Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-J9XG-V3P9-32VG

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection"

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-13T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "\" Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection\"",
  "id": "GHSA-j9xg-v3p9-32vg",
  "modified": "2022-05-24T19:11:07Z",
  "published": "2022-05-24T19:11:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27741"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0089834"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JC43-H2GQ-6J6C

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47
VLAI
Details

IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-20T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.",
  "id": "GHSA-jc43-h2gq-6j6c",
  "modified": "2022-05-24T17:47:54Z",
  "published": "2022-05-24T17:47:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20453"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196648"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6445171"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCMM-4PWV-FQP4

Vulnerability from github – Published: 2023-08-04 00:30 – Updated: 2024-04-04 06:32
VLAI
Details

The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-03T22:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE). ",
  "id": "GHSA-jcmm-4pwv-fqp4",
  "modified": "2024-04-04T06:32:25Z",
  "published": "2023-08-04T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30951"
    },
    {
      "type": "WEB",
      "url": "https://palantir.safebase.us/?tcuUid=fe021f28-9e25-42c4-acd8-772cd8006ced"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCWR-X25H-X5FH

Vulnerability from github – Published: 2023-09-25 21:30 – Updated: 2024-05-03 20:26
VLAI
Summary
codehaus-plexus vulnerable to XML injection
Details

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.plexus:plexus-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-26T19:38:53Z",
    "nvd_published_at": "2023-09-25T20:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in codehaus-plexus. The `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `--\u003e` sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. ",
  "id": "GHSA-jcwr-x25h-x5fh",
  "modified": "2024-05-03T20:26:14Z",
  "published": "2023-09-25T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codehaus-plexus/plexus-utils/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:2135"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:3906"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-4245"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codehaus-plexus/plexus-utils"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "codehaus-plexus vulnerable to XML injection"
}

GHSA-JF3W-9WV7-XJMG

Vulnerability from github – Published: 2022-05-17 00:34 – Updated: 2022-05-17 00:34
VLAI
Details

Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Webtop 6.8.0160.0073 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-28T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Webtop 6.8.0160.0073 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in.",
  "id": "GHSA-jf3w-9wv7-xjmg",
  "modified": "2022-05-17T00:34:17Z",
  "published": "2022-05-17T00:34:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14527"
    },
    {
      "type": "WEB",
      "url": "https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Sep/58"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JFFQ-528J-MP6C

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2025-07-02 19:24
VLAI
Summary
Withdrawn Advisory: Improper Restriction of XML External Entity Reference in Mulesoft APIkit
Details

Withdrawn Advisory

This advisory has been withdrawn because it does not affected a package in a supported ecosystem. This link has been maintained to preserve external references.

Original Description

Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.mule.modules:mule-apikit-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-10991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T01:26:08Z",
    "nvd_published_at": "2020-03-27T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because it does not affected a package in a [supported ecosystem](https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-types-of-security-advisories). This link has been maintained to preserve external references.\n\n## Original Description\n\nMulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java",
  "id": "GHSA-jffq-528j-mp6c",
  "modified": "2025-07-02T19:24:00Z",
  "published": "2022-05-24T17:12:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mulesoft/apikit/issues/547"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mulesoft/apikit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: Improper Restriction of XML External Entity Reference in Mulesoft APIkit",
  "withdrawn": "2025-07-02T19:24:00Z"
}

GHSA-JFG6-4GX3-3V7W

Vulnerability from github – Published: 2025-10-29 15:31 – Updated: 2025-11-05 20:52
VLAI
Summary
Jenkins JDepend Plugin vulnerable to XML external entity attacks
Details

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:jdepend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T22:04:08Z",
    "nvd_published_at": "2025-10-29T14:15:57Z",
    "severity": "HIGH"
  },
  "details": "Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to configure input files for the \"Report JDepend\" step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-jfg6-4gx3-3v7w",
  "modified": "2025-11-05T20:52:47Z",
  "published": "2025-10-29T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64134"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jdepend-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-2936"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/29/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins JDepend Plugin vulnerable to XML external entity attacks"
}

GHSA-JFJ9-7J5W-6XGX

Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2024-01-30 22:36
VLAI
Summary
XXE vulnerability in Jenkins Checkstyle Plugin
Details

Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jvnet.hudson.plugins:checkstyle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.50"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:36:33Z",
    "nvd_published_at": "2018-01-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-jfj9-7j5w-6xgx",
  "modified": "2024-01-30T22:36:33Z",
  "published": "2022-05-14T03:46:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000009"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-01-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Checkstyle Plugin"
}

GHSA-JG82-CXV9-53P9

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-04-04 02:55
VLAI
Details

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10710.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-28T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10710.",
  "id": "GHSA-jg82-cxv9-53p9",
  "modified": "2024-04-04T02:55:16Z",
  "published": "2022-05-24T17:24:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15419"
    },
    {
      "type": "WEB",
      "url": "https://www.veeam.com/kb3221"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-822"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHH2-VHMG-X3CQ

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54
VLAI
Details

An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-09T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.",
  "id": "GHSA-jhh2-vhmg-x3cq",
  "modified": "2024-04-04T01:54:14Z",
  "published": "2022-05-24T16:55:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R40"
    },
    {
      "type": "WEB",
      "url": "https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.