CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-Q74F-RF27-8HXC
Vulnerability from github – Published: 2023-10-31 00:31 – Updated: 2023-11-06 16:34An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencrx:opencrx-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46502"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-01T17:14:19Z",
"nvd_published_at": "2023-10-30T23:15:08Z",
"severity": "CRITICAL"
},
"details": "An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.",
"id": "GHSA-q74f-rf27-8hxc",
"modified": "2023-11-06T16:34:04Z",
"published": "2023-10-31T00:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46502"
},
{
"type": "WEB",
"url": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"
},
{
"type": "WEB",
"url": "https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencrx/opencrx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenCRX allows a remote attacker to execute arbitrary code via a crafted request"
}
GHSA-Q74V-WMPG-RR8Q
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:12lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2019-13358"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-05T21:15:00Z",
"severity": "HIGH"
},
"details": "lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system.",
"id": "GHSA-q74v-wmpg-rr8q",
"modified": "2024-04-04T01:12:23Z",
"published": "2022-05-24T16:49:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13358"
},
{
"type": "WEB",
"url": "https://github.com/opencats/OpenCATS/pull/440"
},
{
"type": "WEB",
"url": "https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164253/OpenCats-0.9.4-2-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://www.opencats.org/news"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7XG-HH3Q-HC68
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2023-10-27 14:19Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.7.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:config-file-provider"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21642"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T19:17:13Z",
"nvd_published_at": "2021-04-21T15:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.",
"id": "GHSA-q7xg-hh3q-hc68",
"modified": "2023-10-27T14:19:48Z",
"published": "2022-05-24T17:48:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21642"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/config-file-provider-plugin/commit/5f845bc015be769e595088bab11ec36c767671e1"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/config-file-provider-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin"
}
GHSA-Q876-XVXF-R2H2
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.
{
"affected": [],
"aliases": [
"CVE-2017-7426"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-01T20:29:00Z",
"severity": "CRITICAL"
},
"details": "The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.",
"id": "GHSA-q876-xvxf-r2h2",
"modified": "2022-05-13T01:36:22Z",
"published": "2022-05-13T01:36:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7426"
},
{
"type": "WEB",
"url": "https://www.novell.com/support/kb/doc.php?id=7021173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q87H-3PPQ-WWF5
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-10-19 19:00An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.
{
"affected": [],
"aliases": [
"CVE-2020-7032"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-13T01:15:00Z",
"severity": "MODERATE"
},
"details": "An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.",
"id": "GHSA-q87h-3ppq-wwf5",
"modified": "2022-10-19T19:00:24Z",
"published": "2022-05-24T17:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7032"
},
{
"type": "WEB",
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8X7-F6F7-8J2H
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-04-04 02:49SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.
{
"affected": [],
"aliases": [
"CVE-2020-6202"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T21:15:00Z",
"severity": "HIGH"
},
"details": "SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.",
"id": "GHSA-q8x7-f6f7-8j2h",
"modified": "2024-04-04T02:49:10Z",
"published": "2022-05-24T17:10:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6202"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2847787"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9CP-MC96-M4W2
Vulnerability from github – Published: 2020-11-23 21:18 – Updated: 2024-02-05 11:16Problem
It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.
At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.
Solution
Update to TYPO3 version 10.4.10 that fixes the problem described.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26229"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-11-23T21:16:32Z",
"nvd_published_at": "2020-11-23T22:15:12Z",
"severity": "LOW"
},
"details": "### Problem\nIt has been discovered that RSS widgets are susceptible to XML external entity processing.\nThis vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.\n\nAt least with _libxml2_ version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.\n\n### Solution\nUpdate to TYPO3 version 10.4.10 that fixes the problem described.",
"id": "GHSA-q9cp-mc96-m4w2",
"modified": "2024-02-05T11:16:11Z",
"published": "2020-11-23T21:18:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26229"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2020-012"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity in Dashboard Widget"
}
GHSA-Q9GV-R7Q5-76R2
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
{
"affected": [],
"aliases": [
"CVE-2016-3027"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-01T20:59:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.",
"id": "GHSA-q9gv-r7q5-76r2",
"modified": "2022-05-13T01:14:04Z",
"published": "2022-05-13T01:14:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3027"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21994440"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC7W-4567-84WV
Vulnerability from github – Published: 2024-06-07 20:30 – Updated: 2024-06-07 20:30Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:
- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T20:30:06Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Numerous components utilizing PHP\u0027s DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.",
"id": "GHSA-qc7w-4567-84wv",
"modified": "2024-06-07T20:30:06Z",
"published": "2024-06-07T20:30:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/225a8c9f1c3bc08c0bddf22486a8a39ff7186ac1"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/5dab7b8e77741dbba56209616b7815bb04f4c561"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/68d0756c596baeefad0b733b42ef2657d09c7f4e"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/bbcf41e676ef6d8f16ea9d6499050bca0787eb6c"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/ee7f81cc996fb1c16c7dae23eca9ec013ab74730"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/fbeba98d5a9924b026a5dd98f679143fd6be89ea"
},
{
"type": "WEB",
"url": "https://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2014-01.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zendframework/zendframework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Zendframework vulnerable to XXE/XEE attacks"
}
GHSA-QCFC-HMRC-59X7
Vulnerability from github – Published: 2026-01-11 15:31 – Updated: 2026-01-16 19:10Missing XML Validation vulnerability in Apache Struts, Apache Struts.
This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.
Users are recommended to upgrade to version 6.1.1, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"last_affected": "2.3.37"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"last_affected": "2.5.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.2.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.opensymphony:xwork"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 6.1.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts.xwork:xwork-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68493"
],
"database_specific": {
"cwe_ids": [
"CWE-112",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T21:49:00Z",
"nvd_published_at": "2026-01-11T13:15:45Z",
"severity": "HIGH"
},
"details": "Missing XML Validation vulnerability in Apache Struts, Apache Struts.\n\nThis issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.\n\nUsers are recommended to upgrade to version 6.1.1, which fixes the issue.",
"id": "GHSA-qcfc-hmrc-59x7",
"modified": "2026-01-16T19:10:45Z",
"published": "2026-01-11T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68493"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/WW/S2-069"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/struts"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/01/11/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Struts 2 is Missing XML Validation"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.