CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-XP65-54G6-4JPJ
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265.
{
"affected": [],
"aliases": [
"CVE-2018-2019"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-18T16:29:00Z",
"severity": "HIGH"
},
"details": "IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265.",
"id": "GHSA-xp65-54g6-4jpj",
"modified": "2022-05-13T01:32:23Z",
"published": "2022-05-13T01:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2019"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155265"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10794615"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106657"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XP8P-9RQ5-4WGV
Vulnerability from github – Published: 2022-05-17 03:16 – Updated: 2023-08-03 21:53The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendxml"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5161"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T21:53:46Z",
"nvd_published_at": "2015-08-25T17:59:00Z",
"severity": "MODERATE"
},
"details": "The `Zend_Xml_Security::scan` in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.",
"id": "GHSA-xp8p-9rq5-4wgv",
"modified": "2023-08-03T21:53:46Z",
"published": "2022-05-17T03:16:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5161"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zf1/issues/393"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b"
},
{
"type": "WEB",
"url": "https://framework.zend.com/security/advisory/ZF2015-06"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/37765"
},
{
"type": "WEB",
"url": "http://framework.zend.com/security/advisory/ZF2015-06"
},
{
"type": "WEB",
"url": "http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2015/Aug/46"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3340"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76177"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ZendXml and Zend Framework contain XXE and XEE Vulnerabilities"
}
GHSA-XPH3-7HR2-G2JM
Vulnerability from github – Published: 2025-02-06 21:32 – Updated: 2025-02-06 21:32IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2024-54171"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-06T21:15:21Z",
"severity": "HIGH"
},
"details": "IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
"id": "GHSA-xph3-7hr2-g2jm",
"modified": "2025-02-06T21:32:10Z",
"published": "2025-02-06T21:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54171"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7182693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XPW4-HQM8-RJ97
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2025-04-20 03:50XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
{
"affected": [],
"aliases": [
"CVE-2014-3630"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-29T22:29:00Z",
"severity": "CRITICAL"
},
"details": "XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.",
"id": "GHSA-xpw4-hqm8-rj97",
"modified": "2025-04-20T03:50:40Z",
"published": "2022-05-13T01:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3630"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/play-framework/WdbFvemsFDQ"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21topic/play-framework/WdbFvemsFDQ"
},
{
"type": "WEB",
"url": "https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf"
},
{
"type": "WEB",
"url": "https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQ23-VW7C-WG89
Vulnerability from github – Published: 2022-05-17 03:03 – Updated: 2022-05-17 03:03XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses a crafted XML file.
{
"affected": [],
"aliases": [
"CVE-2015-7743"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-23T21:59:00Z",
"severity": "MODERATE"
},
"details": "XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses a crafted XML file.",
"id": "GHSA-xq23-vw7c-wg89",
"modified": "2022-05-17T03:03:04Z",
"published": "2022-05-17T03:03:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7743"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/137255/Paessler-PRTG-Network-Monitor-14.4.12.3282-XXE-Injection.html"
},
{
"type": "WEB",
"url": "https://www.paessler.com/prtg/history/stable#16.2.23.3077"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQ2Q-8HXC-7JR2
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-20 22:38Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:valgrind"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2245"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-20T22:38:25Z",
"nvd_published_at": "2020-09-01T14:15:00Z",
"severity": "HIGH"
},
"details": "Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-xq2q-8hxc-7jr2",
"modified": "2022-12-20T22:38:25Z",
"published": "2022-05-24T17:27:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2245"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/valgrind-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1829"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Valgrind Plugin"
}
GHSA-XQ76-5H8Q-6J3H
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-06 21:30WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
{
"affected": [],
"aliases": [
"CVE-2020-24379"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-09T19:15:00Z",
"severity": "MODERATE"
},
"details": "WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.",
"id": "GHSA-xq76-5h8q-6j3h",
"modified": "2022-12-06T21:30:44Z",
"published": "2022-05-24T17:27:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24379"
},
{
"type": "WEB",
"url": "https://github.com/erlyaws/yaws/commits/master"
},
{
"type": "WEB",
"url": "https://github.com/vulnbe/poc-yaws-dav-xxe"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00022.html"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/159106/Yaws-2.0.7-XML-Injection-Command-Injection.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4569-1"
},
{
"type": "WEB",
"url": "https://vuln.be/post/yaws-xxe-and-shell-injections"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4773"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQCP-X2J9-XJ7C
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.
{
"affected": [],
"aliases": [
"CVE-2021-1630"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-05T21:15:00Z",
"severity": "HIGH"
},
"details": "XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.",
"id": "GHSA-xqcp-x2j9-xj7c",
"modified": "2022-05-24T19:10:08Z",
"published": "2022-05-24T19:10:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1630"
},
{
"type": "WEB",
"url": "https://help.salesforce.com/articleView?id=000362693\u0026type=1\u0026mode=1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XRH2-C3RM-35JR
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2022-11-22 18:45HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.hornetq.rest:hornetq-rest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.0.Beta1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-3599"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-22T18:45:47Z",
"nvd_published_at": "2019-11-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy.",
"id": "GHSA-xrh2-c3rm-35jr",
"modified": "2022-11-22T18:45:47Z",
"published": "2022-05-24T22:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3599"
},
{
"type": "WEB",
"url": "https://github.com/hornetq/hornetq/commit/b3a63576371828d5f8e64ba7ccbcecb1da8111d2"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2014-3599"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3599"
},
{
"type": "PACKAGE",
"url": "https://github.com/hornetq/hornetq"
},
{
"type": "WEB",
"url": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3599.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "HornetQ REST vulnerable to Improper Restriction of XML External Entity Reference"
}
GHSA-XRHW-GPGR-R7CM
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192956.
{
"affected": [],
"aliases": [
"CVE-2020-5003"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T15:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192956.",
"id": "GHSA-xrhw-gpgr-r7cm",
"modified": "2022-05-24T19:05:11Z",
"published": "2022-05-24T19:05:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5003"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192956"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6462861"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.