Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-QQ48-V63V-876M

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-02-03 21:30
VLAI
Details

IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-30T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007.",
  "id": "GHSA-qq48-v63v-876m",
  "modified": "2023-02-03T21:30:35Z",
  "published": "2022-05-24T16:51:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4062"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/157007"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10881746"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQC2-6QQ8-P574

Vulnerability from github – Published: 2022-02-25 00:00 – Updated: 2025-04-17 21:30
VLAI
Details

A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.",
  "id": "GHSA-qqc2-6qq8-p574",
  "modified": "2025-04-17T21:30:37Z",
  "published": "2022-02-25T00:00:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14478"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRFF-FQPR-45F9

Vulnerability from github – Published: 2021-12-09 00:01 – Updated: 2021-12-14 00:01
VLAI
Details

National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "National Library of the Netherlands digger \u003c 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.",
  "id": "GHSA-qrff-fqpr-45f9",
  "modified": "2021-12-14T00:01:40Z",
  "published": "2021-12-09T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44556"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KBNLresearch/digger/pull/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KBNLresearch/digger"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QRH7-X6FP-C2MP

Vulnerability from github – Published: 2022-05-17 05:09 – Updated: 2024-05-21 20:12
VLAI
Summary
XML Entity Expansion (XEE) in Django
Details

The XML libraries for Python, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-1664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-21T20:12:01Z",
    "nvd_published_at": "2013-04-03T00:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The XML libraries for Python, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.",
  "id": "GHSA-qrh7-x6fp-c2mp",
  "modified": "2024-05-21T20:12:01Z",
  "published": "2022-05-17T05:09:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1664"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/nova/+bug/1100282"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html"
    },
    {
      "type": "WEB",
      "url": "http://bugs.python.org/issue17239"
    },
    {
      "type": "WEB",
      "url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0657.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0658.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-1757-1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/02/19/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/02/19/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "XML Entity Expansion (XEE) in Django"
}

GHSA-QRP9-23P7-G5MF

Vulnerability from github – Published: 2024-02-27 18:31 – Updated: 2025-02-13 19:10
VLAI
Summary
Apache Ambari XML External Entity injection
Details

XML External Entity injection in Apache Ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue.

More Details:

Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation.

This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ambari.contrib.views:wfmanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-27T21:53:34Z",
    "nvd_published_at": "2024-02-27T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "XML External Entity injection in Apache Ambari versions \u003c= 2.7.7,\u00a0Users are recommended to upgrade to version 2.7.8, which fixes this issue.\n\nMore Details:\n\nOozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation.\n\nThis vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.",
  "id": "GHSA-qrp9-23p7-g5mf",
  "modified": "2025-02-13T19:10:30Z",
  "published": "2024-02-27T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50380"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/ambari/commit/d9652e4611ea36208d5f748028b3a9cd980e6edb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/ambari"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/qrt7mq7v7zyrh1qsh1gkg1m7clysvy32"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/02/27/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Ambari XML External Entity injection"
}

GHSA-QV32-7R6P-XHHH

Vulnerability from github – Published: 2018-10-19 16:39 – Updated: 2021-09-16 21:06
VLAI
Summary
Moderate severity vulnerability that affects com.adobe.xmp:xmpcore
Details

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.adobe.xmp:xmpcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-4216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:52:48Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
  "id": "GHSA-qv32-7r6p-xhhh",
  "modified": "2021-09-16T21:06:35Z",
  "published": "2018-10-19T16:39:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4216"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-qv32-7r6p-xhhh"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/xmpcore/apsb16-24.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moderate severity vulnerability that affects com.adobe.xmp:xmpcore"
}

GHSA-QVV4-58RX-F26C

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:31
VLAI
Details

XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-29T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.",
  "id": "GHSA-qvv4-58rx-f26c",
  "modified": "2024-04-04T02:31:42Z",
  "published": "2022-05-24T16:59:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17762"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa"
    },
    {
      "type": "WEB",
      "url": "https://kryptera.se/sarbarhet-i-episerver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QVWF-W35M-6R95

Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2023-07-06 22:05
VLAI
Summary
XXE Vulnerability in XMLBundle 0.1.7
Details

XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "desperado/xml-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1000477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T22:05:33Z",
    "nvd_published_at": "2018-01-03T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.",
  "id": "GHSA-qvwf-w35m-6r95",
  "modified": "2023-07-06T22:05:33Z",
  "published": "2022-05-14T03:49:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000477"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pravednik/xmlBundle/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pravednik/xmlBundle/pull/5/commits/803d8cb34b972e67c2144b8b36575f97d14ef1d6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE Vulnerability in XMLBundle 0.1.7"
}

GHSA-QW37-CXPJ-W543

Vulnerability from github – Published: 2025-04-04 18:30 – Updated: 2026-04-01 18:34
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-04T16:15:22Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17.",
  "id": "GHSA-qw37-cxpj-w543",
  "modified": "2026-04-01T18:34:29Z",
  "published": "2025-04-04T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32138"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/google-maps-easy/vulnerability/wordpress-easy-google-maps-plugin-1-11-17-xml-external-entity-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWGX-59JW-QFG9

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-07-01 11:55
VLAI
Summary
Improper Restriction of XML External Entity Reference in Apache Batik
Details

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.xmlgraphics:batik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T11:55:03Z",
    "nvd_published_at": "2017-04-18T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",
  "id": "GHSA-qwgx-59jw-qfg9",
  "modified": "2022-07-01T11:55:03Z",
  "published": "2022-05-13T01:14:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5662"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2546"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2547"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0319"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4215"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://xmlgraphics.apache.org/security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97948"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038334"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Apache Batik"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.