CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-Q48R-XG9H-78M8
Vulnerability from github – Published: 2022-11-15 12:00 – Updated: 2022-11-22 00:12Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43689"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-22T00:12:47Z",
"nvd_published_at": "2022-11-14T23:15:00Z",
"severity": "MODERATE"
},
"details": "Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.",
"id": "GHSA-q48r-xg9h-78m8",
"modified": "2022-11-22T00:12:47Z",
"published": "2022-11-15T12:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43689"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
},
{
"type": "WEB",
"url": "https://github.com/concretecms/concretecms/releases/8.5.10"
},
{
"type": "WEB",
"url": "https://github.com/concretecms/concretecms/releases/9.1.3"
},
{
"type": "WEB",
"url": "https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Concrete CMS vulnerable to XML External Entity"
}
GHSA-Q4M6-R7VG-PR4J
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143501.
{
"affected": [],
"aliases": [
"CVE-2018-1588"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-25T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143501.",
"id": "GHSA-q4m6-r7vg-pr4j",
"modified": "2022-05-13T01:33:06Z",
"published": "2022-05-13T01:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1588"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/143501"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10731511"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q4MM-89Q2-XFFG
Vulnerability from github – Published: 2022-05-17 01:52 – Updated: 2024-02-09 16:27The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyadmin/phpmyadmin"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyadmin/phpmyadmin"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.10.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-4107"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-09T16:27:56Z",
"nvd_published_at": "2011-11-17T19:55:00Z",
"severity": "MODERATE"
},
"details": "The `simplexml_load_string` function in the XML import plug-in (`libraries/import/xml.php`) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.",
"id": "GHSA-q4mm-89q2-xffg",
"modified": "2024-02-09T16:27:57Z",
"published": "2022-05-17T01:52:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4107"
},
{
"type": "WEB",
"url": "https://github.com/phpmyadmin/phpmyadmin/commit/2fbf631384fd8cded55f4500cb87b129442f9ed2"
},
{
"type": "WEB",
"url": "https://github.com/phpmyadmin/phpmyadmin/commit/34d99de000de9d15cfdf5e9cc8b7682d51110bbd"
},
{
"type": "WEB",
"url": "https://github.com/phpmyadmin/phpmyadmin/commit/5fa86b8e81565c15ddbc359e8f59ecd829a2b717"
},
{
"type": "WEB",
"url": "https://github.com/phpmyadmin/phpmyadmin/commit/a5e206fbd2ca814042cfc1bb7dd3b40c28ce3fb5"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=751112"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71108"
},
{
"type": "PACKAGE",
"url": "https://github.com/phpmyadmin/phpmyadmin"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2011/Nov/21"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/8533"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2391"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/11/03/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/11/03/5"
},
{
"type": "WEB",
"url": "http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "phpMyAdmin vulnerable to XML external entity (XXE) injection attack"
}
GHSA-Q4Q3-6VR4-QQ23
Vulnerability from github – Published: 2024-08-15 18:31 – Updated: 2024-08-15 21:31XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which could lead to various actions such as accessing the underlying server, remote code execution (RCE), or performing Server-Side Request Forgery (SSRF) attacks.
{
"affected": [],
"aliases": [
"CVE-2024-22218"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T18:15:19Z",
"severity": "HIGH"
},
"details": "XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which could lead to various actions such as accessing the underlying server, remote code execution (RCE), or performing Server-Side Request Forgery (SSRF) attacks.",
"id": "GHSA-q4q3-6vr4-qq23",
"modified": "2024-08-15T21:31:19Z",
"published": "2024-08-15T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22218"
},
{
"type": "WEB",
"url": "https://docs.terminalfour.com/articles/release-notes-highlights"
},
{
"type": "WEB",
"url": "https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22218--cve-2024-22219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q4XF-3PMQ-3HW8
Vulnerability from github – Published: 2022-01-06 20:41 – Updated: 2021-03-29 16:20In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.4"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.nifi:nifi"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.12.0-RC1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13940"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-29T16:20:14Z",
"nvd_published_at": "2020-10-01T20:15:00Z",
"severity": "MODERATE"
},
"details": "In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).",
"id": "GHSA-q4xf-3pmq-3hw8",
"modified": "2021-03-29T16:20:14Z",
"published": "2022-01-06T20:41:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13940"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi/commit/7f0416ee8bdcee95e28409cc6fae9c1394c2a798"
},
{
"type": "WEB",
"url": "https://nifi.apache.org/security#CVE-2020-13940"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Apache NiFi"
}
GHSA-Q56H-JJJ6-52MF
Vulnerability from github – Published: 2022-05-17 01:24 – Updated: 2024-04-16 16:27The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.poi:poi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-3529"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-07T22:42:15Z",
"nvd_published_at": "2014-09-04T17:55:00Z",
"severity": "MODERATE"
},
"details": "The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-q56h-jjj6-52mf",
"modified": "2024-04-16T16:27:05Z",
"published": "2022-05-17T01:24:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3529"
},
{
"type": "WEB",
"url": "https://github.com/apache/poi/commit/103b45073c7b504236588b3acc146530205af53c"
},
{
"type": "WEB",
"url": "https://github.com/apache/poi/commit/236c3c52a9b90688b2e57ec503559409e29f33ed"
},
{
"type": "WEB",
"url": "https://github.com/apache/poi/commit/6050a68d5adfb4ffef1edb778add09bcee32d1c3"
},
{
"type": "WEB",
"url": "https://github.com/apache/poi/commit/d72bd78c19dfb7b57395a66ae8d9269d59a87bd2"
},
{
"type": "WEB",
"url": "https://github.com/apache/poi/commit/eabb6a924be24abb879372d0bc967e0d316b2cf8"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95770"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/poi"
},
{
"type": "WEB",
"url": "https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations"
},
{
"type": "WEB",
"url": "http://poi.apache.org/changes.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1370.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1398.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1399.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1400.html"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759"
},
{
"type": "WEB",
"url": "http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Restriction of XML External Entity Reference in Apache POI"
}
GHSA-Q595-R7RH-MC9H
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.
{
"affected": [],
"aliases": [
"CVE-2022-50899"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:15:52Z",
"severity": "HIGH"
},
"details": "Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.",
"id": "GHSA-q595-r7rh-mc9h",
"modified": "2026-01-14T00:31:28Z",
"published": "2026-01-14T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50899"
},
{
"type": "WEB",
"url": "https://geonetwork-opensource.org"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50982"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/geonetwork-xml-external-entity-xxe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q695-424C-RGVG
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.6. This issue does not affect Prisma Access.
{
"affected": [],
"aliases": [
"CVE-2021-3055"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T17:15:00Z",
"severity": "MODERATE"
},
"details": "An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.6. This issue does not affect Prisma Access.",
"id": "GHSA-q695-424c-rgvg",
"modified": "2022-05-24T19:13:19Z",
"published": "2022-05-24T19:13:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3055"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2021-3055"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q6PR-2FQ6-V4RV
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:34The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7
{
"affected": [],
"aliases": [
"CVE-2018-14383"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-07T15:15:00Z",
"severity": "HIGH"
},
"details": "The Transition Technologies \"The Scheduler\" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7",
"id": "GHSA-q6pr-2fq6-v4rv",
"modified": "2024-04-04T01:34:40Z",
"published": "2022-05-24T16:52:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14383"
},
{
"type": "WEB",
"url": "https://marketplace.atlassian.com/apps/37456/the-scheduler?hosting=server\u0026tab=versions"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-022_jira_plugin_the_scheduler.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q723-3768-2877
Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2022-05-14 03:10The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.
{
"affected": [],
"aliases": [
"CVE-2017-3208"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T17:29:00Z",
"severity": "CRITICAL"
},
"details": "The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.",
"id": "GHSA-q723-3768-2877",
"modified": "2022-05-14T03:10:11Z",
"published": "2022-05-14T03:10:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3208"
},
{
"type": "WEB",
"url": "https://codewhitesec.blogspot.com/2017/04/amf.html"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/307983"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97384"
},
{
"type": "WEB",
"url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.