Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-V4RR-65X6-G69F

Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-05-03 20:56
VLAI
Summary
XXE vulnerability in Jenkins Flaky Test Handler Plugin
Details

Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:flaky-test-handler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-28140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-03T20:56:05Z",
    "nvd_published_at": "2022-03-29T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
  "id": "GHSA-v4rr-65x6-g69f",
  "modified": "2022-05-03T20:56:05Z",
  "published": "2022-03-30T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28140"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/flaky-test-handler-plugin/commit/c4ab38fef3658a02315a00288b934bdd9981b3a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/flaky-test-handler-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1896"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Flaky Test Handler Plugin"
}

GHSA-V4WV-V525-P5GQ

Vulnerability from github – Published: 2022-12-29 09:30 – Updated: 2023-01-06 18:30
VLAI
Details

A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. This vulnerability affects the function vocabularyValidationConfigurations of the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the component XML Handler. The manipulation leads to xml external entity reference. Upgrading to version 1.0.31 is able to address this issue. The name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is recommended to upgrade the affected component. VDB-217018 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-29T09:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. This vulnerability affects the function vocabularyValidationConfigurations of the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the component XML Handler. The manipulation leads to xml external entity reference. Upgrading to version 1.0.31 is able to address this issue. The name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is recommended to upgrade the affected component. VDB-217018 is the identifier assigned to this vulnerability.",
  "id": "GHSA-v4wv-v525-p5gq",
  "modified": "2023-01-06T18:30:20Z",
  "published": "2022-12-29T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4295"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onc-healthit/code-validator-api/pull/97"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onc-healthit/code-validator-api/commit/fbd8ea121755a2d3d116b13f235bc8b61d8449af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onc-healthit/code-validator-api/releases/tag/1.0.31"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217018"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5CV-FP89-8WPM

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:02
VLAI
Details

BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-21T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.",
  "id": "GHSA-v5cv-fp89-8wpm",
  "modified": "2024-04-04T01:02:32Z",
  "published": "2022-05-24T16:48:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10718"
    },
    {
      "type": "WEB",
      "url": "https://www.securitymetrics.com/blog/blogenginenet-xml-external-entity-attacks"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153364/BlogEngine.NET-3.3.6-3.3.7-XML-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V62G-JWJ9-RFVX

Vulnerability from github – Published: 2024-07-24 09:30 – Updated: 2024-09-10 18:50
VLAI
Summary
XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill
Details

XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.drill.exec:drill-java-exec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.19.0"
            },
            {
              "fixed": "1.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-24T16:02:33Z",
    "nvd_published_at": "2024-07-24T08:15:02Z",
    "severity": "HIGH"
  },
  "details": "XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.",
  "id": "GHSA-v62g-jwj9-rfvx",
  "modified": "2024-09-10T18:50:27Z",
  "published": "2024-07-24T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48362"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/drill/commit/0e88b7a5101d24c561a2a3efb12d7a3b3f7933f3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/drill"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/DRILL-8461"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/9tt0q4bdjwgw0dz0l9knqxjnpb5y6zsl"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/07/24/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill"
}

GHSA-V65R-3M4G-37FX

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2024-04-04 02:39
VLAI
Details

An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-18T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.",
  "id": "GHSA-v65r-3m4g-37fx",
  "modified": "2024-04-04T02:39:56Z",
  "published": "2022-05-24T17:01:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20687"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/155359/Raritan-CommandCenter-Secure-Gateway-XML-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Nov/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6F7-438V-79F3

Vulnerability from github – Published: 2022-05-17 02:56 – Updated: 2022-05-17 02:56
VLAI
Details

IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999537.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-07T17:59:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1999537.",
  "id": "GHSA-v6f7-438v-79f3",
  "modified": "2022-05-17T02:56:18Z",
  "published": "2022-05-17T02:56:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9724"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg21999537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6M8-2842-FM7Q

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:44
VLAI
Details

The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-21T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988.",
  "id": "GHSA-v6m8-2842-fm7q",
  "modified": "2024-04-04T01:44:46Z",
  "published": "2022-05-24T16:54:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14258"
    },
    {
      "type": "WEB",
      "url": "https://www.coalfire.com/The-Coalfire-Blog"
    },
    {
      "type": "WEB",
      "url": "https://www.coalfire.com/The-Coalfire-Blog/August-2019/Getting-more-from-a-compliance-test"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6PQ-9WMC-R634

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-19954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-14T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity (XXE) vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files.",
  "id": "GHSA-v6pq-9wmc-r634",
  "modified": "2022-05-24T19:17:36Z",
  "published": "2022-05-24T19:17:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19954"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zhuxianjin/vuln_repo/blob/master/S-CMS%20v3.0%20XXE%20Arbitrary%20File%20Read%20Vulnerability.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V6X7-G9XG-9FM7

Vulnerability from github – Published: 2022-05-14 03:36 – Updated: 2022-05-14 03:36
VLAI
Details

XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-22T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML External Entity (XXE) vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability can be exploited to allow XML External Entity (XXE)",
  "id": "GHSA-v6x7-g9xg-9fm7",
  "modified": "2022-05-14T03:36:42Z",
  "published": "2022-05-14T03:36:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6489"
    },
    {
      "type": "WEB",
      "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03014426"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6XX-62QW-537Q

Vulnerability from github – Published: 2025-09-23 00:32 – Updated: 2025-09-23 00:32
VLAI
Details

A security flaw has been discovered in Jinher OA 2.0. This affects an unknown part of the file /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx/?text=GetUrl&style=add of the component XML Handler. Performing manipulation results in xml external entity reference. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T22:15:41Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in Jinher OA 2.0. This affects an unknown part of the file /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx/?text=GetUrl\u0026style=add of the component XML Handler. Performing manipulation results in xml external entity reference. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.",
  "id": "GHSA-v6xx-62qw-537q",
  "modified": "2025-09-23T00:32:02Z",
  "published": "2025-09-23T00:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10816"
    },
    {
      "type": "WEB",
      "url": "https://github.com/1296299554/CVE/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325174"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325174"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.654466"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.