CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-RFRV-RC39-GXFP
Vulnerability from github – Published: 2024-03-14 21:30 – Updated: 2024-03-14 21:30IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566.
{
"affected": [],
"aliases": [
"CVE-2024-27266"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T19:15:50Z",
"severity": "HIGH"
},
"details": "IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 284566.",
"id": "GHSA-rfrv-rc39-gxfp",
"modified": "2024-03-14T21:30:51Z",
"published": "2024-03-14T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27266"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/284566"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7141270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RFX9-VC4C-6RWM
Vulnerability from github – Published: 2023-09-21 21:31 – Updated: 2024-04-04 07:47An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.
{
"affected": [],
"aliases": [
"CVE-2023-38343"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-21T21:15:09Z",
"severity": "HIGH"
},
"details": "An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.",
"id": "GHSA-rfx9-vc4c-6rwm",
"modified": "2024-04-04T07:47:54Z",
"published": "2023-09-21T21:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38343"
},
{
"type": "WEB",
"url": "https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928"
},
{
"type": "WEB",
"url": "https://www.ivanti.com/releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RGCV-XPJ5-8X8F
Vulnerability from github – Published: 2024-05-15 18:30 – Updated: 2024-05-15 18:30An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing.
{
"affected": [],
"aliases": [
"CVE-2024-4357"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-15T17:15:15Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing.",
"id": "GHSA-rgcv-xpj5-8x8f",
"modified": "2024-05-15T18:30:35Z",
"published": "2024-05-15T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4357"
},
{
"type": "WEB",
"url": "https://docs.telerik.com/report-server/knowledge-base/xxe-vulnerability-cve-2024-4357"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RH2H-JQXG-H9F7
Vulnerability from github – Published: 2023-04-20 15:30 – Updated: 2024-04-04 03:36An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges cause a denial of service via the update_info field of the default.xml file.
{
"affected": [],
"aliases": [
"CVE-2023-27652"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-20T14:15:08Z",
"severity": "MODERATE"
},
"details": "An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges cause a denial of service via the update_info field of the _default_.xml file.",
"id": "GHSA-rh2h-jqxg-h9f7",
"modified": "2024-04-04T03:36:57Z",
"published": "2023-04-20T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27652"
},
{
"type": "WEB",
"url": "https://apkpure.com/cn/super-clean-phone-cleaner/com.egostudio.clean/download"
},
{
"type": "WEB",
"url": "https://github.com/LianKee/SODA/blob/main/CVEs/CVE-2023-27652/CVE%20detail.md"
},
{
"type": "WEB",
"url": "http://www.egostudiogroup.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RH3M-PR36-XH2F
Vulnerability from github – Published: 2023-01-07 21:30 – Updated: 2023-01-12 23:43A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file simplexrd/simplexrd.class.php. The manipulation leads to xml external entity reference. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 4c9f2e028523ed705b555eca2c18c64e71f1a35d. It is recommended to upgrade the affected component. VDB-217630 is the identifier assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "kelvinmo/simplexrd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-10029"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T23:43:29Z",
"nvd_published_at": "2023-01-07T20:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file `simplexrd/simplexrd.class.php`. The manipulation leads to xml external entity reference. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 4c9f2e028523ed705b555eca2c18c64e71f1a35d. It is recommended to upgrade the affected component. VDB-217630 is the identifier assigned to this vulnerability.",
"id": "GHSA-rh3m-pr36-xh2f",
"modified": "2023-01-12T23:43:29Z",
"published": "2023-01-07T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10029"
},
{
"type": "WEB",
"url": "https://github.com/kelvinmo/simplexrd/commit/4c9f2e028523ed705b555eca2c18c64e71f1a35d"
},
{
"type": "PACKAGE",
"url": "https://github.com/kelvinmo/simplexrd"
},
{
"type": "WEB",
"url": "https://github.com/kelvinmo/simplexrd/releases/tag/v3.1.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217630"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217630"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "kelvinmo simplexrd vulnerable to Improper Restriction of XML External Entity Reference"
}
GHSA-RH54-7QQ9-X5V8
Vulnerability from github – Published: 2024-09-16 15:32 – Updated: 2026-06-03 15:30Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.This issue affects ww.Winsure: before 4.6.2.
{
"affected": [],
"aliases": [
"CVE-2024-7098"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-16T15:15:17Z",
"severity": "CRITICAL"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.This issue affects ww.Winsure: before 4.6.2.",
"id": "GHSA-rh54-7qq9-x5v8",
"modified": "2026-06-03T15:30:34Z",
"published": "2024-09-16T15:32:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7098"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1475"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1475"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RHF7-MR7Q-7P9F
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.
{
"affected": [],
"aliases": [
"CVE-2019-10264"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-26T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the \"Move / Import / Export Users\" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.",
"id": "GHSA-rhf7-mr7q-7p9f",
"modified": "2024-04-04T01:23:07Z",
"published": "2022-05-24T16:51:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10264"
},
{
"type": "WEB",
"url": "https://www.wbsec.nl/ahsay"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RHG3-7WM6-R85W
Vulnerability from github – Published: 2026-07-10 15:31 – Updated: 2026-07-10 15:31Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2026-54470"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T13:16:20Z",
"severity": "MODERATE"
},
"details": "Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.",
"id": "GHSA-rhg3-7wm6-r85w",
"modified": "2026-07-10T15:31:39Z",
"published": "2026-07-10T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54470"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000483543/dsa-2026-272-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtualappliance-dell-unisphere-360-dell-solutionsenabler-and-dell-solutionsenabler-virtualappliance-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RHH7-FXCJ-GR67
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:59In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
{
"affected": [],
"aliases": [
"CVE-2018-15506"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-19T17:15:00Z",
"severity": "CRITICAL"
},
"details": "In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.",
"id": "GHSA-rhh7-fxcj-gr67",
"modified": "2024-04-04T00:59:44Z",
"published": "2022-05-24T16:48:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15506"
},
{
"type": "WEB",
"url": "https://www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RHJH-RPHP-W26X
Vulnerability from github – Published: 2022-05-17 03:35 – Updated: 2022-05-17 03:35IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [],
"aliases": [
"CVE-2016-3055"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-01T11:59:00Z",
"severity": "HIGH"
},
"details": "IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-rhjh-rphp-w26x",
"modified": "2022-05-17T03:35:35Z",
"published": "2022-05-17T03:35:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3055"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21987128"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.