CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-XF3V-QXXV-424V
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2022-05-14 03:54IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.
{
"affected": [],
"aliases": [
"CVE-2017-1289"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-22T20:29:00Z",
"severity": "HIGH"
},
"details": "IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150.",
"id": "GHSA-xf3v-qxxv-424v",
"modified": "2022-05-14T03:54:57Z",
"published": "2022-05-14T03:54:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1289"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1220"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1221"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1222"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3453"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=swg22002169"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98401"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XFCJ-2F35-8GFW
Vulnerability from github – Published: 2023-06-26 21:31 – Updated: 2024-04-04 05:10An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files.
{
"affected": [],
"aliases": [
"CVE-2023-3113"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T20:15:10Z",
"severity": "HIGH"
},
"details": "An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA\u0027s Common Information Model (CIM) server that could result in read-only access to specific files.",
"id": "GHSA-xfcj-2f35-8gfw",
"modified": "2024-04-04T05:10:55Z",
"published": "2023-06-26T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3113"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-98715"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG22-X8FQ-6946
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:14Intersystems Cache 2017.2.2.865.0 allows XXE.
{
"affected": [],
"aliases": [
"CVE-2018-17152"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-11T19:15:00Z",
"severity": "MODERATE"
},
"details": "Intersystems Cache 2017.2.2.865.0 allows XXE.",
"id": "GHSA-xg22-x8fq-6946",
"modified": "2024-04-04T01:14:46Z",
"published": "2022-05-24T16:50:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17152"
},
{
"type": "WEB",
"url": "https://know.bishopfox.com/advisories/intersystems-cache-2017-2-2-865-0-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG3G-PPRG-2WQW
Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2025-04-20 03:36Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).
{
"affected": [],
"aliases": [
"CVE-2017-3548"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-24T19:59:00Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).",
"id": "GHSA-xg3g-pprg-2wqw",
"modified": "2025-04-20T03:36:45Z",
"published": "2022-05-13T01:45:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3548"
},
{
"type": "WEB",
"url": "https://erpscan.io/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/41925"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97880"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038301"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XG7C-263C-79VP
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 00:00IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.
{
"affected": [],
"aliases": [
"CVE-2022-34348"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-23T18:15:00Z",
"severity": "HIGH"
},
"details": "IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.",
"id": "GHSA-xg7c-263c-79vp",
"modified": "2022-09-28T00:00:21Z",
"published": "2022-09-25T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34348"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230017"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6695927"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XGMV-256H-6689
Vulnerability from github – Published: 2025-09-08 12:30 – Updated: 2025-09-08 12:30A vulnerability was found in Jinher OA up to 1.2. This impacts an unknown function of the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the component XML Handler. The manipulation results in xml external entity reference. The attack can be executed remotely. The exploit has been made public and could be used.
{
"affected": [],
"aliases": [
"CVE-2025-10092"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-08T12:15:31Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Jinher OA up to 1.2. This impacts an unknown function of the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the component XML Handler. The manipulation results in xml external entity reference. The attack can be executed remotely. The exploit has been made public and could be used.",
"id": "GHSA-xgmv-256h-6689",
"modified": "2025-09-08T12:30:33Z",
"published": "2025-09-08T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10092"
},
{
"type": "WEB",
"url": "https://github.com/Cstarplus/CVE/issues/3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.323047"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.323047"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.644868"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XH56-3XP6-P447
Vulnerability from github – Published: 2022-05-14 02:19 – Updated: 2022-05-14 02:19IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.
{
"affected": [],
"aliases": [
"CVE-2017-8316"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-03T15:29:00Z",
"severity": "HIGH"
},
"details": "IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.",
"id": "GHSA-xh56-3xp6-p447",
"modified": "2022-05-14T02:19:44Z",
"published": "2022-05-14T02:19:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8316"
},
{
"type": "WEB",
"url": "https://research.checkpoint.com/parsedroid-targeting-android-development-research-community"
},
{
"type": "WEB",
"url": "https://youtrack.jetbrains.com/issue/IDEA-175381"
},
{
"type": "WEB",
"url": "http://git.jetbrains.org/?p=idea/adt-tools-base.git;a=commit;h=a778b2b88515513654e002cd51cbe8eb8226e96b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XH7C-PF93-3V3R
Vulnerability from github – Published: 2024-07-18 18:31 – Updated: 2024-07-18 18:31IBM Engineering Requirements Management DOORS Web Access 9.7.2.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 273335.
{
"affected": [],
"aliases": [
"CVE-2023-50304"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-18T16:15:06Z",
"severity": "HIGH"
},
"details": "IBM Engineering Requirements Management DOORS Web Access 9.7.2.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 273335.",
"id": "GHSA-xh7c-pf93-3v3r",
"modified": "2024-07-18T18:31:42Z",
"published": "2024-07-18T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50304"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/273335"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7160471"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XMFF-C8V2-FHFP
Vulnerability from github – Published: 2023-05-18 03:30 – Updated: 2023-05-18 03:30Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2023-20173"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-18T03:15:10Z",
"severity": "MODERATE"
},
"details": "Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-xmff-c8v2-fhfp",
"modified": "2023-05-18T03:30:21Z",
"published": "2023-05-18T03:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20173"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-696OZTCm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XMVG-W4F9-99R7
Vulnerability from github – Published: 2018-12-20 22:02 – Updated: 2022-09-14 22:23bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.bedework.caleng:bw-calendar-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.12.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000836"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:03:50Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "bw-calendar-engine version \u003c= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.",
"id": "GHSA-xmvg-w4f9-99r7",
"modified": "2022-09-14T22:23:07Z",
"published": "2018-12-20T22:02:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000836"
},
{
"type": "WEB",
"url": "https://github.com/Bedework/bw-calendar-engine/issues/3"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM"
},
{
"type": "PACKAGE",
"url": "https://github.com/Bedework/bw-calendar-engine"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-xmvg-w4f9-99r7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity (XXE) vulnerability in bw-calendar-engine"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.