Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-RFRV-RC39-GXFP

Vulnerability from github – Published: 2024-03-14 21:30 – Updated: 2024-03-14 21:30
VLAI
Details

IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-14T19:15:50Z",
    "severity": "HIGH"
  },
  "details": "IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.  IBM X-Force ID:  284566.",
  "id": "GHSA-rfrv-rc39-gxfp",
  "modified": "2024-03-14T21:30:51Z",
  "published": "2024-03-14T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27266"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/284566"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7141270"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFX9-VC4C-6RWM

Vulnerability from github – Published: 2023-09-21 21:31 – Updated: 2024-04-04 07:47
VLAI
Details

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-21T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.",
  "id": "GHSA-rfx9-vc4c-6rwm",
  "modified": "2024-04-04T07:47:54Z",
  "published": "2023-09-21T21:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38343"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928"
    },
    {
      "type": "WEB",
      "url": "https://www.ivanti.com/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RGCV-XPJ5-8X8F

Vulnerability from github – Published: 2024-05-15 18:30 – Updated: 2024-05-15 18:30
VLAI
Details

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-15T17:15:15Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing.",
  "id": "GHSA-rgcv-xpj5-8x8f",
  "modified": "2024-05-15T18:30:35Z",
  "published": "2024-05-15T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4357"
    },
    {
      "type": "WEB",
      "url": "https://docs.telerik.com/report-server/knowledge-base/xxe-vulnerability-cve-2024-4357"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RH2H-JQXG-H9F7

Vulnerability from github – Published: 2023-04-20 15:30 – Updated: 2024-04-04 03:36
VLAI
Details

An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges cause a denial of service via the update_info field of the default.xml file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-20T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges cause a denial of service via the update_info field of the _default_.xml file.",
  "id": "GHSA-rh2h-jqxg-h9f7",
  "modified": "2024-04-04T03:36:57Z",
  "published": "2023-04-20T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27652"
    },
    {
      "type": "WEB",
      "url": "https://apkpure.com/cn/super-clean-phone-cleaner/com.egostudio.clean/download"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LianKee/SODA/blob/main/CVEs/CVE-2023-27652/CVE%20detail.md"
    },
    {
      "type": "WEB",
      "url": "http://www.egostudiogroup.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RH3M-PR36-XH2F

Vulnerability from github – Published: 2023-01-07 21:30 – Updated: 2023-01-12 23:43
VLAI
Summary
kelvinmo simplexrd vulnerable to Improper Restriction of XML External Entity Reference
Details

A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file simplexrd/simplexrd.class.php. The manipulation leads to xml external entity reference. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 4c9f2e028523ed705b555eca2c18c64e71f1a35d. It is recommended to upgrade the affected component. VDB-217630 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "kelvinmo/simplexrd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-10029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T23:43:29Z",
    "nvd_published_at": "2023-01-07T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file `simplexrd/simplexrd.class.php`. The manipulation leads to xml external entity reference. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 4c9f2e028523ed705b555eca2c18c64e71f1a35d. It is recommended to upgrade the affected component. VDB-217630 is the identifier assigned to this vulnerability.",
  "id": "GHSA-rh3m-pr36-xh2f",
  "modified": "2023-01-12T23:43:29Z",
  "published": "2023-01-07T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10029"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kelvinmo/simplexrd/commit/4c9f2e028523ed705b555eca2c18c64e71f1a35d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kelvinmo/simplexrd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kelvinmo/simplexrd/releases/tag/v3.1.1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217630"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217630"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "kelvinmo simplexrd vulnerable to Improper Restriction of XML External Entity Reference"
}

GHSA-RH54-7QQ9-X5V8

Vulnerability from github – Published: 2024-09-16 15:32 – Updated: 2026-06-03 15:30
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.This issue affects ww.Winsure: before 4.6.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-16T15:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.This issue affects ww.Winsure: before 4.6.2.",
  "id": "GHSA-rh54-7qq9-x5v8",
  "modified": "2026-06-03T15:30:34Z",
  "published": "2024-09-16T15:32:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7098"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1475"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-1475"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RHF7-MR7Q-7P9F

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23
VLAI
Details

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-26T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the \"Move / Import / Export Users\" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.",
  "id": "GHSA-rhf7-mr7q-7p9f",
  "modified": "2024-04-04T01:23:07Z",
  "published": "2022-05-24T16:51:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10264"
    },
    {
      "type": "WEB",
      "url": "https://www.wbsec.nl/ahsay"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHG3-7WM6-R85W

Vulnerability from github – Published: 2026-07-10 15:31 – Updated: 2026-07-10 15:31
VLAI
Details

Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T13:16:20Z",
    "severity": "MODERATE"
  },
  "details": "Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.",
  "id": "GHSA-rhg3-7wm6-r85w",
  "modified": "2026-07-10T15:31:39Z",
  "published": "2026-07-10T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54470"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000483543/dsa-2026-272-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtualappliance-dell-unisphere-360-dell-solutionsenabler-and-dell-solutionsenabler-virtualappliance-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHH7-FXCJ-GR67

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:59
VLAI
Details

In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-19T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.",
  "id": "GHSA-rhh7-fxcj-gr67",
  "modified": "2024-04-04T00:59:44Z",
  "published": "2022-05-24T16:48:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15506"
    },
    {
      "type": "WEB",
      "url": "https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHJH-RPHP-W26X

Vulnerability from github – Published: 2022-05-17 03:35 – Updated: 2022-05-17 03:35
VLAI
Details

IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-01T11:59:00Z",
    "severity": "HIGH"
  },
  "details": "IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
  "id": "GHSA-rhjh-rphp-w26x",
  "modified": "2022-05-17T03:35:35Z",
  "published": "2022-05-17T03:35:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3055"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21987128"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.