CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-JJ54-8F66-C5PC
Vulnerability from github – Published: 2025-06-10 20:10 – Updated: 2025-06-10 20:10Summary
GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.
It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF).
Details
While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.
This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks.
PoC
No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service.
Impact
- Information Disclosure:
This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that are accessible to the GeoServer process.
This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe.
- Server-Side Request Forgery (SSRF)
The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources
References
- CVE-2025-30220 XML External Entity (XXE) Processing Vulnerability in XSD schema handling
- External Entities Resolution (GeoServer User Manual)
Acknowledgements
This vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution.
XBOW-025-068 Disclaimer
This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.27.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-wfs"
},
"ranges": [
{
"events": [
{
"introduced": "2.27.0"
},
{
"fixed": "2.27.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.27.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "2.26.0"
},
{
"fixed": "2.26.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-wfs"
},
"ranges": [
{
"events": [
{
"introduced": "2.26.0"
},
{
"fixed": "2.26.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.25.6"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.25.6"
},
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-wfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30220"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-10T20:10:06Z",
"nvd_published_at": "2025-06-10T16:15:37Z",
"severity": "HIGH"
},
"details": "## Summary\n\nGeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.\n\nIt is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF).\n\n## Details\n\nWhile direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.\n\nThis bypasses GeoServer\u0027s AllowListEntityResolver enabling XXE attacks.\n\n## PoC\n\nNo public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service.\n\n## Impact\n\n* Information Disclosure: \n\n This vulnerability allows unauthenticated attackers to read arbitrary files from the server\u0027s filesystem that are accessible to the GeoServer process.\n \n This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe.\n\n* Server-Side Request Forgery (SSRF) \n \n The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources \n\n## References\n\n* [CVE-2025-30220](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw) XML External Entity (XXE) Processing Vulnerability in XSD schema handling\n* [External Entities Resolution](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) (GeoServer User Manual)\n\n## Acknowledgements\n\nThis vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution.\n\n### XBOW-025-068 Disclaimer\n\nThis vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.",
"id": "GHSA-jj54-8f66-c5pc",
"modified": "2025-06-10T20:10:07Z",
"published": "2025-06-10T20:10:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
},
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc"
},
{
"type": "WEB",
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30220"
},
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
},
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
},
{
"type": "WEB",
"url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
},
{
"type": "WEB",
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
},
{
"type": "PACKAGE",
"url": "https://github.com/geoserver/geoserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service"
}
GHSA-JJ7F-WQMM-8Q5F
Vulnerability from github – Published: 2022-05-17 00:35 – Updated: 2022-05-17 00:35An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions < V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions < V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker.
{
"affected": [],
"aliases": [
"CVE-2017-12069"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-30T19:29:00Z",
"severity": "HIGH"
},
"details": "An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions \u003c V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions \u003c V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker.",
"id": "GHSA-jj7f-wqmm-8q5f",
"modified": "2022-05-17T00:35:07Z",
"published": "2022-05-17T00:35:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12069"
},
{
"type": "WEB",
"url": "https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2017-12069.pdf"
},
{
"type": "WEB",
"url": "https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100559"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJP7-4G9F-H4V5
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67.
{
"affected": [],
"aliases": [
"CVE-2018-7230"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-09T23:29:00Z",
"severity": "HIGH"
},
"details": "A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric\u0027s Pelco Sarix Professional in all firmware versions prior to 3.29.67.",
"id": "GHSA-jjp7-4g9f-h4v5",
"modified": "2022-05-13T01:04:05Z",
"published": "2022-05-13T01:04:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7230"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-058-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJWR-5CFH-7XWH
Vulnerability from github – Published: 2025-07-15 18:04 – Updated: 2025-07-15 18:04Impact
Two related XXE injection possibilities have been discovered, impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1.
- External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (
./dspace importcommand) or from the "Batch Import (Zip)" user interface feature. (Likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0) - External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. (Impacts all versions of DSpace 7.0 <= 7.6.3, 8.0 <= 8.1 and 9.0)
An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running or content from remote URLs. The ability to include content from a remote URL could result in a request forgery attack, and disclosure of sensitive information in the response.
The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import). * The most severe practical impact is a case where an attacker obtains DSpace administrator credentials and uses the Batch Import feature with a malicious SAF archive to expose sensitive local files readable by the Tomcat user, or secrets and access tokens from an authenticated service via request forgery. * An attacker without administrative credentials might use some other tactic to convince an administrator to import a malicious SAF archive they have supplied.
The Import from External Sources feature has a narrower attack vector. While this feature is usable by any DSpace Submitter, the malicious payload must be provided by the external source (e.g. arXiv, Crossref, OpenAIRE, or Creative Commons). No known method exists for an attacker to inject XXE via content uploads. Instead, the service itself would need to be compromised in such a way that it would inject a malicious payload into its API response.
Patches
The fix is included in DSpace 7.6.4, 8.2 and 9.1. Please upgrade to one of these versions.
If you cannot upgrade immediately, it is possible to manually patch your DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. This pull request provides central methods to retrieve Java XML, SAX, JAXB XML document builders with safe default settings, including XXE protection. * Pull request for 7.x: https://github.com/DSpace/DSpace/pull/11032 (Downloadable patch file) * Pull request for 8.x: https://github.com/DSpace/DSpace/pull/11034 (Downloadable patch file) * Pull request for 9.0: https://github.com/DSpace/DSpace/pull/11035 (Downloadable patch file)
Apply the patch to your DSpace
If at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches to your DSpace backend as follows:
1. Download the appropriate patch file to the machine where DSpace backend is running
2. From the [dspace-src] folder, apply the patch, e.g. git apply [name-of-file].patch
3. Now, update your DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:
1. Rebuild DSpace, e.g. mvn -U clean package (This will recompile all DSpace backend code)
2. Redeploy DSpace, e.g. ant update (This will copy all newly built code to your installation directory). Depending on your setup you also may need to copy the updated "server" webapp over to your Tomcat webapps folder.
3. Restart Tomcat (or runnable JAR)
Workarounds
Patching the system is the recommended fix. It is not possible to fully protect your system via workarounds.
That said, until you are able to patch your system or upgrade, you can apply these best practices: * Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing. If SAF archives are too large to manually inspect, you should avoid importing them until your site is patched. * As necessary, affected external services can be disabled (see documentation) to mitigate the ability for a malicious payload to be delivered via external service APIs.
Credits
Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703) Code fix developed by Kim Shepherd (@kshepherd) of The Library Code
For more information
- XXE Cheat Sheet / Explanations
- If you have any questions or comments about this advisory, please contact us at security@dspace.org
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.dspace:dspace-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.dspace:dspace-api"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.dspace:dspace-api"
},
"ranges": [
{
"events": [
{
"introduced": "9.0"
},
{
"fixed": "9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53621"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-15T18:04:53Z",
"nvd_published_at": "2025-07-15T15:15:25Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nTwo related XXE injection possibilities have been discovered, **impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1**.\n\n1. External entities are not disabled when parsing XML files during import of an archive (in [Simple Archive Format](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566653)), either from command-line (`./dspace import` command) or from the \"Batch Import (Zip)\" user interface feature. _(Likely impacts all versions of DSpace 1.x \u003c= 7.6.3, 8.0 \u003c= 8.1, and 9.0)_\n2. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in [import from external sources](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566672) via the user interface or REST API. _(Impacts all versions of DSpace 7.0 \u003c= 7.6.3, 8.0 \u003c= 8.1 and 9.0)_\n\nAn XXE injection in these files may result in a connection being made to an attacker\u0027s site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running or content from remote URLs. The ability to include content from a remote URL could result in a request forgery attack, and disclosure of sensitive information in the response.\n\n**The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators** (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import).\n* **The most severe practical impact** is a case where an attacker obtains DSpace administrator credentials and uses the Batch Import feature with a malicious SAF archive to expose sensitive local files readable by the Tomcat user, or secrets and access tokens from an authenticated service via request forgery.\n* An attacker without administrative credentials might use some other tactic to convince an administrator to import a malicious SAF archive they have supplied.\n\n**The Import from External Sources feature has a narrower attack vector**. While this feature is usable by any DSpace Submitter, the malicious payload must be provided *by the external source* (e.g. arXiv, Crossref, OpenAIRE, or Creative Commons). No known method exists for an attacker to inject XXE via content uploads. Instead, the service itself would need to be compromised in such a way that it would inject a malicious payload into its API response.\n\n### Patches\n\nThe fix is included in DSpace 7.6.4, 8.2 and 9.1. Please upgrade to one of these versions.\n\nIf you cannot upgrade immediately, it is possible to manually patch your DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. This pull request provides central methods to retrieve Java XML, SAX, JAXB XML document builders with safe default settings, including XXE protection.\n* Pull request for 7.x: https://github.com/DSpace/DSpace/pull/11032 ([Downloadable patch file](https://github.com/DSpace/DSpace/pull/11032.patch))\n* Pull request for 8.x: https://github.com/DSpace/DSpace/pull/11034 ([Downloadable patch file](https://github.com/DSpace/DSpace/pull/11034.patch))\n* Pull request for 9.0: https://github.com/DSpace/DSpace/pull/11035 ([Downloadable patch file](https://github.com/DSpace/DSpace/pull/11035.patch))\n\n#### Apply the patch to your DSpace\nIf at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches to your DSpace backend as follows:\n1. Download the appropriate patch file to the machine where DSpace backend is running\n2. From the `[dspace-src]` folder, apply the patch, e.g. `git apply [name-of-file].patch`\n3. Now, update your DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:\n 1. Rebuild DSpace, e.g. `mvn -U clean package` (This will recompile all DSpace backend code)\n 2. Redeploy DSpace, e.g. `ant update` (This will copy all newly built code to your installation directory). Depending on your setup you also may need to copy the updated \"server\" webapp over to your Tomcat webapps folder.\n 3. Restart Tomcat (or runnable JAR)\n\n### Workarounds\n**Patching the system is the recommended fix.** It is not possible to fully protect your system via workarounds.\n\nThat said, until you are able to patch your system or upgrade, you can apply these best practices:\n* Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing. If SAF archives are too large to manually inspect, you should avoid importing them until your site is patched.\n* As necessary, affected external services can be disabled (see [documentation](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566672)) to mitigate the ability for a malicious payload to be delivered via external service APIs.\n\n\n### Credits\nDiscovered \u0026 reported by Pablo Picurelli Ortiz (@superpegaso2703)\nCode fix developed by Kim Shepherd (@kshepherd) of The Library Code\n\n### For more information\n* [XXE Cheat Sheet / Explanations](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n* If you have any questions or comments about this advisory, please contact us at [security@dspace.org](mailto:security@dspace.org)",
"id": "GHSA-jjwr-5cfh-7xwh",
"modified": "2025-07-15T18:04:53Z",
"published": "2025-07-15T18:04:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-jjwr-5cfh-7xwh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53621"
},
{
"type": "WEB",
"url": "https://github.com/DSpace/DSpace/pull/11032"
},
{
"type": "WEB",
"url": "https://github.com/DSpace/DSpace/pull/11032.patch"
},
{
"type": "WEB",
"url": "https://github.com/DSpace/DSpace/pull/11034"
},
{
"type": "WEB",
"url": "https://github.com/DSpace/DSpace/pull/11034.patch"
},
{
"type": "WEB",
"url": "https://github.com/DSpace/DSpace/pull/11035"
},
{
"type": "WEB",
"url": "https://github.com/DSpace/DSpace/pull/11035.patch"
},
{
"type": "PACKAGE",
"url": "https://github.com/DSpace/DSpace"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "DSpace is vulnerable to XML External Entity injection during archive imports "
}
GHSA-JJX4-28Q5-R3GR
Vulnerability from github – Published: 2025-10-24 15:31 – Updated: 2025-10-24 15:31Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2025-46425"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-24T14:15:42Z",
"severity": "MODERATE"
},
"details": "Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.",
"id": "GHSA-jjx4-28q5-r3gr",
"modified": "2025-10-24T15:31:26Z",
"published": "2025-10-24T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46425"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJXH-VPF5-JM42
Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-22 15:32An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie
project, allowing an attacker to inject malicious XML entities. This
vulnerability occurs due to insecure parsing of XML input using the
DocumentBuilderFactory class without disabling external entity
resolution. An attacker can exploit this vulnerability to read arbitrary
files on the server or perform server-side request forgery (SSRF)
attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk
branch.
{
"affected": [],
"aliases": [
"CVE-2025-23195"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T22:15:12Z",
"severity": "HIGH"
},
"details": "An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie \nproject, allowing an attacker to inject malicious XML entities. This \nvulnerability occurs due to insecure parsing of XML input using the \n`DocumentBuilderFactory` class without disabling external entity \nresolution. An attacker can exploit this vulnerability to read arbitrary\n files on the server or perform server-side request forgery (SSRF) \nattacks. The issue has been fixed in both Ambari 2.7.9 and the trunk \nbranch.",
"id": "GHSA-jjxh-vpf5-jm42",
"modified": "2025-01-22T15:32:33Z",
"published": "2025-01-22T00:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23195"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JMHH-HG4R-G2C2
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2025-04-20 03:40xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service
{
"affected": [],
"aliases": [
"CVE-2017-1000061"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service",
"id": "GHSA-jmhh-hg4r-g2c2",
"modified": "2025-04-20T03:40:45Z",
"published": "2022-05-13T01:09:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000061"
},
{
"type": "WEB",
"url": "https://github.com/lsh123/xmlsec/issues/43"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2492"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPX5-QV8Q-FWXP
Vulnerability from github – Published: 2024-03-28 21:30 – Updated: 2024-03-28 21:30Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2024-25971"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-28T19:15:48Z",
"severity": "MODERATE"
},
"details": "Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.",
"id": "GHSA-jpx5-qv8q-fwxp",
"modified": "2024-03-28T21:30:31Z",
"published": "2024-03-28T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25971"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000223556/dsa-2024-132-security-update-dell-power-protect-data-manager-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JQ6W-J2RM-C2QQ
Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-23 18:30Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
{
"affected": [],
"aliases": [
"CVE-2022-41696"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T23:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
"id": "GHSA-jq6w-j2rm-c2qq",
"modified": "2023-03-23T18:30:19Z",
"published": "2023-03-22T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41696"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQ8C-J47C-VVWM
Vulnerability from github – Published: 2022-09-23 00:00 – Updated: 2022-09-27 22:14An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "soap:soap"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"last_affected": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-40705"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-27T22:14:56Z",
"nvd_published_at": "2022-09-22T09:15:00Z",
"severity": "HIGH"
},
"details": "An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-jq8c-j47c-vvwm",
"modified": "2022-09-27T22:14:56Z",
"published": "2022-09-23T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40705"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/02yo04w93rdjmllz4454lvodn5xzhwhl"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/22/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache SOAP\u0027s RPCRouterServlet allows reading of arbitrary files over HTTP"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.