Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-5P52-J8PW-J7X5

Vulnerability from github – Published: 2018-12-19 19:24 – Updated: 2024-05-15 06:56
VLAI
Summary
Improper Restriction of XML External Entity Reference in bedework:bw-webdav
Details

Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bedework:bw-webdav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.1"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:16:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.",
  "id": "GHSA-5p52-j8pw-j7x5",
  "modified": "2024-05-15T06:56:33Z",
  "published": "2018-12-19T19:24:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20000"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Bedework/bw-webdav/pull/1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Bedework/bw-webdav"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Bedework/bw-webdav/compare/bw-webdav-4.0.2...bw-webdav-4.0.3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-5p52-j8pw-j7x5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in bedework:bw-webdav"
}

GHSA-5P7J-5G9R-9WJX

Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32
VLAI
Details

Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T20:17:08Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue does not require user interaction. Scope is changed.",
  "id": "GHSA-5p7j-5g9r-9wjx",
  "modified": "2026-07-14T21:32:20Z",
  "published": "2026-07-14T21:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48359"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5PGH-9CW4-W53H

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:39
VLAI
Details

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1057"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-14T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027.",
  "id": "GHSA-5pgh-9cw4-w53h",
  "modified": "2024-04-04T01:39:07Z",
  "published": "2022-05-24T16:53:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1057"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1057"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5PV4-G6J5-P5RV

Vulnerability from github – Published: 2022-05-14 03:33 – Updated: 2022-05-14 03:33
VLAI
Details

An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-15T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script.",
  "id": "GHSA-5pv4-g6j5-p5rv",
  "modified": "2022-05-14T03:33:42Z",
  "published": "2022-05-14T03:33:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6225"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/1119349"
    },
    {
      "type": "WEB",
      "url": "https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5PXW-MXGG-M48C

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-08 00:00
VLAI
Details

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter\u0027s value and searching for the AssertionConsumerServiceURL parameter\u0027s value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.",
  "id": "GHSA-5pxw-mxgg-m48c",
  "modified": "2022-07-08T00:00:46Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23170"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RQW-G4V8-6VXC

Vulnerability from github – Published: 2022-05-14 03:41 – Updated: 2022-05-14 03:41
VLAI
Details

Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-2393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-14T12:29:00Z",
    "severity": "HIGH"
  },
  "details": "Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.",
  "id": "GHSA-5rqw-g4v8-6vxc",
  "modified": "2022-05-14T03:41:07Z",
  "published": "2022-05-14T03:41:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2393"
    },
    {
      "type": "WEB",
      "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2525222"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5V3W-GV84-5CV3

Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2022-05-17 02:46
VLAI
Details

IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-05T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515.",
  "id": "GHSA-5v3w-gv84-5cv3",
  "modified": "2022-05-17T02:46:02Z",
  "published": "2022-05-17T02:46:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9691"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg21998014"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98338"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5V43-55M5-QR8F

Vulnerability from github – Published: 2022-05-17 03:06 – Updated: 2025-03-31 13:40
VLAI
Summary
getID3 is vulnerable to XML External Entity (XXE)
Details

getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "james-heinrich/getid3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-2053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:47:38Z",
    "nvd_published_at": "2014-06-04T14:55:00Z",
    "severity": "HIGH"
  },
  "details": "getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.",
  "id": "GHSA-5v43-55m5-qr8f",
  "modified": "2025-03-31T13:40:17Z",
  "published": "2022-05-17T03:06:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2053"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JamesHeinrich/getID3/commit/afbdaa044a9a0a9dff2f800bd670e231b3ec99b2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/james-heinrich/getid3/CVE-2014-2053.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/JamesHeinrich/getID3"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/news/2014/08/wordpress-3-9-2"
    },
    {
      "type": "WEB",
      "url": "http://getid3.sourceforge.net/source/changelog.txt"
    },
    {
      "type": "WEB",
      "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/58002"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-3001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "getID3 is vulnerable to XML External Entity (XXE)"
}

GHSA-5V8C-888F-WWXG

Vulnerability from github – Published: 2025-10-06 18:31 – Updated: 2025-10-06 18:31
VLAI
Details

A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-06T17:16:04Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo\u0026style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.",
  "id": "GHSA-5v8c-888f-wwxg",
  "modified": "2025-10-06T18:31:06Z",
  "published": "2025-10-06T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rookie1006/CVE/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.327226"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.327226"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.664613"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5W88-3V56-G4XC

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-12-06 21:30
VLAI
Details

IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-30T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Daeja ViewONE Professional, Standard \u0026 Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620.",
  "id": "GHSA-5w88-3v56-g4xc",
  "modified": "2022-12-06T21:30:44Z",
  "published": "2022-05-24T16:51:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4456"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/163620"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10959177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.