Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-2J3M-GWXG-45RX

Vulnerability from github – Published: 2023-01-30 09:30 – Updated: 2025-03-27 21:30
VLAI
Details

Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed.",
  "id": "GHSA-2j3m-gwxg-45rx",
  "modified": "2025-03-27T21:30:37Z",
  "published": "2023-01-30T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22322"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU94200979"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2J45-PJ39-84JW

Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36
VLAI
Details

XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-07T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0",
  "id": "GHSA-2j45-pj39-84jw",
  "modified": "2022-05-14T01:36:20Z",
  "published": "2022-05-14T01:36:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15362"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/07/klcert-18-025-general-electric-proficy-gds-xml-external-entity-xxe"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-340-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106133"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JC4-R94C-RP7H

Vulnerability from github – Published: 2023-08-21 09:30 – Updated: 2025-02-13 19:10
VLAI
Summary
Apache Ivy External Entity Reference vulnerability
Details

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ivy:ivy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-21T20:39:45Z",
    "nvd_published_at": "2023-08-21T07:15:33Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle\u0027s \"Java API for XML Processing (JAXP) Security Guide\".",
  "id": "GHSA-2jc4-r94c-rp7h",
  "modified": "2025-02-13T19:10:25Z",
  "published": "2023-08-21T09:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/ant-ivy/commit/2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"
    },
    {
      "type": "WEB",
      "url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477"
    },
    {
      "type": "WEB",
      "url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/ant-ivy"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Ivy External Entity Reference vulnerability"
}

GHSA-2JQJ-5QV2-XVCG

Vulnerability from github – Published: 2025-04-10 12:25 – Updated: 2025-04-10 12:26
VLAI
Summary
ezsystems/ezplatform-richtext allows access to external entities in XML
Details

Impact

This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.

If you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.

Credits

This vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of Compass Security Deutschland GmbH. We thank them for reporting it responsibly to us.

Patches

  • See "Patched versions"
  • https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913

Workarounds

  • Exploitation requires edit access to RichText content. If you can trust your editors, and you don't grant edit permission to any externals, you are not at risk in practice.

References

  • https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ezsystems/ezplatform-richtext"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0-beta1"
            },
            {
              "fixed": "2.3.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T12:25:09Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThis security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.\n\nIf you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.\n\n### Credits\nThis vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of [Compass Security Deutschland GmbH](https://www.compass-security.com/en/). We thank them for reporting it responsibly to us.\n\n### Patches\n- See \"Patched versions\"\n- https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913\n\n### Workarounds\n- Exploitation requires edit access to RichText content. If you can trust your editors, and you don\u0027t grant edit permission to any externals, you are not at risk in practice.\n\n### References\n- https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext",
  "id": "GHSA-2jqj-5qv2-xvcg",
  "modified": "2025-04-10T12:26:44Z",
  "published": "2025-04-10T12:25:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ezsystems/ezplatform-richtext/security/advisories/GHSA-2jqj-5qv2-xvcg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913"
    },
    {
      "type": "WEB",
      "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ezsystems/ezplatform-richtext"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ezsystems/ezplatform-richtext allows access to external entities in XML"
}

GHSA-2JRP-R5X4-HG4W

Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11
VLAI
Details

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-09T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027.",
  "id": "GHSA-2jrp-r5x4-hg4w",
  "modified": "2022-05-14T01:11:04Z",
  "published": "2022-05-14T01:11:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0756"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0756"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JX2-CGJ2-48WC

Vulnerability from github – Published: 2025-05-23 00:30 – Updated: 2025-05-23 00:30
VLAI
Details

Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T23:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application.",
  "id": "GHSA-2jx2-cgj2-48wc",
  "modified": "2025-05-23T00:30:19Z",
  "published": "2025-05-23T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4338"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01"
    },
    {
      "type": "WEB",
      "url": "https://www.lantronix.com/products/lantronix-provisioning-manager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2JX3-P89P-3F69

Vulnerability from github – Published: 2022-12-21 18:30 – Updated: 2022-12-21 18:30
VLAI
Details

An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-16T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4",
  "id": "GHSA-2jx3-p89p-3f69",
  "modified": "2022-12-21T18:30:24Z",
  "published": "2022-12-21T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25628"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/21136"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JX8-V4HV-GX3H

Vulnerability from github – Published: 2021-06-28 16:45 – Updated: 2021-10-05 17:29
VLAI
Summary
XXE vulnerability in Launch import
Details
Release Date Affected Projects Affected Versions Access Vector Security Risk
Monday, May 4, 2020 service-api Every version, starting from 3.1.0 Remote Medium

Impact

Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.

Report Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.

We advise our users install the latest releases we built specifically to address this issue.

Patches

Fixed with https://github.com/reportportal/service-api/pull/1201

Binary Download

https://bintray.com/epam/reportportal/service-api/5.1.1 https://bintray.com/epam/reportportal/service-api/4.3.12

Docker Container Download

  • RP v4: docker pull reportportal/service-api:4.3.12
  • RP v5: docker pull reportportal/service-api:5.1.1

Acknowledgement

The issue was reported to Report Portal Team by an external security researcher. Our Team thanks Julien M. for reporting the issue.

For more information

If you have any questions or comments about this advisory email us: support@reportportal.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.epam.reportportal:service-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "4.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.epam.reportportal:service-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-28T16:45:26Z",
    "nvd_published_at": "2020-05-04T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "| Release Date | Affected Projects | Affected Versions | Access Vector| Security Risk |\n|--------------|-------------------|-------------------|---------------|---------------|\n| Monday, May 4, 2020| [service-api](https://github.com/reportportal/service-api) | Every version, starting from 3.1.0 | Remote | Medium |\n\n### Impact\nStarting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.\n\nReport Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.\n\nWe advise our users install the latest releases we built specifically to address this issue.\n\n### Patches\nFixed with https://github.com/reportportal/service-api/pull/1201\n\n### Binary Download\nhttps://bintray.com/epam/reportportal/service-api/5.1.1\nhttps://bintray.com/epam/reportportal/service-api/4.3.12\n\n### Docker Container Download\n* RP v4: `docker pull reportportal/service-api:4.3.12`\n* RP v5: `docker pull reportportal/service-api:5.1.1`\n\n### Acknowledgement\nThe issue was reported to Report Portal Team by an external security researcher.\nOur Team thanks Julien M. for reporting the issue.\n\n### For more information\nIf you have any questions or comments about this advisory email us: [support@reportportal.io](mailto:support@reportportal.io)",
  "id": "GHSA-2jx8-v4hv-gx3h",
  "modified": "2021-10-05T17:29:41Z",
  "published": "2021-06-28T16:45:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-2jx8-v4hv-gx3h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/service-api/pull/1201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/service-api/commit/da4a012abdcc69f02f4255d81466f1f473b7f418"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reportportal/reportportal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Launch import"
}

GHSA-2M3G-74X3-7W8X

Vulnerability from github – Published: 2025-12-10 00:30 – Updated: 2025-12-10 00:30
VLAI
Details

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T00:16:10Z",
    "severity": "MODERATE"
  },
  "details": "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed.",
  "id": "GHSA-2m3g-74x3-7w8x",
  "modified": "2025-12-10T00:30:23Z",
  "published": "2025-12-10T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61823"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2MP8-QVQM-3XWQ

Vulnerability from github – Published: 2018-10-17 00:04 – Updated: 2023-09-26 11:23
VLAI
Summary
Restlet Framework Ja-rs extension is vulnerable to XXE when using SimpleXMLProvider
Details

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.restlet.jse:org.restlet.ext.jaxrs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-14868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:52:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.",
  "id": "GHSA-2mp8-qvqm-3xwq",
  "modified": "2023-09-26T11:23:36Z",
  "published": "2018-10-17T00:04:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14868"
    },
    {
      "type": "WEB",
      "url": "https://github.com/restlet/restlet-framework-java/issues/1286"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2mp8-qvqm-3xwq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/restlet/restlet-framework-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
    },
    {
      "type": "WEB",
      "url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Restlet Framework Ja-rs extension is vulnerable to XXE when using SimpleXMLProvider"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.