Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1692 vulnerabilities reference this CWE, most recent first.

GHSA-PJ74-PF28-5QJW

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2025-10-22 00:31
VLAI
Details

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-29T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.",
  "id": "GHSA-pj74-pf28-5qjw",
  "modified": "2025-10-22T00:31:41Z",
  "published": "2022-05-24T16:46:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9670"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.zimbra.com/show_bug.cgi?id=109129"
    },
    {
      "type": "WEB",
      "url": "https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9670"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46693"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html"
    },
    {
      "type": "WEB",
      "url": "http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJCH-4G28-FXX7

Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-24 20:58
VLAI
Summary
External Entity Reference in TwelveMonkeys ImageIO
Details

The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.twelvemonkeys.imageio:imageio-metadata"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-24T20:58:43Z",
    "nvd_published_at": "2022-05-06T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.",
  "id": "GHSA-pjch-4g28-fxx7",
  "modified": "2022-05-24T20:58:43Z",
  "published": "2022-05-07T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23792"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haraldk/TwelveMonkeys"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "External Entity Reference in TwelveMonkeys ImageIO"
}

GHSA-PJMC-XJQ4-H7JM

Vulnerability from github – Published: 2022-05-17 02:47 – Updated: 2022-05-17 02:47
VLAI
Details

WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-22T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.",
  "id": "GHSA-pjmc-xjq4-h7jm",
  "modified": "2022-05-17T02:47:51Z",
  "published": "2022-05-17T02:47:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8056"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html"
    },
    {
      "type": "WEB",
      "url": "http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000KlBSAU"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJP4-RRP6-VQR7

Vulnerability from github – Published: 2022-05-17 03:35 – Updated: 2022-05-17 03:35
VLAI
Details

IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-01T11:59:00Z",
    "severity": "HIGH"
  },
  "details": "IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
  "id": "GHSA-pjp4-rrp6-vqr7",
  "modified": "2022-05-17T03:35:31Z",
  "published": "2022-05-17T03:35:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3033"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21987326"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92388"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMQQ-7WFV-JFFF

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2023-09-26 11:39
VLAI
Summary
Apache POI's XLSX2CSV Example XML External Entity (XXE) Vulnerability
Details

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.poi:poi-examples"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-5000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:53:05Z",
    "nvd_published_at": "2016-08-05T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
  "id": "GHSA-pmqq-7wfv-jfff",
  "modified": "2023-09-26T11:39:10Z",
  "published": "2022-05-13T01:14:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5000"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/list.html?user@poi.apache.org"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache POI\u0027s XLSX2CSV Example XML External Entity (XXE) Vulnerability"
}

GHSA-PP2F-3WRG-GX2G

Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47
VLAI
Details

IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-10T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.",
  "id": "GHSA-pp2f-3wrg-gx2g",
  "modified": "2022-05-14T03:47:11Z",
  "published": "2022-05-14T03:47:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1192"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/123663"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22004267"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102864"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP98-436H-9QGG

Vulnerability from github – Published: 2023-04-26 21:30 – Updated: 2024-04-04 03:42
VLAI
Details

HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-26T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.\n",
  "id": "GHSA-pp98-436h-9qgg",
  "modified": "2024-04-04T03:42:17Z",
  "published": "2023-04-26T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28008"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0104371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPV9-V43C-XQPP

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2023-10-27 16:08
VLAI
Summary
XXE vulnerability in Jenkins pom2config Plugin
Details

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:pom2config"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-15T16:42:36Z",
    "nvd_published_at": "2021-11-12T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-ppv9-v43c-xqpp",
  "modified": "2023-10-27T16:08:37Z",
  "published": "2022-05-24T19:20:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43576"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/pom2config-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2415"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1314"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/11/12/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins pom2config Plugin"
}

GHSA-PQG2-Q88Q-5H4P

Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2025-10-22 00:31
VLAI
Details

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-11-23T02:59:00Z",
    "severity": "MODERATE"
  },
  "details": "BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.",
  "id": "GHSA-pqg2-q88q-5h4p",
  "modified": "2025-10-22T00:31:17Z",
  "published": "2022-04-30T00:02:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9563"
    },
    {
      "type": "WEB",
      "url": "https://erpscan.io/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2296909"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-9563"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92419"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR38-7Q66-HQQH

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2025-03-24 21:30
VLAI
Details

Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.",
  "id": "GHSA-pr38-7q66-hqqh",
  "modified": "2025-03-24T21:30:27Z",
  "published": "2023-02-09T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blakduk/Advisories/blob/main/Mojoportal/README.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/i7MEDIA/mojoportal"
    },
    {
      "type": "WEB",
      "url": "https://www.mojoportal.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.