Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-R89J-VHG3-XW33

Vulnerability from github – Published: 2022-05-17 05:13 – Updated: 2024-02-15 21:31
VLAI
Details

The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-5656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-01-18T11:48:00Z",
    "severity": "LOW"
  },
  "details": "The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.",
  "id": "GHSA-r89j-vhg3-xw33",
  "modified": "2024-02-15T21:31:24Z",
  "published": "2022-05-17T05:13:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5656"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/inkscape/+bug/1025185"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.net/inkscape/+milestone/0.48.4"
    },
    {
      "type": "WEB",
      "url": "http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/11931"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-December/095024.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095380.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095398.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00041.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00043.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/12/20/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/56965"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1712-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8J4-96MX-RJCC

Vulnerability from github – Published: 2022-01-21 18:13 – Updated: 2022-02-24 18:37
VLAI
Summary
Improper Restriction of XML External Entity Reference in skylot/jadx
Details

skylot/jadx prior to 1.3.2 is vulnerable to Improper Restriction of XML External Entities when a user is tricked into exporting a malicious APK file (via the -e option) containing a crafted AndroidManifest.xml / strings.xml to gradle, leading to possible local file disclosure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.skylot:jadx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-21T16:54:58Z",
    "nvd_published_at": "2022-01-20T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "skylot/jadx prior to 1.3.2 is vulnerable to Improper Restriction of XML External Entities when a user is tricked into exporting a malicious APK file (via the -e option) containing a crafted AndroidManifest.xml / strings.xml to gradle, leading to possible local file disclosure.",
  "id": "GHSA-r8j4-96mx-rjcc",
  "modified": "2022-02-24T18:37:30Z",
  "published": "2022-01-21T18:13:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0219"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/skylot/jadx"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in skylot/jadx"
}

GHSA-R8Q6-PF72-X4JP

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:33
VLAI
Details

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-08T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault \u003c=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.",
  "id": "GHSA-r8q6-pf72-x4jp",
  "modified": "2024-04-04T00:33:41Z",
  "published": "2022-05-24T16:45:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7442"
    },
    {
      "type": "WEB",
      "url": "https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152801/CyberArk-Enterprise-Password-Vault-10.7-XML-External-Entity-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R96P-G9M9-MJP9

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-12T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of XML External Entity Reference in subsystem forIntel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access.",
  "id": "GHSA-r96p-g9m9-mjp9",
  "modified": "2022-05-24T17:33:56Z",
  "published": "2022-05-24T17:33:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24454"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00446"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RC57-9R3X-98CQ

Vulnerability from github – Published: 2022-06-17 00:01 – Updated: 2024-07-05 14:26
VLAI
Summary
XML External Entity Reference in drools
Details

drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.59.0.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.drools:drools-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.60.0.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T21:54:41Z",
    "nvd_published_at": "2022-06-16T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "drools \u003c=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
  "id": "GHSA-rc57-9r3x-98cq",
  "modified": "2024-07-05T14:26:30Z",
  "published": "2022-06-17T00:01:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41411"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/incubator-kie-drools/pull/3808"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kiegroup/drools"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference in drools"
}

GHSA-RC7F-GRWH-GQV6

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23
VLAI
Details

Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-26T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.",
  "id": "GHSA-rc7f-grwh-gqv6",
  "modified": "2024-04-04T01:23:15Z",
  "published": "2022-05-24T16:51:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10976"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-204-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RC9V-H28F-JCMF

Vulnerability from github – Published: 2018-10-17 19:56 – Updated: 2024-03-04 22:58
VLAI
Summary
There is a XML external entity expansion (XXE) vulnerability in Apache Solr config files
Details

This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.solr:solr-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.6.0"
            },
            {
              "fixed": "6.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.solr:solr-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-8010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:54:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr\u0027s ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.",
  "id": "GHSA-rc9v-h28f-jcmf",
  "modified": "2024-03-04T22:58:14Z",
  "published": "2018-10-17T19:56:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8010"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/lucene-solr/commit/4ba409e0ff3dc38aad88f7b7ad69a76325272b8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/lucene-solr/commit/6c4e45e28494d4d4d04fb89852d18c86fa3d5f8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/lucene-solr/commit/6d082d5743dee7e08a86b3f2ef03bc025112512"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/lucene-solr/commit/96f079b4b47eaadff65c7aaf0e5bafe68e30ec3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-rc9v-h28f-jcmf"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SOLR-12316"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104239"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "There is a XML external entity expansion (XXE) vulnerability in Apache Solr  config files"
}

GHSA-RCC6-6Q2F-M2CW

Vulnerability from github – Published: 2026-05-08 06:32 – Updated: 2026-05-14 13:05
VLAI
Summary
Alkacon OpenCms allows remote unauthenticated attackers to obtain sensitive information
Details

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencms:opencms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42344"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:05:13Z",
    "nvd_published_at": "2026-05-08T05:16:09Z",
    "severity": "HIGH"
  },
  "details": "Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.",
  "id": "GHSA-rcc6-6q2f-m2cw",
  "modified": "2026-05-14T13:05:13Z",
  "published": "2026-05-08T06:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42344"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectdiscovery/nuclei-templates/issues/8864"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alkacon/opencms-core"
    },
    {
      "type": "WEB",
      "url": "https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Alkacon OpenCms allows remote unauthenticated attackers to obtain sensitive information"
}

GHSA-RCFJ-PC73-HQV6

Vulnerability from github – Published: 2024-03-18 09:30 – Updated: 2024-08-01 15:31
VLAI
Details

Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T09:15:06Z",
    "severity": "MODERATE"
  },
  "details": "Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.",
  "id": "GHSA-rcfj-pc73-hqv6",
  "modified": "2024-08-01T15:31:33Z",
  "published": "2024-03-18T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28039"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unclebob/fitnesse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN94521208"
    },
    {
      "type": "WEB",
      "url": "http://fitnesse.org/FitNesseDownload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFFC-23Q6-2HQW

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:34
VLAI
Details

Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-25T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure.",
  "id": "GHSA-rffc-23q6-2hqw",
  "modified": "2024-04-04T02:34:59Z",
  "published": "2022-05-24T16:59:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8082"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.