CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-33HF-CC48-QXC6
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. This issue occurs only when using Mozilla Firefox.
{
"affected": [],
"aliases": [
"CVE-2021-20801"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-13T09:15:00Z",
"severity": "MODERATE"
},
"details": "Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. This issue occurs only when using Mozilla Firefox.",
"id": "GHSA-33hf-cc48-qxc6",
"modified": "2022-05-24T19:17:26Z",
"published": "2022-05-24T19:17:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20801"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN52694228/index.html"
},
{
"type": "WEB",
"url": "https://kb.cybozu.support/article/37423"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-33JW-2JPQ-625X
Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-11 00:30Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.
{
"affected": [],
"aliases": [
"CVE-2023-37233"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T16:15:18Z",
"severity": "HIGH"
},
"details": "Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.",
"id": "GHSA-33jw-2jpq-625x",
"modified": "2024-09-11T00:30:51Z",
"published": "2024-09-10T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37233"
},
{
"type": "WEB",
"url": "https://code-white.com"
},
{
"type": "WEB",
"url": "https://code-white.com/public-vulnerability-list"
},
{
"type": "WEB",
"url": "https://docs.loftware.com/spectrum-releasenotes/Content/Hotfix/4.6_HF14.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-33R3-58HJ-PWMX
Vulnerability from github – Published: 2024-07-18 18:31 – Updated: 2026-06-03 15:30Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1.
{
"affected": [],
"aliases": [
"CVE-2024-5625"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-18T18:15:05Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1.",
"id": "GHSA-33r3-58hj-pwmx",
"modified": "2026-06-03T15:30:33Z",
"published": "2024-07-18T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5625"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1010"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3446-6MGW-F79P
Vulnerability from github – Published: 2026-05-05 21:35 – Updated: 2026-05-05 21:35Dear Grav Security Team,
A security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity (XXE) injection.
Vulnerability Summary
| Field | Details |
|---|---|
| Vulnerability Type | XML External Entity (XXE) Injection |
| Severity | High (CVSS 7.5) |
| Affected Versions | Grav CMS <= 1.7.x |
| Affected Component | SVG file upload/processing |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| Authentication Required | Yes (Admin panel access) |
Technical Details
Root Cause
The application uses simplexml_load_string() to process uploaded SVG files without disabling external entity loading. This allows attackers to inject XXE payloads that are processed by the XML parser.
Vulnerable Code Pattern
// Current (Vulnerable):
$svg = simplexml_load_string($content);
// No LIBXML_NOENT flag or entity loader protection
Attack Vector 1. Attacker authenticates to Grav admin panel 2. Uploads malicious SVG file via Pages → Media or File Manager plugin 3. Server parses SVG and processes XXE entities 4. Arbitrary file contents are exfiltrated
Impact
An authenticated attacker can:
- Read sensitive files:
/etc/passwd- System user informationuser/accounts/*.yaml- Admin credentials and 2FA secretsuser/config/system.yaml- System configuration-
.envfiles - Environment secrets and API keys -
Perform SSRF - Access internal services via external entity URLs
-
Potential DoS - Billion laughs attack via recursive entity expansion
Proof of Concept
Malicious SVG Payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<text x="10" y="50">&xxe;</text>
</svg>
Steps to Reproduce 1. Login to Grav CMS admin panel 2. Navigate to Pages → select any page → Media tab 3. Upload the malicious SVG file 4. Observe file contents in response/error or stored output
Recommended Fix
Option 1: Add XXE Protection Flags
libxml_use_internal_errors(true);
$svg = simplexml_load_string($content, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD);
Option 2: Use SVG Sanitizer Library (Recommended)
use enshrined\svgSanitize\Sanitizer;
$sanitizer = new Sanitizer();
$sanitizer->removeRemoteReferences(true);
$cleanSVG = $sanitizer->sanitize($content);
The enshrined/svg-sanitize library properly strips XXE payloads and other malicious SVG content.
Request
- Please acknowledge receipt of this report within 5 business days
- Please provide an estimated timeline for a security patch
- I am happy to assist with testing the fix
- I request a CVE be assigned for this vulnerability
- If you have a security advisory process, please include me in the credits
Turki Almatrafi.
Maintainer note — fix applied (2026-04-24)
Fixed across two repos:
-
Grav core on the
2.0branch (commit5a12f9be8, ships in 2.0.0-beta.2) —VectorImageMedium::__construct(the code path that reads width/height from an uploaded SVG) now strips<!DOCTYPE>and<!ENTITY>declarations before parsing, and callssimplexml_load_stringwithLIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING. On PHP < 8 it also callslibxml_disable_entity_loader(true)for the duration of the parse. -
rhukster/dom-sanitizer (commit
02d08ec) — the library Grav ships as its SVG sanitizer.loadDocumentnow applies the same DOCTYPE/ENTITY strip and passesLIBXML_NONETtoloadXML/loadHTML.
With both layers in place, the PoC:
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<text x="10" y="50">&xxe;</text>
</svg>
no longer expands &xxe;, and the parser cannot make outbound filesystem or network requests for external entities/DTDs. Billion-laughs-style entity expansion is also neutralized because the declarations are stripped before libxml ever sees them.
Files:
- system/src/Grav/Common/Page/Medium/VectorImageMedium.php.
- tests/unit/Grav/Common/Security/SvgXxeSecurityTest.php — XXE neutralization + billion-laughs + plain-SVG regression.
- dom-sanitizer: src/DOMSanitizer.php + two new XXE tests in its own suite.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:35:53Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Dear Grav Security Team,\n\nA security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity (XXE) injection.\n\n Vulnerability Summary\n\n| Field | Details |\n|-------|---------|\n| Vulnerability Type | XML External Entity (XXE) Injection |\n| Severity | High (CVSS 7.5) |\n| Affected Versions | Grav CMS \u003c= 1.7.x |\n| Affected Component | SVG file upload/processing |\n| CWE | CWE-611: Improper Restriction of XML External Entity Reference |\n| Authentication Required | Yes (Admin panel access) |\n\nTechnical Details\n\n Root Cause\nThe application uses `simplexml_load_string()` to process uploaded SVG files without disabling external entity loading. This allows attackers to inject XXE payloads that are processed by the XML parser.\n\n Vulnerable Code Pattern\n```php\n// Current (Vulnerable):\n$svg = simplexml_load_string($content);\n\n// No LIBXML_NOENT flag or entity loader protection\n```\n\n Attack Vector\n1. Attacker authenticates to Grav admin panel\n2. Uploads malicious SVG file via Pages \u2192 Media or File Manager plugin\n3. Server parses SVG and processes XXE entities\n4. Arbitrary file contents are exfiltrated\n\n Impact\n\nAn authenticated attacker can:\n\n1. Read sensitive files:\n - `/etc/passwd` - System user information\n - `user/accounts/*.yaml` - Admin credentials and 2FA secrets\n - `user/config/system.yaml` - System configuration\n - `.env` files - Environment secrets and API keys\n\n2. Perform SSRF - Access internal services via external entity URLs\n\n3. Potential DoS - Billion laughs attack via recursive entity expansion\n\nProof of Concept\n\n Malicious SVG Payload\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE svg [\n \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e\n]\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" width=\"100\" height=\"100\"\u003e\n \u003ctext x=\"10\" y=\"50\"\u003e\u0026xxe;\u003c/text\u003e\n\u003c/svg\u003e\n```\n\n Steps to Reproduce\n1. Login to Grav CMS admin panel\n2. Navigate to Pages \u2192 select any page \u2192 Media tab\n3. Upload the malicious SVG file\n4. Observe file contents in response/error or stored output\n\n Recommended Fix\n\n Option 1: Add XXE Protection Flags\n```php\nlibxml_use_internal_errors(true);\n$svg = simplexml_load_string($content, \u0027SimpleXMLElement\u0027, LIBXML_NOENT | LIBXML_DTDLOAD);\n```\n\n Option 2: Use SVG Sanitizer Library (Recommended)\n```php\nuse enshrined\\svgSanitize\\Sanitizer;\n\n$sanitizer = new Sanitizer();\n$sanitizer-\u003eremoveRemoteReferences(true);\n$cleanSVG = $sanitizer-\u003esanitize($content);\n```\n\nThe `enshrined/svg-sanitize` library properly strips XXE payloads and other malicious SVG content.\n\n Request\n\n1. Please acknowledge receipt of this report within 5 business days\n2. Please provide an estimated timeline for a security patch\n3. I am happy to assist with testing the fix\n4. I request a CVE be assigned for this vulnerability\n5. If you have a security advisory process, please include me in the credits\n\nTurki Almatrafi.\n\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed across two repos:\n\n1. **Grav core on the `2.0` branch** (commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8), ships in **2.0.0-beta.2**) \u2014 `VectorImageMedium::__construct` (the code path that reads width/height from an uploaded SVG) now strips `\u003c!DOCTYPE\u003e` and `\u003c!ENTITY\u003e` declarations before parsing, and calls `simplexml_load_string` with `LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING`. On PHP \u003c 8 it also calls `libxml_disable_entity_loader(true)` for the duration of the parse.\n\n2. **rhukster/dom-sanitizer** (commit [`02d08ec`](https://github.com/rhukster/dom-sanitizer/commit/02d08ec)) \u2014 the library Grav ships as its SVG sanitizer. `loadDocument` now applies the same DOCTYPE/ENTITY strip and passes `LIBXML_NONET` to `loadXML`/`loadHTML`.\n\nWith both layers in place, the PoC:\n\n```xml\n\u003c!DOCTYPE svg [\n \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e\n]\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" width=\"100\" height=\"100\"\u003e\n \u003ctext x=\"10\" y=\"50\"\u003e\u0026xxe;\u003c/text\u003e\n\u003c/svg\u003e\n```\n\nno longer expands `\u0026xxe;`, and the parser cannot make outbound filesystem or network requests for external entities/DTDs. Billion-laughs-style entity expansion is also neutralized because the declarations are stripped before libxml ever sees them.\n\n**Files:**\n- [`system/src/Grav/Common/Page/Medium/VectorImageMedium.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Page/Medium/VectorImageMedium.php).\n- [`tests/unit/Grav/Common/Security/SvgXxeSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/SvgXxeSecurityTest.php) \u2014 XXE neutralization + billion-laughs + plain-SVG regression.\n- dom-sanitizer: [`src/DOMSanitizer.php`](https://github.com/rhukster/dom-sanitizer/blob/main/src/DOMSanitizer.php) + two new XXE tests in its own suite.",
"id": "GHSA-3446-6mgw-f79p",
"modified": "2026-05-05T21:35:53Z",
"published": "2026-05-05T21:35:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Grav is Vulnerable to XXE via SVG Upload "
}
GHSA-3457-WMR8-RFXC
Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-23 18:30Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
{
"affected": [],
"aliases": [
"CVE-2022-43512"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T23:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
"id": "GHSA-3457-wmr8-rfxc",
"modified": "2023-03-23T18:30:19Z",
"published": "2023-03-22T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43512"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-346G-JRX9-JGF4
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-12-06 21:31An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
Note: Jenkins has suspended distribution of this plugin.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins.plugin:fireline"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10466"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-06T21:31:41Z",
"nvd_published_at": "2019-10-23T13:15:00Z",
"severity": "HIGH"
},
"details": "An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.\n\n## Note: Jenkins has suspended distribution of this plugin.",
"id": "GHSA-346g-jrx9-jgf4",
"modified": "2022-12-06T21:31:41Z",
"published": "2022-05-24T16:59:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10466"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/fireline-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-10-23/#SECURITY-822"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/10/23/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins 360 FireLine Plugin vulnerable to XML External Entity Reference"
}
GHSA-347G-9RP4-26RW
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:00An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 build 1179(Final). The Audit Report module is affected by a blind XXE vulnerability when a new Best Practices Report is saved using a special payload inside the xml input field. The XXE vulnerability is blind since the response doesn't directly display a requested file, but rather returns it inside the name data field when the report is saved. An attacker is able to view restricted operating system files. This issue affects all types of users: administrators or normal users.
{
"affected": [],
"aliases": [
"CVE-2018-18406"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-19T16:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 build 1179(Final). The Audit Report module is affected by a blind XXE vulnerability when a new Best Practices Report is saved using a special payload inside the xml input field. The XXE vulnerability is blind since the response doesn\u0027t directly display a requested file, but rather returns it inside the name data field when the report is saved. An attacker is able to view restricted operating system files. This issue affects all types of users: administrators or normal users.",
"id": "GHSA-347g-9rp4-26rw",
"modified": "2024-04-04T01:00:27Z",
"published": "2022-05-24T16:48:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18406"
},
{
"type": "WEB",
"url": "https://forum.tufin.com/support/kc/latest"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45808"
},
{
"type": "WEB",
"url": "https://www.tufin.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-34J5-C4CV-MMG5
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2023-10-27 14:41Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Job/Configure permission or otherwise able to control the contents of an URL to an XML document being examined for changes to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial-of-service attacks.
UJenkins RLTrigger Plugin 0.49 disables external entity resolution for its XML parser.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.48"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:urltrigger"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.49"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21659"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T17:33:55Z",
"nvd_published_at": "2021-05-25T17:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with Job/Configure permission or otherwise able to control the contents of an URL to an XML document being examined for changes to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial-of-service attacks.\n\nUJenkins RLTrigger Plugin 0.49 disables external entity resolution for its XML parser.",
"id": "GHSA-34j5-c4cv-mmg5",
"modified": "2023-10-27T14:41:43Z",
"published": "2022-05-24T19:03:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21659"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/urltrigger-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-05-25/#SECURITY-2341"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/25/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins URLTrigger Plugin"
}
GHSA-34WJ-P5JM-2P96
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2024-10-25 21:18python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.5"
},
"package": {
"ecosystem": "PyPI",
"name": "python-docx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-5851"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:44:36Z",
"nvd_published_at": "2016-12-21T22:59:00Z",
"severity": "HIGH"
},
"details": "python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.",
"id": "GHSA-34wj-p5jm-2p96",
"modified": "2024-10-25T21:18:53Z",
"published": "2022-05-13T01:06:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5851"
},
{
"type": "WEB",
"url": "https://github.com/python-openxml/python-docx/commit/61b40b161b64173ab8e362aec1fd197948431beb"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-34wj-p5jm-2p96"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/python-docx/PYSEC-2016-21.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-openxml/python-docx"
},
{
"type": "WEB",
"url": "https://github.com/python-openxml/python-docx/blob/v0.8.6/HISTORY.rst"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FFMOH7ZPOPQWNJGUZOS5LXX4MGNRXXT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XU2WSYRNB7CLBBFCGSX34XHACTA2SWDZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FFMOH7ZPOPQWNJGUZOS5LXX4MGNRXXT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XU2WSYRNB7CLBBFCGSX34XHACTA2SWDZ"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20170214030949/http://www.securityfocus.com/bid/91485"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/28/7"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/28/8"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91485"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Restriction of XML External Entity Reference in python-docx"
}
GHSA-353P-C73G-8FWC
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity.
{
"affected": [],
"aliases": [
"CVE-2021-27635"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T14:15:00Z",
"severity": "MODERATE"
},
"details": "SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation, this vulnerability enables attacker to fully compromise confidentiality by allowing them to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity.",
"id": "GHSA-353p-c73g-8fwc",
"modified": "2022-05-24T19:04:37Z",
"published": "2022-05-24T19:04:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27635"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3053066"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164592/SAP-JAVA-NetWeaver-System-Connections-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/28"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.