Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-GQ6V-PRPP-39JV

Vulnerability from github – Published: 2022-05-17 02:14 – Updated: 2022-05-17 02:14
VLAI
Details

XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and IBM Sterling File Gateway 2.1 and 2.2 allows remote attackers to read arbitrary files via a crafted XML data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-0194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-02T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator 5.1 and 5.2 and IBM Sterling File Gateway 2.1 and 2.2 allows remote attackers to read arbitrary files via a crafted XML data.",
  "id": "GHSA-gq6v-prpp-39jv",
  "modified": "2022-05-17T02:14:02Z",
  "published": "2022-05-17T02:14:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0194"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IT06733"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21699482"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/73401"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQGV-2GP3-QQP3

Vulnerability from github – Published: 2022-05-14 03:00 – Updated: 2023-07-25 00:03
VLAI
Summary
WeChat Pay Java SDK allows XXE
Details

WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.github.wxpay:wxpay-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-13439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T00:03:32Z",
    "nvd_published_at": "2018-07-08T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL.",
  "id": "GHSA-gqgv-2gp3-qqp3",
  "modified": "2023-07-25T00:03:32Z",
  "published": "2022-05-14T03:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13439"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mixzxu/wxpay-sdk"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/148390/WeChat-Pay-SDK-XXE-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WeChat Pay Java SDK allows XXE"
}

GHSA-GR3C-Q7XF-47VH

Vulnerability from github – Published: 2024-11-08 18:49 – Updated: 2024-11-12 19:23
VLAI
Summary
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
Details

Summary

XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.

Details

This is related to https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf, in which its fix ( https://github.com/hapifhir/org.hl7.fhir.core/issues/1571, https://github.com/hapifhir/org.hl7.fhir.core/pull/1717) was incomplete.

References

https://cwe.mitre.org/data/definitions/611.html https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-08T18:49:15Z",
    "nvd_published_at": "2024-11-08T23:15:04Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nXSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( \u003c!DOCTYPE foo [\u003c!ENTITY example SYSTEM \"/etc/passwd\"\u003e ]\u003e could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.\n\n### Details\nThis is related to https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf, in which its fix ( https://github.com/hapifhir/org.hl7.fhir.core/issues/1571, https://github.com/hapifhir/org.hl7.fhir.core/pull/1717) was incomplete. \n\n### References\nhttps://cwe.mitre.org/data/definitions/611.html\nhttps://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j",
  "id": "GHSA-gr3c-q7xf-47vh",
  "modified": "2024-11-12T19:23:17Z",
  "published": "2024-11-08T18:49:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52007"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core/issues/1571"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1717"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/611.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`"
}

GHSA-GRWW-C6M5-QQ98

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI
Details

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-28T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.",
  "id": "GHSA-grww-c6m5-qq98",
  "modified": "2022-05-24T17:49:05Z",
  "published": "2022-05-24T17:49:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25164"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-010.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GV5F-2GXW-3XR9

Vulnerability from github – Published: 2023-12-19 15:30 – Updated: 2023-12-19 15:30
VLAI
Details

An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet for an attacker to retrieve files by making HTTP requests to the internal network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-19T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. This vulnerability allows the use of external entities in its WebProcessingService servlet for an attacker to retrieve files by making HTTP requests to the internal network.",
  "id": "GHSA-gv5f-2gxw-3xr9",
  "modified": "2023-12-19T15:30:30Z",
  "published": "2023-12-19T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6280"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/xml-external-entity-reference-52north-wps"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GVJJ-R993-7FV3

Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00
VLAI
Details

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-01T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571.",
  "id": "GHSA-gvjj-r993-7fv3",
  "modified": "2022-09-08T00:00:33Z",
  "published": "2022-09-02T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36773"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233571"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221014-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6615285"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GW3G-MV3W-862X

Vulnerability from github – Published: 2022-05-14 01:37 – Updated: 2022-05-14 01:37
VLAI
Details

BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-17T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE.",
  "id": "GHSA-gw3g-mv3w-862x",
  "modified": "2022-05-14T01:37:22Z",
  "published": "2022-05-14T01:37:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20733"
    },
    {
      "type": "WEB",
      "url": "http://support.sas.com/kb/62/987.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GX4F-976G-7G6V

Vulnerability from github – Published: 2023-03-08 17:19 – Updated: 2023-03-08 17:19
VLAI
Summary
XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference
Details

Impact

Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.

Example to reproduce: * Create a forget XAR file and inside it, have the following package.xml content: ```xml

]>

&xxe; &xxe; Helper pages for creating and listing Class/Template/Sheets XWiki.Admin ... `` * Upload it onto a wiki page (e.g.XXE) as an attachment (e.g.test.xar). * Call the page usinghttp://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar`

You'll then notice that the displayed UI contains the content of the /etc/passwd file.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.

Workarounds

You'd need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).

References

  • https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
  • https://jira.xwiki.org/browse/XWIKI-20320

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-xar-model"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1-milestone-3"
            },
            {
              "fixed": "13.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-xar-model"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0"
            },
            {
              "fixed": "14.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-xar-model"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.10-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-08T17:19:30Z",
    "nvd_published_at": "2023-03-07T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAny user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.\n\nExample to reproduce:\n* Create a forget XAR file and inside it, have the following `package.xml` content:\n  ```xml\n  \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n  \u003c!DOCTYPE foo [ \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e ]\u003e\n\n  \u003cpackage\u003e\n  \u003cinfos\u003e\n  \u003cname\u003e\u0026xxe;\u003c/name\u003e\n  \u003cdescription\u003e \u0026xxe; Helper pages for creating and listing Class/Template/Sheets\u003c/description\u003e\n  \u003clicence\u003e\u003c/licence\u003e\n  \u003cauthor\u003eXWiki.Admin\u003c/author\u003e\n  ...\n  ```\n* Upload it onto a wiki page (e.g. `XXE`) as an attachment (e.g. `test.xar`).\n* Call the page using `http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet\u0026file=test.xar`\n\nYou\u0027ll then notice that the displayed UI contains the content of the `/etc/passwd` file.\n\n### Patches\nThe vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.\n\n### Workarounds\nYou\u0027d need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the `XarPackage` java class and then copy the modified version to your `WEB-INF/classes` directory (or rebuild the `xwiki-platform-xar-model` maven module and replace the one found in `WEB-INF/lib/`).\n\n### References\n* https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434\n* https://jira.xwiki.org/browse/XWIKI-20320\n\n### For more information\nIf you have any questions or comments about this advisory:\n*    Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n*    Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
  "id": "GHSA-gx4f-976g-7g6v",
  "modified": "2023-03-08T17:19:30Z",
  "published": "2023-03-08T17:19:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx4f-976g-7g6v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20320"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference"
}

GHSA-GXGF-5573-5Q84

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-05T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data.",
  "id": "GHSA-gxgf-5573-5q84",
  "modified": "2022-05-13T01:12:18Z",
  "published": "2022-05-13T01:12:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16792"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2018/Dec/0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GXP6-8FP7-592P

Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42
VLAI
Details

XR3Player version <= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XR3Player version \u003c= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.",
  "id": "GHSA-gxp6-8fp7-592p",
  "modified": "2022-05-14T01:42:24Z",
  "published": "2022-05-14T01:42:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000830"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goxr3plus/XR3Player/issues/9"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/10/28/xr3player-XXE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.