Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-HXXP-6546-WV6R

Vulnerability from github – Published: 2021-07-02 18:36 – Updated: 2023-10-27 15:58
VLAI
Summary
XXE vulnerability in Jenkins Selenium HTML report Plugin
Details

Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:seleniumhtmlreport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-01T20:14:49Z",
    "nvd_published_at": "2021-06-30T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.",
  "id": "GHSA-hxxp-6546-wv6r",
  "modified": "2023-10-27T15:58:03Z",
  "published": "2021-07-02T18:36:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/seleniumhtmlreport-plugin/commit/5ca59b8c7d23af4450dc7f19c1b4107d59063ae1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/seleniumhtmlreport-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2329"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/06/30/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/04/14/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Selenium HTML report Plugin"
}

GHSA-J22Q-32G5-7C29

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-25T17:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php.",
  "id": "GHSA-j22q-32g5-7c29",
  "modified": "2022-05-13T01:25:26Z",
  "published": "2022-05-13T01:25:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8110"
    },
    {
      "type": "WEB",
      "url": "http://jgj212.blogspot.hk/2017/04/modified-ecommerce-shopsoftware-2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J23M-3CCJ-PXXW

Vulnerability from github – Published: 2025-12-24 21:30 – Updated: 2025-12-24 21:30
VLAI
Details

KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T20:15:53Z",
    "severity": "HIGH"
  },
  "details": "KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.",
  "id": "GHSA-j23m-3ccj-pxxw",
  "modified": "2025-12-24T21:30:34Z",
  "published": "2025-12-24T21:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25253"
    },
    {
      "type": "WEB",
      "url": "https://global.kyocera.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44430"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J28W-MFMP-M73W

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-02T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.",
  "id": "GHSA-j28w-mfmp-m73w",
  "modified": "2022-05-13T01:32:01Z",
  "published": "2022-05-13T01:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6486"
    },
    {
      "type": "WEB",
      "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102902"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J2C4-RR9Q-8J5C

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:32
VLAI
Details

BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-07T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.",
  "id": "GHSA-j2c4-rr9q-8j5c",
  "modified": "2024-04-04T00:32:00Z",
  "published": "2022-05-24T16:45:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rxtur/BlogEngine.NET/commits/master"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46106"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/151063/BlogEngine-3.3-XML-External-Entity-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J2WX-Q7QW-R37W

Vulnerability from github – Published: 2023-09-05 00:30 – Updated: 2024-04-04 07:26
VLAI
Details

IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-05T00:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.  IBM X-Force ID:  258786.",
  "id": "GHSA-j2wx-q7qw-r37w",
  "modified": "2024-04-04T07:26:22Z",
  "published": "2023-09-05T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35892"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/258786"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7030359"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J33P-XV8J-C84J

Vulnerability from github – Published: 2022-05-17 00:34 – Updated: 2022-05-17 00:34
VLAI
Details

Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-28T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.",
  "id": "GHSA-j33p-xv8j-c84j",
  "modified": "2022-05-17T00:34:47Z",
  "published": "2022-05-17T00:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14526"
    },
    {
      "type": "WEB",
      "url": "https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Sep/58"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J343-8C44-P9W7

Vulnerability from github – Published: 2023-03-09 18:30 – Updated: 2023-03-15 18:30
VLAI
Details

An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows Remote File inclusions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-09T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows Remote File inclusions.",
  "id": "GHSA-j343-8c44-p9w7",
  "modified": "2023-03-15T18:30:29Z",
  "published": "2023-03-09T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1288"
    },
    {
      "type": "WEB",
      "url": "https://www.3ds.com/vulnerability/advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J379-9JR9-W5CQ

Vulnerability from github – Published: 2018-12-21 17:48 – Updated: 2022-09-14 22:25
VLAI
Summary
XML External Entity (XXE) vulnerability in Square Retrofit
Details

Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain a XML External Entity (XXE) vulnerability in JAXB. An attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed in commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.squareup.retrofit2:retrofit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:41:45Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain a XML External Entity (XXE) vulnerability in JAXB. An attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed in commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.",
  "id": "GHSA-j379-9jr9-w5cq",
  "modified": "2022-09-14T22:25:34Z",
  "published": "2018-12-21T17:48:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000844"
    },
    {
      "type": "WEB",
      "url": "https://github.com/square/retrofit/pull/2735"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-j379-9jr9-w5cq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/square/retrofit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity (XXE) vulnerability in Square Retrofit"
}

GHSA-J3GF-GCJ2-HMM5

Vulnerability from github – Published: 2024-12-19 18:31 – Updated: 2024-12-19 18:31
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation. 

The vulnerability could be exploited to confidential information

This issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-19T17:15:06Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in OpenText\u2122 Operations Bridge Manager allows Input Data Manipulation.\u00a0\n\nThe vulnerability could be exploited to confidential information\n\nThis issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.",
  "id": "GHSA-j3gf-gcj2-hmm5",
  "modified": "2024-12-19T18:31:37Z",
  "published": "2024-12-19T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22501"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000037407?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.