CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-QQ48-V63V-876M
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-02-03 21:30IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007.
{
"affected": [],
"aliases": [
"CVE-2019-4062"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-30T14:15:00Z",
"severity": "HIGH"
},
"details": "IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007.",
"id": "GHSA-qq48-v63v-876m",
"modified": "2023-02-03T21:30:35Z",
"published": "2022-05-24T16:51:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4062"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/157007"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10881746"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QQC2-6QQ8-P574
Vulnerability from github – Published: 2022-02-25 00:00 – Updated: 2025-04-17 21:30A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.
{
"affected": [],
"aliases": [
"CVE-2020-14478"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T19:15:00Z",
"severity": "HIGH"
},
"details": "A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.",
"id": "GHSA-qqc2-6qq8-p574",
"modified": "2025-04-17T21:30:37Z",
"published": "2022-02-25T00:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14478"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRFF-FQPR-45F9
Vulnerability from github – Published: 2021-12-09 00:01 – Updated: 2021-12-14 00:01National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.
{
"affected": [],
"aliases": [
"CVE-2021-44556"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T12:15:00Z",
"severity": "CRITICAL"
},
"details": "National Library of the Netherlands digger \u003c 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.",
"id": "GHSA-qrff-fqpr-45f9",
"modified": "2021-12-14T00:01:40Z",
"published": "2021-12-09T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44556"
},
{
"type": "WEB",
"url": "https://github.com/KBNLresearch/digger/pull/1"
},
{
"type": "WEB",
"url": "https://github.com/KBNLresearch/digger"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QRH7-X6FP-C2MP
Vulnerability from github – Published: 2022-05-17 05:09 – Updated: 2024-05-21 20:12The XML libraries for Python, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-1664"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-21T20:12:01Z",
"nvd_published_at": "2013-04-03T00:55:00Z",
"severity": "MODERATE"
},
"details": "The XML libraries for Python, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
"id": "GHSA-qrh7-x6fp-c2mp",
"modified": "2024-05-21T20:12:01Z",
"published": "2022-05-17T05:09:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1664"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/nova/+bug/1100282"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"
},
{
"type": "WEB",
"url": "http://bugs.python.org/issue17239"
},
{
"type": "WEB",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-1757-1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "XML Entity Expansion (XEE) in Django"
}
GHSA-QRP9-23P7-G5MF
Vulnerability from github – Published: 2024-02-27 18:31 – Updated: 2025-02-13 19:10XML External Entity injection in Apache Ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue.
More Details:
Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation.
This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ambari.contrib.views:wfmanager"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50380"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-27T21:53:34Z",
"nvd_published_at": "2024-02-27T17:15:11Z",
"severity": "MODERATE"
},
"details": "XML External Entity injection in Apache Ambari versions \u003c= 2.7.7,\u00a0Users are recommended to upgrade to version 2.7.8, which fixes this issue.\n\nMore Details:\n\nOozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation.\n\nThis vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.",
"id": "GHSA-qrp9-23p7-g5mf",
"modified": "2025-02-13T19:10:30Z",
"published": "2024-02-27T18:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50380"
},
{
"type": "WEB",
"url": "https://github.com/apache/ambari/commit/d9652e4611ea36208d5f748028b3a9cd980e6edb"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/ambari"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/qrt7mq7v7zyrh1qsh1gkg1m7clysvy32"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/27/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Ambari XML External Entity injection"
}
GHSA-QV32-7R6P-XHHH
Vulnerability from github – Published: 2018-10-19 16:39 – Updated: 2021-09-16 21:06XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.adobe.xmp:xmpcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-4216"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:52:48Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-qv32-7r6p-xhhh",
"modified": "2021-09-16T21:06:35Z",
"published": "2018-10-19T16:39:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4216"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qv32-7r6p-xhhh"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/xmpcore/apsb16-24.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moderate severity vulnerability that affects com.adobe.xmp:xmpcore"
}
GHSA-QVV4-58RX-F26C
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:31XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.
{
"affected": [],
"aliases": [
"CVE-2017-17762"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-29T19:29:00Z",
"severity": "HIGH"
},
"details": "XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.",
"id": "GHSA-qvv4-58rx-f26c",
"modified": "2024-04-04T02:31:42Z",
"published": "2022-05-24T16:59:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17762"
},
{
"type": "WEB",
"url": "https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa"
},
{
"type": "WEB",
"url": "https://kryptera.se/sarbarhet-i-episerver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QVWF-W35M-6R95
Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2023-07-06 22:05XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "desperado/xml-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-1000477"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T22:05:33Z",
"nvd_published_at": "2018-01-03T18:29:00Z",
"severity": "HIGH"
},
"details": "XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.",
"id": "GHSA-qvwf-w35m-6r95",
"modified": "2023-07-06T22:05:33Z",
"published": "2022-05-14T03:49:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000477"
},
{
"type": "WEB",
"url": "https://github.com/pravednik/xmlBundle/issues/2"
},
{
"type": "WEB",
"url": "https://github.com/pravednik/xmlBundle/pull/5/commits/803d8cb34b972e67c2144b8b36575f97d14ef1d6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "XXE Vulnerability in XMLBundle 0.1.7"
}
GHSA-QW37-CXPJ-W543
Vulnerability from github – Published: 2025-04-04 18:30 – Updated: 2026-04-01 18:34Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17.
{
"affected": [],
"aliases": [
"CVE-2025-32138"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T16:15:22Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17.",
"id": "GHSA-qw37-cxpj-w543",
"modified": "2026-04-01T18:34:29Z",
"published": "2025-04-04T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32138"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/google-maps-easy/vulnerability/wordpress-easy-google-maps-plugin-1-11-17-xml-external-entity-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QWGX-59JW-QFG9
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-07-01 11:55In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-5662"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T11:55:03Z",
"nvd_published_at": "2017-04-18T14:59:00Z",
"severity": "HIGH"
},
"details": "In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",
"id": "GHSA-qwgx-59jw-qfg9",
"modified": "2022-07-01T11:55:03Z",
"published": "2022-05-13T01:14:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5662"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2546"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2547"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4215"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97948"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038334"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Apache Batik"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.