Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-XF3V-QXXV-424V

Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2022-05-14 03:54
VLAI
Details

IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1289"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-22T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.",
  "id": "GHSA-xf3v-qxxv-424v",
  "modified": "2022-05-14T03:54:57Z",
  "published": "2022-05-14T03:54:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1289"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1220"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1221"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1222"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3453"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=swg22002169"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98401"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFCJ-2F35-8GFW

Vulnerability from github – Published: 2023-06-26 21:31 – Updated: 2024-04-04 05:10
VLAI
Details

An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-26T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA\u0027s Common Information Model (CIM) server that could result in read-only access to specific files.",
  "id": "GHSA-xfcj-2f35-8gfw",
  "modified": "2024-04-04T05:10:55Z",
  "published": "2023-06-26T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3113"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-98715"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG22-X8FQ-6946

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:14
VLAI
Details

Intersystems Cache 2017.2.2.865.0 allows XXE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-11T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Intersystems Cache 2017.2.2.865.0 allows XXE.",
  "id": "GHSA-xg22-x8fq-6946",
  "modified": "2024-04-04T01:14:46Z",
  "published": "2022-05-24T16:50:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17152"
    },
    {
      "type": "WEB",
      "url": "https://know.bishopfox.com/advisories/intersystems-cache-2017-2-2-865-0-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG3G-PPRG-2WQW

Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2025-04-20 03:36
VLAI
Details

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-24T19:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).",
  "id": "GHSA-xg3g-pprg-2wqw",
  "modified": "2025-04-20T03:36:45Z",
  "published": "2022-05-13T01:45:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3548"
    },
    {
      "type": "WEB",
      "url": "https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41925"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97880"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038301"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG7C-263C-79VP

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 00:00
VLAI
Details

IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-23T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.",
  "id": "GHSA-xg7c-263c-79vp",
  "modified": "2022-09-28T00:00:21Z",
  "published": "2022-09-25T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34348"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230017"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6695927"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XGMV-256H-6689

Vulnerability from github – Published: 2025-09-08 12:30 – Updated: 2025-09-08 12:30
VLAI
Details

A vulnerability was found in Jinher OA up to 1.2. This impacts an unknown function of the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the component XML Handler. The manipulation results in xml external entity reference. The attack can be executed remotely. The exploit has been made public and could be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-08T12:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Jinher OA up to 1.2. This impacts an unknown function of the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the component XML Handler. The manipulation results in xml external entity reference. The attack can be executed remotely. The exploit has been made public and could be used.",
  "id": "GHSA-xgmv-256h-6689",
  "modified": "2025-09-08T12:30:33Z",
  "published": "2025-09-08T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10092"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cstarplus/CVE/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.323047"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.323047"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.644868"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XH56-3XP6-P447

Vulnerability from github – Published: 2022-05-14 02:19 – Updated: 2022-05-14 02:19
VLAI
Details

IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-03T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.",
  "id": "GHSA-xh56-3xp6-p447",
  "modified": "2022-05-14T02:19:44Z",
  "published": "2022-05-14T02:19:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8316"
    },
    {
      "type": "WEB",
      "url": "https://research.checkpoint.com/parsedroid-targeting-android-development-research-community"
    },
    {
      "type": "WEB",
      "url": "https://youtrack.jetbrains.com/issue/IDEA-175381"
    },
    {
      "type": "WEB",
      "url": "http://git.jetbrains.org/?p=idea/adt-tools-base.git;a=commit;h=a778b2b88515513654e002cd51cbe8eb8226e96b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH7C-PF93-3V3R

Vulnerability from github – Published: 2024-07-18 18:31 – Updated: 2024-07-18 18:31
VLAI
Details

IBM Engineering Requirements Management DOORS Web Access 9.7.2.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 273335.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-18T16:15:06Z",
    "severity": "HIGH"
  },
  "details": "IBM Engineering Requirements Management DOORS Web Access 9.7.2.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.  IBM X-Force ID:  273335.",
  "id": "GHSA-xh7c-pf93-3v3r",
  "modified": "2024-07-18T18:31:42Z",
  "published": "2024-07-18T18:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50304"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/273335"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7160471"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMFF-C8V2-FHFP

Vulnerability from github – Published: 2023-05-18 03:30 – Updated: 2023-05-18 03:30
VLAI
Details

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-18T03:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-xmff-c8v2-fhfp",
  "modified": "2023-05-18T03:30:21Z",
  "published": "2023-05-18T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20173"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-696OZTCm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMVG-W4F9-99R7

Vulnerability from github – Published: 2018-12-20 22:02 – Updated: 2022-09-14 22:23
VLAI
Summary
XML External Entity (XXE) vulnerability in bw-calendar-engine
Details

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bedework.caleng:bw-calendar-engine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:50Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "bw-calendar-engine version \u003c= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.",
  "id": "GHSA-xmvg-w4f9-99r7",
  "modified": "2022-09-14T22:23:07Z",
  "published": "2018-12-20T22:02:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Bedework/bw-calendar-engine/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Bedework/bw-calendar-engine"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xmvg-w4f9-99r7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity (XXE) vulnerability in bw-calendar-engine"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.