Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-W56W-4253-9GGG

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-19T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.",
  "id": "GHSA-w56w-4253-9ggg",
  "modified": "2022-05-24T17:44:57Z",
  "published": "2022-05-24T17:44:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28110"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/kukuxumushi/0b7d90a917ac3480066c4cbf7519b40a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W5J2-H9QX-GW8Q

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-07T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter.",
  "id": "GHSA-w5j2-h9qx-gw8q",
  "modified": "2022-05-13T01:31:58Z",
  "published": "2022-05-13T01:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6670"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10236"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6P8-6MFR-RC8P

Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11
VLAI
Details

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-09T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027. This CVE ID is unique from CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.",
  "id": "GHSA-w6p8-6mfr-rc8p",
  "modified": "2022-05-14T01:11:02Z",
  "published": "2022-05-14T01:11:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0790"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0790"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107702"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6X6-JQMR-MMC8

Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-05-17 02:53
VLAI
Details

NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-23T06:59:00Z",
    "severity": "MODERATE"
  },
  "details": "NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack.",
  "id": "GHSA-w6x6-jqmr-mmc8",
  "modified": "2022-05-17T02:53:42Z",
  "published": "2022-05-17T02:53:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5749"
    },
    {
      "type": "WEB",
      "url": "https://www.novell.com/support/kb/doc.php?id=7017806"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W898-3PH8-5PGM

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2023-10-26 21:42
VLAI
Summary
Jenkins Self-Organizing Swarm Plug-in Modules Plugin XXE vulnerability via UDP broadcast response
Details

Jenkins Swarm Plugin allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents.

Swarm Plugin does not configure the XML parser in a way that would prevent XML External Entity (XXE) processing. This allows unauthenticated attackers on the same network to have Swarm clients parse a maliciously crafted XML response that uses external entities to read arbitrary files from the Swarm client or denial-of-service attacks.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:swarm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T21:42:04Z",
    "nvd_published_at": "2019-04-30T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Swarm Plugin allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents.\n\nSwarm Plugin does not configure the XML parser in a way that would prevent XML External Entity (XXE) processing. This allows unauthenticated attackers on the same network to have Swarm clients parse a maliciously crafted XML response that uses external entities to read arbitrary files from the Swarm client or denial-of-service attacks.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-w898-3ph8-5pgm",
  "modified": "2023-10-26T21:42:04Z",
  "published": "2022-05-24T16:44:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10309"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/04/30/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Self-Organizing Swarm Plug-in Modules Plugin XXE vulnerability via UDP broadcast response"
}

GHSA-W89V-55CW-2PM8

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:31
VLAI
Details

cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-02T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).",
  "id": "GHSA-w89v-55cw-2pm8",
  "modified": "2024-04-04T01:31:10Z",
  "published": "2022-05-24T16:52:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18438"
    },
    {
      "type": "WEB",
      "url": "https://documentation.cpanel.net/display/CL/64+Change+Log"
    },
    {
      "type": "WEB",
      "url": "https://news.cpanel.com/cpanel-tsr-2017-0003-full-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9J7-PHM3-F97J

Vulnerability from github – Published: 2024-12-13 20:35 – Updated: 2024-12-13 20:35
VLAI
Summary
Ucum-java has an XXE vulnerability in XML parsing
Details

Impact

XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML.

Patches

Release 1.0.9 of ucum fixes this vulnerability

Workarounds

Ensure that the source xml for instantiating UcumEssenceService is trusted.

References

  • https://cwe.mitre.org/data/definitions/611.html
  • https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.fhir:ucum"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-13T20:35:57Z",
    "nvd_published_at": "2024-12-13T16:15:28Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nXML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML.\n\n### Patches\nRelease 1.0.9 of ucum fixes this vulnerability\n\n### Workarounds\nEnsure that the source xml for instantiating UcumEssenceService is trusted.\n\n### References\n* https://cwe.mitre.org/data/definitions/611.html\n* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j\n",
  "id": "GHSA-w9j7-phm3-f97j",
  "modified": "2024-12-13T20:35:57Z",
  "published": "2024-12-13T20:35:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55887"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FHIR/Ucum-java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ucum-java has an XXE vulnerability in XML parsing"
}

GHSA-W9P6-VQ7Q-W6Q7

Vulnerability from github – Published: 2023-04-27 00:30 – Updated: 2024-04-04 03:42
VLAI
Details

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-26T22:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.\n\n",
  "id": "GHSA-w9p6-vq7q-w6q7",
  "modified": "2024-04-04T03:42:23Z",
  "published": "2023-04-27T00:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45876"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
    },
    {
      "type": "WEB",
      "url": "https://www.vbase.net/en/download.php"
    },
    {
      "type": "WEB",
      "url": "https://www.visam.com/kontakt.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC53-4255-GW3F

Vulnerability from github – Published: 2025-04-04 14:20 – Updated: 2025-04-04 14:20
VLAI
Summary
The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server
Details

Impact

If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns an XML specifying a DOCTYPE pointing to a local file on the XWiki server host and displaying that file's content in one of the returned JIRA fields (such as the summary or description for example).

For example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rss version="0.92">
...
    <item>
      <title>&xxe;</title>
      <link>https://jira.xwiki.org/browse/XE-307</link>
      <project id="10222" key="XE">{RETIRED} XWiki Enterprise</project>
      <description>&xxe;</description>
      <environment/>
...

Patches

The vulnerability has been patched in the JIRA Extension v8.6.5.

Workarounds

No easy workaround except to upgrade (which is easy using the XWiki Extension Manager).

References

  • https://github.com/xwiki-contrib/jira/commit/98a74c2a516b42689c73b13ecd94e9c1998fa9cb and https://github.com/xwiki-contrib/jira/commit/5049e352d16f8356734de70daf1202301f170ee6
  • https://jira.xwiki.org/browse/JIRA-49

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.contrib.jira:jira-macro-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2"
            },
            {
              "fixed": "8.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T14:20:18Z",
    "nvd_published_at": "2025-04-03T19:15:40Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIf the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns an XML specifying a DOCTYPE pointing to a local file on the XWiki server host and displaying that file\u0027s content in one of the returned JIRA fields (such as the summary or description for example).\n\nFor example:\n\n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE foo [ \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e ]\u003e\n\u003crss version=\"0.92\"\u003e\n...\n    \u003citem\u003e\n      \u003ctitle\u003e\u0026xxe;\u003c/title\u003e\n      \u003clink\u003ehttps://jira.xwiki.org/browse/XE-307\u003c/link\u003e\n      \u003cproject id=\"10222\" key=\"XE\"\u003e{RETIRED} XWiki Enterprise\u003c/project\u003e\n      \u003cdescription\u003e\u0026xxe;\u003c/description\u003e\n      \u003cenvironment/\u003e\n...\n```\n\n### Patches\nThe vulnerability has been patched in the JIRA Extension v8.6.5.\n\n### Workarounds\nNo easy workaround except to upgrade (which is easy using the XWiki Extension Manager).\n\n### References\n* https://github.com/xwiki-contrib/jira/commit/98a74c2a516b42689c73b13ecd94e9c1998fa9cb and https://github.com/xwiki-contrib/jira/commit/5049e352d16f8356734de70daf1202301f170ee6\n* https://jira.xwiki.org/browse/JIRA-49\n\n### For more information\nIf you have any questions or comments about this advisory:\n*    Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n*    Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-wc53-4255-gw3f",
  "modified": "2025-04-04T14:20:18Z",
  "published": "2025-04-04T14:20:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki-contrib/jira/security/advisories/GHSA-wc53-4255-gw3f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31487"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki-contrib/jira/commit/5049e352d16f8356734de70daf1202301f170ee6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki-contrib/jira/commit/98a74c2a516b42689c73b13ecd94e9c1998fa9cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki-contrib/jira"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/JIRA-49"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server"
}

GHSA-WC5V-H4FQ-4G72

Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-06 00:00
VLAI
Details

VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-27T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.",
  "id": "GHSA-wc5v-h4fq-4g72",
  "modified": "2022-08-06T00:00:49Z",
  "published": "2022-07-28T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42537"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-308-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.