CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-R89J-VHG3-XW33
Vulnerability from github – Published: 2022-05-17 05:13 – Updated: 2024-02-15 21:31The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.
{
"affected": [],
"aliases": [
"CVE-2012-5656"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-01-18T11:48:00Z",
"severity": "LOW"
},
"details": "The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.",
"id": "GHSA-r89j-vhg3-xw33",
"modified": "2024-02-15T21:31:24Z",
"published": "2022-05-17T05:13:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5656"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/inkscape/+bug/1025185"
},
{
"type": "WEB",
"url": "https://launchpad.net/inkscape/+milestone/0.48.4"
},
{
"type": "WEB",
"url": "http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/11931"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-December/095024.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095380.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095398.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00041.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00043.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/12/20/3"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/56965"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1712-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8J4-96MX-RJCC
Vulnerability from github – Published: 2022-01-21 18:13 – Updated: 2022-02-24 18:37skylot/jadx prior to 1.3.2 is vulnerable to Improper Restriction of XML External Entities when a user is tricked into exporting a malicious APK file (via the -e option) containing a crafted AndroidManifest.xml / strings.xml to gradle, leading to possible local file disclosure.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.skylot:jadx-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0219"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-21T16:54:58Z",
"nvd_published_at": "2022-01-20T17:15:00Z",
"severity": "MODERATE"
},
"details": "skylot/jadx prior to 1.3.2 is vulnerable to Improper Restriction of XML External Entities when a user is tricked into exporting a malicious APK file (via the -e option) containing a crafted AndroidManifest.xml / strings.xml to gradle, leading to possible local file disclosure.",
"id": "GHSA-r8j4-96mx-rjcc",
"modified": "2022-02-24T18:37:30Z",
"published": "2022-01-21T18:13:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0219"
},
{
"type": "WEB",
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
},
{
"type": "PACKAGE",
"url": "https://github.com/skylot/jadx"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in skylot/jadx"
}
GHSA-R8Q6-PF72-X4JP
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:33An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.
{
"affected": [],
"aliases": [
"CVE-2019-7442"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-08T21:29:00Z",
"severity": "CRITICAL"
},
"details": "An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault \u003c=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.",
"id": "GHSA-r8q6-pf72-x4jp",
"modified": "2024-04-04T00:33:41Z",
"published": "2022-05-24T16:45:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7442"
},
{
"type": "WEB",
"url": "https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152801/CyberArk-Enterprise-Password-Vault-10.7-XML-External-Entity-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R96P-G9M9-MJP9
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access.
{
"affected": [],
"aliases": [
"CVE-2020-24454"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access.",
"id": "GHSA-r96p-g9m9-mjp9",
"modified": "2022-05-24T17:33:56Z",
"published": "2022-05-24T17:33:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24454"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00446"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RC57-9R3X-98CQ
Vulnerability from github – Published: 2022-06-17 00:01 – Updated: 2024-07-05 14:26drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.59.0.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.drools:drools-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.60.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41411"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T21:54:41Z",
"nvd_published_at": "2022-06-16T10:15:00Z",
"severity": "CRITICAL"
},
"details": "drools \u003c=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
"id": "GHSA-rc57-9r3x-98cq",
"modified": "2024-07-05T14:26:30Z",
"published": "2022-06-17T00:01:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41411"
},
{
"type": "WEB",
"url": "https://github.com/apache/incubator-kie-drools/pull/3808"
},
{
"type": "PACKAGE",
"url": "https://github.com/kiegroup/drools"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in drools"
}
GHSA-RC7F-GRWH-GQV6
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2019-10976"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-26T00:15:00Z",
"severity": "MODERATE"
},
"details": "Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.",
"id": "GHSA-rc7f-grwh-gqv6",
"modified": "2024-04-04T01:23:15Z",
"published": "2022-05-24T16:51:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10976"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RC9V-H28F-JCMF
Vulnerability from github – Published: 2018-10-17 19:56 – Updated: 2024-03-04 22:58This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0"
},
{
"fixed": "6.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-8010"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:54:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr\u0027s ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.",
"id": "GHSA-rc9v-h28f-jcmf",
"modified": "2024-03-04T22:58:14Z",
"published": "2018-10-17T19:56:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8010"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/4ba409e0ff3dc38aad88f7b7ad69a76325272b8"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/6c4e45e28494d4d4d04fb89852d18c86fa3d5f8"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/6d082d5743dee7e08a86b3f2ef03bc025112512"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/96f079b4b47eaadff65c7aaf0e5bafe68e30ec3"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rc9v-h28f-jcmf"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/SOLR-12316"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104239"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "There is a XML external entity expansion (XXE) vulnerability in Apache Solr config files"
}
GHSA-RCC6-6Q2F-M2CW
Vulnerability from github – Published: 2026-05-08 06:32 – Updated: 2026-05-14 13:05Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencms:opencms-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42344"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T13:05:13Z",
"nvd_published_at": "2026-05-08T05:16:09Z",
"severity": "HIGH"
},
"details": "Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.",
"id": "GHSA-rcc6-6q2f-m2cw",
"modified": "2026-05-14T13:05:13Z",
"published": "2026-05-08T06:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42344"
},
{
"type": "WEB",
"url": "https://github.com/projectdiscovery/nuclei-templates/issues/8864"
},
{
"type": "PACKAGE",
"url": "https://github.com/alkacon/opencms-core"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Alkacon OpenCms allows remote unauthenticated attackers to obtain sensitive information"
}
GHSA-RCFJ-PC73-HQV6
Vulnerability from github – Published: 2024-03-18 09:30 – Updated: 2024-08-01 15:31Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.
{
"affected": [],
"aliases": [
"CVE-2024-28039"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T09:15:06Z",
"severity": "MODERATE"
},
"details": "Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.",
"id": "GHSA-rcfj-pc73-hqv6",
"modified": "2024-08-01T15:31:33Z",
"published": "2024-03-18T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28039"
},
{
"type": "WEB",
"url": "https://github.com/unclebob/fitnesse"
},
{
"type": "WEB",
"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN94521208"
},
{
"type": "WEB",
"url": "http://fitnesse.org/FitNesseDownload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RFFC-23Q6-2HQW
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:34Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
{
"affected": [],
"aliases": [
"CVE-2019-8082"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-25T15:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.",
"id": "GHSA-rffc-23q6-2hqw",
"modified": "2024-04-04T02:34:59Z",
"published": "2022-05-24T16:59:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8082"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.