Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-5H3X-3X9G-9C2M

Vulnerability from github – Published: 2024-10-16 18:31 – Updated: 2024-10-21 15:32
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.This issue affects OpenText Application Automation Tools: 24.1.0 and below.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-16T17:15:17Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.This issue affects OpenText Application Automation Tools: 24.1.0 and below.",
  "id": "GHSA-5h3x-3x9g-9c2m",
  "modified": "2024-10-21T15:32:26Z",
  "published": "2024-10-16T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4189"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000033547?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5H9G-8XCV-QJQ9

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-06-21 20:11
VLAI
Summary
Improper Restriction of XML External Entity Reference in Stanford CoreNLP
Details

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "edu.stanford.nlp:stanford-corenlp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-21T20:11:43Z",
    "nvd_published_at": "2021-10-15T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference",
  "id": "GHSA-5h9g-8xcv-qjq9",
  "modified": "2022-06-21T20:11:43Z",
  "published": "2022-05-24T19:17:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stanfordnlp/CoreNLP"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Stanford CoreNLP"
}

GHSA-5HG8-R9VQ-GJQP

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-07-01 11:57
VLAI
Summary
Improper Restriction of XML External Entity Reference in Apache FOP
Details

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.xmlgraphics:fop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T11:57:29Z",
    "nvd_published_at": "2017-04-18T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",
  "id": "GHSA-5hg8-r9vq-gjqp",
  "modified": "2022-07-01T11:57:29Z",
  "published": "2022-05-13T01:07:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5661"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2021-14"
    },
    {
      "type": "WEB",
      "url": "https://xmlgraphics.apache.org/security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3864"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97947"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Apache FOP"
}

GHSA-5HQF-7QHR-WQC3

Vulnerability from github – Published: 2025-03-21 21:31 – Updated: 2025-03-21 21:31
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-21T20:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).",
  "id": "GHSA-5hqf-7qhr-wqc3",
  "modified": "2025-03-21T21:31:39Z",
  "published": "2025-03-21T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25036"
    },
    {
      "type": "WEB",
      "url": "https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19"
    },
    {
      "type": "WEB",
      "url": "https://issues.jalios.com/browse/JCMS-11250"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/jalios-jplatform-xxe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J2H-5MQ2-6HQM

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

LG Simple Editor copyContent XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the copyContent command. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-20005.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:25Z",
    "severity": "HIGH"
  },
  "details": "LG Simple Editor copyContent XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the copyContent command. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-20005.",
  "id": "GHSA-5j2h-5mq2-6hqm",
  "modified": "2024-05-03T03:30:59Z",
  "published": "2024-05-03T03:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40506"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1210"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5M48-VR54-VMH3

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2025-06-19 17:08
VLAI
Summary
jersey: XXE via parameter entities
Details

jersey: XXE via parameter entities not disabled by the jersey SAX parser

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.sun.jersey:jersey-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-3643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-19T17:08:27Z",
    "nvd_published_at": "2019-12-15T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "jersey: XXE via parameter entities not disabled by the jersey SAX parser",
  "id": "GHSA-5m48-vr54-vmh3",
  "modified": "2025-06-19T17:08:27Z",
  "published": "2022-05-17T19:57:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javaee/jersey-1.x/commit/49f1e5a6ac608ccb51939205e4739f328f2223e6"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2014-3643"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3643"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/javaee/jersey-1.x"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sourceclear.com/vulnerability-database/security/xml-external-entity-xxe/java/sid-22175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jersey: XXE via parameter entities"
}

GHSA-5M93-GW9J-97FF

Vulnerability from github – Published: 2022-12-19 00:30 – Updated: 2022-12-22 21:30
VLAI
Details

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.1. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.3.0 is able to address this issue. The name of the patch is 246f4e2a97ad81491c00a7ed72ce5e7c7f75050a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216215.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-18T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.1. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.3.0 is able to address this issue. The name of the patch is 246f4e2a97ad81491c00a7ed72ce5e7c7f75050a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216215.",
  "id": "GHSA-5m93-gw9j-97ff",
  "modified": "2022-12-22T21:30:31Z",
  "published": "2022-12-19T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4607"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/pull/12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/commit/246f4e2a97ad81491c00a7ed72ce5e7c7f75050a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/releases/tag/v5.2.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/releases/tag/v5.3.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216215"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MQH-P682-WF6C

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-17 00:01
VLAI
Details

Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victims machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-10T17:45:00Z",
    "severity": "CRITICAL"
  },
  "details": "Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victims machine.",
  "id": "GHSA-5mqh-p682-wf6c",
  "modified": "2022-03-17T00:01:30Z",
  "published": "2022-03-11T00:02:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22795"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MVV-G3G9-G2PC

Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28
VLAI
Details

There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-23T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.",
  "id": "GHSA-5mvv-g3g9-g2pc",
  "modified": "2022-05-13T01:28:46Z",
  "published": "2022-05-13T01:28:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10653"
    },
    {
      "type": "WEB",
      "url": "https://support.citrix.com/article/CTX234879"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/156037/Citrix-XenMobile-Server-10.8-XML-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MWF-GCW7-JRPC

Vulnerability from github – Published: 2022-05-14 01:52 – Updated: 2022-05-14 01:52
VLAI
Details

An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-26T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue.",
  "id": "GHSA-5mwf-gcw7-jrpc",
  "modified": "2022-05-14T01:52:51Z",
  "published": "2022-05-14T01:52:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18659"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/152033"
    },
    {
      "type": "WEB",
      "url": "https://support.arcserve.com/s/article/360001392563?language=en_US"
    },
    {
      "type": "WEB",
      "url": "https://support.arcserve.com/s/article/Security-vulnerabilities-with-Arcserve-UDP-and-fixes-for-them?language=en_US"
    },
    {
      "type": "WEB",
      "url": "https://www.digitaldefense.com/blog/zero-day-alerts/arcserve-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.