CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-59F8-2GF3-79Q3
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:35An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).
{
"affected": [],
"aliases": [
"CVE-2019-13176"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-08T14:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).",
"id": "GHSA-59f8-2gf3-79q3",
"modified": "2024-04-04T01:35:23Z",
"published": "2022-05-24T16:52:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13176"
},
{
"type": "WEB",
"url": "https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59QF-VRM9-Q977
Vulnerability from github – Published: 2025-11-17 18:30 – Updated: 2025-11-17 21:31PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.
{
"affected": [],
"aliases": [
"CVE-2025-63917"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-17T17:15:51Z",
"severity": "HIGH"
},
"details": "PDFPatcher thru 1.1.3.4663 executable\u0027s XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET\u0027s XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim\u0027s filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.",
"id": "GHSA-59qf-vrm9-q977",
"modified": "2025-11-17T21:31:24Z",
"published": "2025-11-17T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63917"
},
{
"type": "WEB",
"url": "https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/XXE-Importers.md"
},
{
"type": "WEB",
"url": "https://github.com/wmjordan/PDFPatcher"
},
{
"type": "WEB",
"url": "https://www.cnblogs.com/pdfpatcher"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-59R4-VR3M-3RRH
Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.
{
"affected": [],
"aliases": [
"CVE-2018-1000616"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T20:29:00Z",
"severity": "CRITICAL"
},
"details": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.",
"id": "GHSA-59r4-vr3m-3rrh",
"modified": "2022-05-14T03:01:32Z",
"published": "2022-05-14T03:01:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000616"
},
{
"type": "WEB",
"url": "https://gerrit.onosproject.org/#/c/18894"
},
{
"type": "WEB",
"url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5C28-8WW8-7QF3
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2024-04-04 05:43A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user.
{
"affected": [],
"aliases": [
"CVE-2023-2161"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-16T05:15:09Z",
"severity": "MODERATE"
},
"details": "\nA CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that\ncould cause unauthorized read access to the file system when a malicious configuration file is\nloaded on to the software by a local user.\u00a0",
"id": "GHSA-5c28-8ww8-7qf3",
"modified": "2024-04-04T05:43:21Z",
"published": "2023-07-06T21:14:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2161"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-129-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-129-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5C5Q-XJ8P-HRG3
Vulnerability from github – Published: 2023-03-24 18:30 – Updated: 2025-05-30 18:30An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.
{
"affected": [],
"aliases": [
"CVE-2023-28152"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T16:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.",
"id": "GHSA-5c5q-xj8p-hrg3",
"modified": "2025-05-30T18:30:46Z",
"published": "2023-03-24T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28152"
},
{
"type": "WEB",
"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2023-28152"
},
{
"type": "WEB",
"url": "https://excellium-services.com/cert-xlm-advisory/CVE-2023-28152"
},
{
"type": "WEB",
"url": "https://www.independentsoft.de/jword/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CJW-7JCV-34JX
Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.
{
"affected": [],
"aliases": [
"CVE-2018-20233"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-18T21:29:00Z",
"severity": "MODERATE"
},
"details": "The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.",
"id": "GHSA-5cjw-7jcv-34jx",
"modified": "2022-05-14T01:36:14Z",
"published": "2022-05-14T01:36:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20233"
},
{
"type": "WEB",
"url": "https://ecosystem.atlassian.net/browse/UPM-5964"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106661"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CR4-4CRM-RRP5
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software.
{
"affected": [],
"aliases": [
"CVE-2021-32972"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-09T11:15:00Z",
"severity": "MODERATE"
},
"details": "Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software.",
"id": "GHSA-5cr4-4crm-rrp5",
"modified": "2022-05-24T19:07:22Z",
"published": "2022-05-24T19:07:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32972"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5FJ4-9H5F-W6XG
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147630.
{
"affected": [],
"aliases": [
"CVE-2018-1727"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-15T20:29:00Z",
"severity": "CRITICAL"
},
"details": "IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147630.",
"id": "GHSA-5fj4-9h5f-w6xg",
"modified": "2022-05-13T01:32:55Z",
"published": "2022-05-13T01:32:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1727"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/147630"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10718887"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5G9G-W9X5-3RFC
Vulnerability from github – Published: 2022-05-14 01:21 – Updated: 2022-05-14 01:21SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.
{
"affected": [],
"aliases": [
"CVE-2019-0265"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-15T18:29:00Z",
"severity": "MODERATE"
},
"details": "SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.",
"id": "GHSA-5g9g-w9x5-3rfc",
"modified": "2022-05-14T01:21:26Z",
"published": "2022-05-14T01:21:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0265"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2729710"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106972"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GWH-R76W-934H
Vulnerability from github – Published: 2024-01-09 09:30 – Updated: 2024-01-09 19:26Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.11"
},
"package": {
"ecosystem": "Maven",
"name": "com.qualys.plugins:qualys-was"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-6149"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-09T19:26:01Z",
"nvd_published_at": "2024-01-09T09:15:42Z",
"severity": "MODERATE"
},
"details": "Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data",
"id": "GHSA-5gwh-r76w-934h",
"modified": "2024-01-09T19:26:01Z",
"published": "2024-01-09T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6149"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/qualys-was-plugin/commit/b4eeb34747fa1b934abbdf686102f6495fdb02ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/qualys-was-plugin"
},
{
"type": "WEB",
"url": "https://www.qualys.com/security-advisories"
},
{
"type": "WEB",
"url": "https://www.qualys.com/security-advisories/cve-2023-6149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Qualys Jenkins Plugin for WAS XML External Entity vulnerability"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.