CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-HXXP-6546-WV6R
Vulnerability from github – Published: 2021-07-02 18:36 – Updated: 2023-10-27 15:58Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:seleniumhtmlreport"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21672"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-01T20:14:49Z",
"nvd_published_at": "2021-06-30T17:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.",
"id": "GHSA-hxxp-6546-wv6r",
"modified": "2023-10-27T15:58:03Z",
"published": "2021-07-02T18:36:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21672"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/seleniumhtmlreport-plugin/commit/5ca59b8c7d23af4450dc7f19c1b4107d59063ae1"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/seleniumhtmlreport-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2329"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/06/30/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/04/14/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Selenium HTML report Plugin"
}
GHSA-J22Q-32G5-7C29
Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php.
{
"affected": [],
"aliases": [
"CVE-2017-8110"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-25T17:59:00Z",
"severity": "CRITICAL"
},
"details": "www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php.",
"id": "GHSA-j22q-32g5-7c29",
"modified": "2022-05-13T01:25:26Z",
"published": "2022-05-13T01:25:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8110"
},
{
"type": "WEB",
"url": "http://jgj212.blogspot.hk/2017/04/modified-ecommerce-shopsoftware-2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J23M-3CCJ-PXXW
Vulnerability from github – Published: 2025-12-24 21:30 – Updated: 2025-12-24 21:30KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.
{
"affected": [],
"aliases": [
"CVE-2019-25253"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-24T20:15:53Z",
"severity": "HIGH"
},
"details": "KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack.",
"id": "GHSA-j23m-3ccj-pxxw",
"modified": "2025-12-24T21:30:34Z",
"published": "2025-12-24T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25253"
},
{
"type": "WEB",
"url": "https://global.kyocera.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44430"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J28W-MFMP-M73W
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.
{
"affected": [],
"aliases": [
"CVE-2018-6486"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-02T14:29:00Z",
"severity": "CRITICAL"
},
"details": "XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), versions 16.10, 16.20, 17.10. This vulnerability could be exploited to allow a XML External Entity (XXE) injection.",
"id": "GHSA-j28w-mfmp-m73w",
"modified": "2022-05-13T01:32:01Z",
"published": "2022-05-13T01:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6486"
},
{
"type": "WEB",
"url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102902"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2C4-RR9Q-8J5C
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:32BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.
{
"affected": [],
"aliases": [
"CVE-2018-14485"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-07T18:29:00Z",
"severity": "CRITICAL"
},
"details": "BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.",
"id": "GHSA-j2c4-rr9q-8j5c",
"modified": "2024-04-04T00:32:00Z",
"published": "2022-05-24T16:45:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14485"
},
{
"type": "WEB",
"url": "https://github.com/rxtur/BlogEngine.NET/commits/master"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46106"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/151063/BlogEngine-3.3-XML-External-Entity-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2WX-Q7QW-R37W
Vulnerability from github – Published: 2023-09-05 00:30 – Updated: 2024-04-04 07:26IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786.
{
"affected": [],
"aliases": [
"CVE-2023-35892"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-05T00:15:07Z",
"severity": "CRITICAL"
},
"details": "IBM Financial Transaction Manager for SWIFT Services 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 258786.",
"id": "GHSA-j2wx-q7qw-r37w",
"modified": "2024-04-04T07:26:22Z",
"published": "2023-09-05T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35892"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/258786"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7030359"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J33P-XV8J-C84J
Vulnerability from github – Published: 2022-05-17 00:34 – Updated: 2022-05-17 00:34Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.
{
"affected": [],
"aliases": [
"CVE-2017-14526"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-28T01:29:00Z",
"severity": "HIGH"
},
"details": "Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.",
"id": "GHSA-j33p-xv8j-c84j",
"modified": "2022-05-17T00:34:47Z",
"published": "2022-05-17T00:34:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14526"
},
{
"type": "WEB",
"url": "https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Sep/58"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J343-8C44-P9W7
Vulnerability from github – Published: 2023-03-09 18:30 – Updated: 2023-03-15 18:30An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows Remote File inclusions.
{
"affected": [],
"aliases": [
"CVE-2023-1288"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-09T17:15:00Z",
"severity": "CRITICAL"
},
"details": "An XML External Entity injection (XXE) vulnerability in ENOVIA Live Collaboration V6R2013xE allows Remote File inclusions.",
"id": "GHSA-j343-8c44-p9w7",
"modified": "2023-03-15T18:30:29Z",
"published": "2023-03-09T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1288"
},
{
"type": "WEB",
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J379-9JR9-W5CQ
Vulnerability from github – Published: 2018-12-21 17:48 – Updated: 2022-09-14 22:25Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain a XML External Entity (XXE) vulnerability in JAXB. An attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed in commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.squareup.retrofit2:retrofit"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000844"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:41:45Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain a XML External Entity (XXE) vulnerability in JAXB. An attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed in commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.",
"id": "GHSA-j379-9jr9-w5cq",
"modified": "2022-09-14T22:25:34Z",
"published": "2018-12-21T17:48:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000844"
},
{
"type": "WEB",
"url": "https://github.com/square/retrofit/pull/2735"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j379-9jr9-w5cq"
},
{
"type": "PACKAGE",
"url": "https://github.com/square/retrofit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity (XXE) vulnerability in Square Retrofit"
}
GHSA-J3GF-GCJ2-HMM5
Vulnerability from github – Published: 2024-12-19 18:31 – Updated: 2024-12-19 18:31Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation.
The vulnerability could be exploited to confidential information
This issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.
{
"affected": [],
"aliases": [
"CVE-2021-22501"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-19T17:15:06Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in OpenText\u2122 Operations Bridge Manager allows Input Data Manipulation.\u00a0\n\nThe vulnerability could be exploited to confidential information\n\nThis issue affects Operations Bridge Manager: 2017.05, 2017.11, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, 2020.10.",
"id": "GHSA-j3gf-gcj2-hmm5",
"modified": "2024-12-19T18:31:37Z",
"published": "2024-12-19T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22501"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000037407?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.