z",
    "nvd_published_at": "2022-11-15T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control XML input files for the \u0027Publish SourceMonitor results\u0027 post-build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.\n\nBecause Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.",
  "id": "GHSA-h4wx-78p9-fwxw",
  "modified": "2025-04-30T20:27:35Z",
  "published": "2022-11-16T12:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45396"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/sourcemonitor-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2927"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability on agents in Jenkins SourceMonitor Plugin"
}

GHSA-H57P-MM7W-9RCX

Vulnerability from github – Published: 2022-05-14 01:56 – Updated: 2022-05-14 01:56
VLAI
Details

An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-14T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.",
  "id": "GHSA-h57p-mm7w-9rcx",
  "modified": "2022-05-14T01:56:13Z",
  "published": "2022-05-14T01:56:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12585"
    },
    {
      "type": "WEB",
      "url": "https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-12585.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105538"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H67G-969J-MGR3

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02
VLAI
Details

BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-21T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.",
  "id": "GHSA-h67g-969j-mgr3",
  "modified": "2024-04-04T01:02:36Z",
  "published": "2022-05-24T16:48:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11392"
    },
    {
      "type": "WEB",
      "url": "https://www.securitymetrics.com/blog/blogenginenet-xml-external-entity-attacks"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H755-H99P-9FFV

Vulnerability from github – Published: 2022-05-14 01:40 – Updated: 2024-01-08 20:11
VLAI
Summary
XML External Entity Reference in weixin-java-tools
Details

An issue was discovered in weixin-java-tools. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.github.binarywang:weixin-java-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.2.B"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-5312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-08T20:11:00Z",
    "nvd_published_at": "2019-01-04T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in weixin-java-tools. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for CVE-2018-20318.",
  "id": "GHSA-h755-h99p-9ffv",
  "modified": "2024-01-08T20:11:00Z",
  "published": "2022-05-14T01:40:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5312"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Wechat-Group/WxJava/issues/903"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Wechat-Group/WxJava/issues/903#issuecomment-453747039"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Wechat-Group/WxJava/commit/8ec61d1328f50e23cd14285a950ca57a088b32b2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference in weixin-java-tools"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.