CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1693 vulnerabilities reference this CWE, most recent first.
GHSA-2QC8-R663-V864
Vulnerability from github – Published: 2023-08-11 18:31 – Updated: 2023-08-18 19:22XXE injection in /rtc/post/ endpoint in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opennms.core:org.opennms.core.xml"
},
"ranges": [
{
"events": [
{
"introduced": "31.0.8"
},
{
"fixed": "32.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0871"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-11T23:04:51Z",
"nvd_published_at": "2023-08-11T17:15:08Z",
"severity": "HIGH"
},
"details": "XXE injection in `/rtc/post/ endpoint` in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms\u00a0is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services.\u00a0The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization\u0027s private networks and should not be directly accessible from the Internet.\n",
"id": "GHSA-2qc8-r663-v864",
"modified": "2023-08-18T19:22:58Z",
"published": "2023-08-11T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0871"
},
{
"type": "WEB",
"url": "https://github.com/OpenNMS/opennms/pull/6355"
},
{
"type": "WEB",
"url": "https://github.com/OpenNMS/opennms/commit/5a3b0b62e0c612c9e2aa2c91c847abec71d767d5"
},
{
"type": "WEB",
"url": "https://docs.opennms.com/horizon/32/releasenotes/changelog.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenNMS/opennms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenNMS Horizon XXE Injection Vulnerability"
}
GHSA-2QJ3-RH4C-5VH4
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:17A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-1060"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-10T14:15:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027.",
"id": "GHSA-2qj3-rh4c-5vh4",
"modified": "2024-04-04T02:17:47Z",
"published": "2022-05-24T16:58:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1060"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1060"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2QJ5-WJFC-3W96
Vulnerability from github – Published: 2022-05-17 02:57 – Updated: 2022-05-17 02:57IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1997798.
{
"affected": [],
"aliases": [
"CVE-2016-8974"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-23T16:59:00Z",
"severity": "HIGH"
},
"details": "IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1997798.",
"id": "GHSA-2qj5-wjfc-3w96",
"modified": "2022-05-17T02:57:05Z",
"published": "2022-05-17T02:57:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8974"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21997798"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2QP9-4PH2-CJ5Q
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:19Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.
{
"affected": [],
"aliases": [
"CVE-2019-7847"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-18T22:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.",
"id": "GHSA-2qp9-4ph2-cj5q",
"modified": "2024-04-04T01:19:24Z",
"published": "2022-05-24T16:50:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7847"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/campaign/apsb19-28.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2QPC-H4MF-GVRR
Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2022-05-14 03:38IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859.
{
"affected": [],
"aliases": [
"CVE-2017-1758"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-21T21:29:00Z",
"severity": "HIGH"
},
"details": "IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 135859.",
"id": "GHSA-2qpc-h4mf-gvrr",
"modified": "2022-05-14T03:38:59Z",
"published": "2022-05-14T03:38:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1758"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/135859"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22012828"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22013375"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22013432"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103130"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2RF2-P79X-79WJ
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
{
"affected": [],
"aliases": [
"CVE-2021-27931"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-03T20:15:00Z",
"severity": "CRITICAL"
},
"details": "LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.",
"id": "GHSA-2rf2-p79x-79wj",
"modified": "2022-05-24T17:43:36Z",
"published": "2022-05-24T17:43:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27931"
},
{
"type": "WEB",
"url": "https://github.com/sl4cky/LumisXP-XXE---POC/blob/main/poc.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2RH4-XGMQ-63JP
Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-12-16 23:00Parasoft Findings Plugin implements a static analysis parser for various Parasoft products and integrates with Warnings Plugin (10.4.1 and earlier) and Warnings NG Plugin (10.4.2 and newer).
Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the Parasoft Findings parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Parasoft Findings Plugin 10.4.4 disables external entity resolution for its XML parser.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.4.3"
},
"package": {
"ecosystem": "Maven",
"name": "com.parasoft:parasoft-findings"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2178"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-16T23:00:23Z",
"nvd_published_at": "2020-04-16T19:15:00Z",
"severity": "HIGH"
},
"details": "Parasoft Findings Plugin implements a static analysis parser for various Parasoft products and integrates with [Warnings Plugin](https://plugins.jenkins.io/warnings) (10.4.1 and earlier) and [Warnings NG Plugin](https://plugins.jenkins.io/warnings-ng) (10.4.2 and newer).\n\nParasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the Parasoft Findings parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nParasoft Findings Plugin 10.4.4 disables external entity resolution for its XML parser.",
"id": "GHSA-2rh4-xgmq-63jp",
"modified": "2022-12-16T23:00:23Z",
"published": "2022-05-24T17:15:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2178"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/parasoft-findings-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-04-16/#SECURITY-1753"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/04/16/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Parasoft Findings Plugin"
}
GHSA-2RMM-87V7-34RJ
Vulnerability from github – Published: 2022-03-06 00:00 – Updated: 2022-03-15 21:34An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.any23:apache-any23"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25312"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-07T20:09:23Z",
"nvd_published_at": "2022-03-05T00:15:00Z",
"severity": "CRITICAL"
},
"details": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions \u003c 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7.",
"id": "GHSA-2rmm-87v7-34rj",
"modified": "2022-03-15T21:34:09Z",
"published": "2022-03-06T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25312"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/any23"
},
{
"type": "WEB",
"url": "https://github.com/apache/any23/blob/any23-2.7/RELEASE-NOTES.md"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/03/04/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Any23"
}
GHSA-2RR5-8Q37-2W7H
Vulnerability from github – Published: 2021-09-27 20:12 – Updated: 2021-09-28 18:46Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)
Impact
In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.
Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:
- Nokogiri::XML::SAX::Parser
- Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
- Nokogiri::XML::SAX::PushParser
- Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser
Mitigation
JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.
CRuby users are not affected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.4"
},
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41098"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-27T19:20:23Z",
"nvd_published_at": "2021-09-27T20:15:00Z",
"severity": "HIGH"
},
"details": "### Severity\n\nThe Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.0)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:L) for JRuby users. (This security advisory does not apply to CRuby users.)\n\n\n### Impact\n\nIn Nokogiri v1.12.4 and earlier, **on JRuby only**, the SAX parser resolves external entities by default.\n\nUsers of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:\n\n- Nokogiri::XML::SAX::Parser\n- Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser\n- Nokogiri::XML::SAX::PushParser\n- Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser\n\n\n### Mitigation\n\nJRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.\n\nCRuby users are not affected.",
"id": "GHSA-2rr5-8q37-2w7h",
"modified": "2021-09-28T18:46:02Z",
"published": "2021-09-27T20:12:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41098"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-41098.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby"
}
GHSA-2VCM-447J-6J4J
Vulnerability from github – Published: 2025-04-28 21:30 – Updated: 2025-11-05 00:31GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.
{
"affected": [],
"aliases": [
"CVE-2025-34490"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-28T19:15:47Z",
"severity": "MODERATE"
},
"details": "GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.",
"id": "GHSA-2vcm-447j-6j4j",
"modified": "2025-11-05T00:31:18Z",
"published": "2025-04-28T21:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34490"
},
{
"type": "WEB",
"url": "https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html"
},
{
"type": "WEB",
"url": "https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/gfi-mailessentials-xxe-arbitrary-file-read"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.