CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-PG28-353J-PR59
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.
{
"affected": [],
"aliases": [
"CVE-2019-3752"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-16T22:15:00Z",
"severity": "HIGH"
},
"details": "Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3 and 2.4. contain an XML External Entity(XXE) Injection vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability to cause Denial of Service or information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.",
"id": "GHSA-pg28-353j-pr59",
"modified": "2022-05-24T19:08:20Z",
"published": "2022-05-24T19:08:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3752"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/security/en-us/details/537853/DSA-2019-119-Dell-EMC-Avamar-XML-External-Entity-Injection-Vulnerability"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PG3C-C32P-95VX
Vulnerability from github – Published: 2022-05-17 00:50 – Updated: 2022-05-17 00:50XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.
{
"affected": [],
"aliases": [
"CVE-2017-8918"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-12T18:29:00Z",
"severity": "MODERATE"
},
"details": "XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - Desktop Edition 8.0 allows attackers to remotely view local files via a crafted template.xml file.",
"id": "GHSA-pg3c-c32p-95vx",
"modified": "2022-05-17T00:50:24Z",
"published": "2022-05-17T00:50:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8918"
},
{
"type": "WEB",
"url": "https://thenopsled.com/Exploit-DB%20Writeup.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PGCF-289Q-WWMJ
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-12-03 00:30IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.
{
"affected": [],
"aliases": [
"CVE-2019-4424"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T20:15:00Z",
"severity": "HIGH"
},
"details": "IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162770.",
"id": "GHSA-pgcf-289q-wwmj",
"modified": "2022-12-03T00:30:20Z",
"published": "2022-05-24T16:54:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4424"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162770"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10959537"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PGR7-WPPM-2GMP
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2023-09-28 15:30yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document.
{
"affected": [],
"aliases": [
"CVE-2020-25215"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T19:15:00Z",
"severity": "CRITICAL"
},
"details": "yWorks yEd Desktop before 3.20.1 allows XXE attacks via an XML or GraphML document.",
"id": "GHSA-pgr7-wppm-2gmp",
"modified": "2023-09-28T15:30:15Z",
"published": "2022-05-24T17:28:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25215"
},
{
"type": "WEB",
"url": "https://www.yworks.com/products/yed/download"
},
{
"type": "WEB",
"url": "https://zigrin.com/advisories/yworks-yed-graph-editor-xml-external-entity-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PGWJ-M55X-47M9
Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file.
{
"affected": [],
"aliases": [
"CVE-2018-0414"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-05T14:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file.",
"id": "GHSA-pgwj-m55x-47m9",
"modified": "2022-05-13T01:35:12Z",
"published": "2022-05-13T01:35:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0414"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-acsxxe"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105289"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041688"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PH8X-8Q5Q-F3MH
Vulnerability from github – Published: 2022-05-14 03:21 – Updated: 2022-05-14 03:21The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
{
"affected": [],
"aliases": [
"CVE-2017-6323"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-16T19:29:00Z",
"severity": "HIGH"
},
"details": "The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.",
"id": "GHSA-ph8x-8q5q-f3mh",
"modified": "2022-05-14T03:21:40Z",
"published": "2022-05-14T03:21:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6323"
},
{
"type": "WEB",
"url": "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20170628_00"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98621"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHMG-7CWJ-2HP3
Vulnerability from github – Published: 2025-07-30 21:31 – Updated: 2025-07-30 21:31Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2025-36608"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-30T19:15:47Z",
"severity": "MODERATE"
},
"details": "Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.",
"id": "GHSA-phmg-7cwj-2hp3",
"modified": "2025-07-30T21:31:39Z",
"published": "2025-07-30T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36608"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000346195/dsa-2025-259-security-update-for-dell-networking-os10-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJ2P-4HQ9-W6VQ
Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2022-05-17 00:26XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.
{
"affected": [],
"aliases": [
"CVE-2017-13706"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T13:29:00Z",
"severity": "CRITICAL"
},
"details": "XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.",
"id": "GHSA-pj2p-4hq9-w6vq",
"modified": "2022-05-17T00:26:26Z",
"published": "2022-05-17T00:26:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13706"
},
{
"type": "WEB",
"url": "https://www.lansweeper.com/changelog.aspx"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/144527/Lansweeper-6.0.100.29-XXE-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Oct/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJ6P-9P8X-5MFC
Vulnerability from github – Published: 2026-05-08 06:32 – Updated: 2026-05-14 13:05Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencms:opencms-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42346"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T13:05:03Z",
"nvd_published_at": "2026-05-08T05:16:09Z",
"severity": "HIGH"
},
"details": "Alkacon OpenCms before 16 allows XXE when the \u003c!DOCTYPE\u003e refers to an external host.",
"id": "GHSA-pj6p-9p8x-5mfc",
"modified": "2026-05-14T13:05:03Z",
"published": "2026-05-08T06:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42346"
},
{
"type": "PACKAGE",
"url": "https://github.com/alkacon/opencms-core"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Alkacon OpenCms is vulnerable to XXE when the \u003c!DOCTYPE\u003e refers to an external host"
}
GHSA-PJ74-PF28-5QJW
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2025-10-22 00:31mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-9670"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-29T22:29:00Z",
"severity": "CRITICAL"
},
"details": "mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.",
"id": "GHSA-pj74-pf28-5qjw",
"modified": "2025-10-22T00:31:41Z",
"published": "2022-05-24T16:46:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9670"
},
{
"type": "WEB",
"url": "https://bugzilla.zimbra.com/show_bug.cgi?id=109129"
},
{
"type": "WEB",
"url": "https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9670"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46693"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html"
},
{
"type": "WEB",
"url": "http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.