CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-RWQH-HFR8-59C3
Vulnerability from github – Published: 2022-05-17 00:25 – Updated: 2022-05-17 00:25The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
{
"affected": [],
"aliases": [
"CVE-2014-9487"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-17T14:29:00Z",
"severity": "CRITICAL"
},
"details": "The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.",
"id": "GHSA-rwqh-hfr8-59c3",
"modified": "2022-05-17T00:25:34Z",
"published": "2022-05-17T00:25:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9487"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1175828"
},
{
"type": "WEB",
"url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201502-04"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/01/03/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RX7G-4GVJ-H8M6
Vulnerability from github – Published: 2022-05-14 02:46 – Updated: 2025-04-20 03:32XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.
{
"affected": [],
"aliases": [
"CVE-2016-4312"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-17T02:59:00Z",
"severity": "HIGH"
},
"details": "XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.",
"id": "GHSA-rx7g-4gvj-h8m6",
"modified": "2025-04-20T03:32:58Z",
"published": "2022-05-14T02:46:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4312"
},
{
"type": "WEB",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/40239"
},
{
"type": "WEB",
"url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92485"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V232-254C-M6P7
Vulnerability from github – Published: 2025-03-10 18:29 – Updated: 2025-03-10 18:29Description
The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.
When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files.
The vulnerability is particularly severe because it allows direct access to sensitive files on the server's filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.
Steps to Reproduce
- Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)
- Send a PUT request to the bucket tagging endpoint with the following XML payload: ```xml
]> xxe&xxe; ```
```
curl -X PUT \
-H "Host: app" \
-H "Authorization: AWS dummy:dummy" \
-H "Content-Type: application/xml" \
--data-binary @xxe.xml \
http://app/bucket?tagging
```
-
Retrieve the bucket tags using a GET request to the same endpoint
curl -H "Authorization: AWS dummy:dummy" http://app-1/bucket?tagging -
The content of the targeted file will be returned in the tag value
The successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server's filesystem.
Mitigations
- Disable XML external entity resolution in the XML parser configuration
- Implement proper XML parsing security controls such as disabling DTD processing altogether
- Use a safe parser configuration that doesn't process external entities or DTDs by default
- Validate and sanitize all XML input before processing to prevent injection of malicious entities
Impact
Critical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server's filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.robothy:local-s3-rest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-10T18:29:27Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Description\nThe LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.\n\nWhen processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server\u0027s filesystem by defining an external entity that references local files.\n\nThe vulnerability is particularly severe because it allows direct access to sensitive files on the server\u0027s filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.\n\n## Steps to Reproduce\n1. Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)\n2. Send a PUT request to the bucket tagging endpoint with the following XML payload:\n ```xml\n \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n \u003c!DOCTYPE data [\n \u003c!ENTITY xxe SYSTEM \"file:///flag.txt\" \u003e\n ]\u003e\n \u003cTagging\u003e\u003cTagSet\u003e\u003cTag\u003e\u003cKey\u003exxe\u003c/Key\u003e\u003cValue\u003e\u0026xxe;\u003c/Value\u003e\u003c/Tag\u003e\u003c/TagSet\u003e\u003c/Tagging\u003e\n ```\n\n ```\n curl -X PUT \\\n -H \"Host: app\" \\\n -H \"Authorization: AWS dummy:dummy\" \\\n -H \"Content-Type: application/xml\" \\\n --data-binary @xxe.xml \\\n http://app/bucket?tagging\n ```\n\n3. Retrieve the bucket tags using a GET request to the same endpoint\n\n ```\n curl -H \"Authorization: AWS dummy:dummy\" http://app-1/bucket?tagging\n ```\n\n4. The content of the targeted file will be returned in the tag value\n\nThe successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server\u0027s filesystem.\n\n## Mitigations\n- Disable XML external entity resolution in the XML parser configuration\n- Implement proper XML parsing security controls such as disabling DTD processing altogether\n- Use a safe parser configuration that doesn\u0027t process external entities or DTDs by default\n- Validate and sanitize all XML input before processing to prevent injection of malicious entities\n\n## Impact\nCritical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server\u0027s filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.",
"id": "GHSA-v232-254c-m6p7",
"modified": "2025-03-10T18:29:27Z",
"published": "2025-03-10T18:29:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/security/advisories/GHSA-v232-254c-m6p7"
},
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"
},
{
"type": "PACKAGE",
"url": "https://github.com/Robothy/local-s3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API"
}
GHSA-V2H5-C2MM-JM6R
Vulnerability from github – Published: 2022-05-14 01:37 – Updated: 2022-05-14 01:37S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol.
{
"affected": [],
"aliases": [
"CVE-2018-20298"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-19T17:29:00Z",
"severity": "MODERATE"
},
"details": "S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol.",
"id": "GHSA-v2h5-c2mm-jm6r",
"modified": "2022-05-14T01:37:00Z",
"published": "2022-05-14T01:37:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20298"
},
{
"type": "WEB",
"url": "https://s3browser.com/news.aspx"
},
{
"type": "WEB",
"url": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2018-34"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V2HX-P2CQ-5WM5
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8710"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-13T01:29:00Z",
"severity": "MODERATE"
},
"details": "The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka \"Windows Information Disclosure Vulnerability\".",
"id": "GHSA-v2hx-p2cq-5wm5",
"modified": "2022-05-13T01:47:41Z",
"published": "2022-05-13T01:47:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8710"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8710"
},
{
"type": "WEB",
"url": "https://www.vulnerability-lab.com/get_content.php?id=2094"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=bIFot3a-58I"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100793"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V2PP-7V4J-XG4G
Vulnerability from github – Published: 2023-10-27 21:30 – Updated: 2023-11-08 03:30An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.
{
"affected": [],
"aliases": [
"CVE-2022-34832"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-27T21:15:08Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.",
"id": "GHSA-v2pp-7v4j-xg4g",
"modified": "2023-11-08T03:30:31Z",
"published": "2023-10-27T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34832"
},
{
"type": "WEB",
"url": "https://crashpark.weebly.com/blog/xxe-in-agilereporter-213-by-vermeg"
},
{
"type": "WEB",
"url": "https://www.vermeg.com/agile-reporter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V2XM-76PQ-PHCF
Vulnerability from github – Published: 2024-06-21 06:31 – Updated: 2024-06-21 15:06ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.classgraph:classgraph"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.8.112"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-47621"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-21T15:06:26Z",
"nvd_published_at": "2024-06-21T06:15:10Z",
"severity": "MODERATE"
},
"details": "ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.",
"id": "GHSA-v2xm-76pq-phcf",
"modified": "2024-06-21T15:06:26Z",
"published": "2024-06-21T06:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47621"
},
{
"type": "WEB",
"url": "https://github.com/classgraph/classgraph/pull/539"
},
{
"type": "WEB",
"url": "https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3"
},
{
"type": "WEB",
"url": "https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/classgraph/classgraph"
},
{
"type": "WEB",
"url": "https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ClassGraph XML External Entity Reference"
}
GHSA-V2XR-WHR4-9P35
Vulnerability from github – Published: 2025-07-21 18:32 – Updated: 2025-07-21 18:32Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.
{
"affected": [],
"aliases": [
"CVE-2025-36603"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-21T17:15:36Z",
"severity": "MODERATE"
},
"details": "Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.",
"id": "GHSA-v2xr-whr4-9p35",
"modified": "2025-07-21T18:32:18Z",
"published": "2025-07-21T18:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36603"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000345331/dsa-2025-277-security-update-for-dell-appsync-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-V3PX-6VF7-C58J
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-25163"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-29T11:15:00Z",
"severity": "HIGH"
},
"details": "A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.",
"id": "GHSA-v3px-6vf7-c58j",
"modified": "2022-05-24T17:49:05Z",
"published": "2022-05-24T17:49:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25163"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-010.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V3XC-F323-99X9
Vulnerability from github – Published: 2022-05-17 02:28 – Updated: 2022-05-17 02:28IBM Security Guardium 10.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 124634.
{
"affected": [],
"aliases": [
"CVE-2017-1254"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-05T18:29:00Z",
"severity": "HIGH"
},
"details": "IBM Security Guardium 10.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 124634.",
"id": "GHSA-v3xc-f323-99x9",
"modified": "2022-05-17T02:28:13Z",
"published": "2022-05-17T02:28:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1254"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/124634"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22004463"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99366"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.