CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1693 vulnerabilities reference this CWE, most recent first.
GHSA-MJM5-8P7X-R4CV
Vulnerability from github – Published: 2023-11-08 18:30 – Updated: 2023-11-08 18:30An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. An attacker could exploit this vulnerability by getting a user to open a specially crafted data file.
{
"affected": [],
"aliases": [
"CVE-2023-5136"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-08T16:15:11Z",
"severity": "MODERATE"
},
"details": "An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. An attacker could exploit this vulnerability by getting a user to open a specially crafted data file.\n",
"id": "GHSA-mjm5-8p7x-r4cv",
"modified": "2023-11-08T18:30:31Z",
"published": "2023-11-08T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5136"
},
{
"type": "WEB",
"url": "https://www.ni.com/en/support/documentation/supplemental/23/incorrect-permission-assignment-in-the-topografix-dataplug-for-gpx.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MM8J-9X84-M9CV
Vulnerability from github – Published: 2021-06-16 17:34 – Updated: 2021-04-06 21:44OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.mikesamuel:json-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23899"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-06T21:44:01Z",
"nvd_published_at": "2021-01-13T16:15:00Z",
"severity": "CRITICAL"
},
"details": "OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.",
"id": "GHSA-mm8j-9x84-m9cv",
"modified": "2021-04-06T21:44:01Z",
"published": "2021-06-16T17:34:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23899"
},
{
"type": "WEB",
"url": "https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e"
},
{
"type": "WEB",
"url": "https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary code injection in json-sanitizer"
}
GHSA-MM8X-P4PR-4P9F
Vulnerability from github – Published: 2024-02-06 09:31 – Updated: 2024-02-14 00:35The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport.
{
"affected": [],
"aliases": [
"CVE-2023-52239"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T07:15:10Z",
"severity": "MODERATE"
},
"details": "The XML parser in Magic xpi Integration Platform 4.13.4 allows XXE attacks, e.g., via onItemImport.",
"id": "GHSA-mm8x-p4pr-4p9f",
"modified": "2024-02-14T00:35:41Z",
"published": "2024-02-06T09:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52239"
},
{
"type": "WEB",
"url": "https://ds-security.com/post/xml_external_entity_injection_magic_xpi"
},
{
"type": "WEB",
"url": "https://www2.magicsoftware.com/ver/docs/Downloads/Magicxpi/4.14/Windows/ReleaseNotes4.14.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MMCG-C68Q-4P38
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2013-1915"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-04-25T23:55:00Z",
"severity": "HIGH"
},
"details": "ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.",
"id": "GHSA-mmcg-c68q-4p38",
"modified": "2022-05-13T01:11:43Z",
"published": "2022-05-13T01:11:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1915"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=947842"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101898.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101911.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102616.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-08/msg00031.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/52847"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/52977"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2013/dsa-2659"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:156"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/04/03/7"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/58810"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MMQW-R4V3-63Q7
Vulnerability from github – Published: 2025-09-26 21:30 – Updated: 2025-09-26 21:30A vulnerability was determined in Jinher OA 2.0. The impacted element is an unknown function of the file /c6/Jhsoft.Web.module/ToolBar/ManageWord.aspx/?text=GetUrl&style=1. This manipulation causes xml external entity reference. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
{
"affected": [],
"aliases": [
"CVE-2025-11035"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-26T19:15:34Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in Jinher OA 2.0. The impacted element is an unknown function of the file /c6/Jhsoft.Web.module/ToolBar/ManageWord.aspx/?text=GetUrl\u0026style=1. This manipulation causes xml external entity reference. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.",
"id": "GHSA-mmqw-r4v3-63q7",
"modified": "2025-09-26T21:30:29Z",
"published": "2025-09-26T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11035"
},
{
"type": "WEB",
"url": "https://github.com/frwfxc123/CVE/issues/1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325982"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325982"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.658253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MRVG-P24W-MP92
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2025-04-12 12:47The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.
{
"affected": [],
"aliases": [
"CVE-2015-3451"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-05-12T19:59:00Z",
"severity": "MODERATE"
},
"details": "The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.",
"id": "GHSA-mrvg-p24w-mp92",
"modified": "2025-04-12T12:47:43Z",
"published": "2022-05-13T01:27:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3451"
},
{
"type": "WEB",
"url": "https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30/raw"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2015-0199.html"
},
{
"type": "WEB",
"url": "http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157448.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157740.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00006.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3243"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:231"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/04/25/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/04/30/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74333"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2592-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MVHV-28QJ-949C
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.
{
"affected": [],
"aliases": [
"CVE-2018-15444"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-08T18:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based user interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by convincing a user of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files within the affected application.",
"id": "GHSA-mvhv-28qj-949c",
"modified": "2022-05-13T01:34:16Z",
"published": "2022-05-13T01:34:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15444"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-ems-xml-xxe"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2018-36"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105860"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MWXW-R5FQ-RX8V
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
{
"affected": [],
"aliases": [
"CVE-2021-37425"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-10T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.",
"id": "GHSA-mwxw-r5fq-rx8v",
"modified": "2022-05-24T19:10:48Z",
"published": "2022-05-24T19:10:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37425"
},
{
"type": "WEB",
"url": "https://www.altova.com/mobiletogether"
},
{
"type": "WEB",
"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2021-002"
},
{
"type": "WEB",
"url": "https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Aug/12"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MXVX-H4RP-CJRC
Vulnerability from github – Published: 2022-05-13 01:54 – Updated: 2022-05-13 01:54UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious plugins.xml file.
{
"affected": [],
"aliases": [
"CVE-2018-1000837"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "CRITICAL"
},
"details": "UML Designer version \u003c= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious plugins.xml file.",
"id": "GHSA-mxvx-h4rp-cjrc",
"modified": "2022-05-13T01:54:14Z",
"published": "2022-05-13T01:54:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000837"
},
{
"type": "WEB",
"url": "https://github.com/ObeoNetwork/UML-Designer/issues/1035"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/28/uml-designer-XXE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2HQ-X27F-8MX5
Vulnerability from github – Published: 2022-01-31 00:00 – Updated: 2022-02-05 00:00Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.
{
"affected": [],
"aliases": [
"CVE-2021-46660"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-30T00:15:00Z",
"severity": "CRITICAL"
},
"details": "Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.",
"id": "GHSA-p2hq-x27f-8mx5",
"modified": "2022-02-05T00:00:58Z",
"published": "2022-01-31T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46660"
},
{
"type": "WEB",
"url": "https://help.signiant.com/flight-deck/general/release-notes-15-1"
},
{
"type": "WEB",
"url": "https://www.signiant.com/technology/security"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.