Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-XV2G-H4P5-M8RQ

Vulnerability from github – Published: 2022-05-14 01:15 – Updated: 2022-05-14 01:15
VLAI
Details

Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka "Windows System Information Console Information Disclosure Vulnerability".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-11T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML input containing a reference to an external entity, aka \"Windows System Information Console Information Disclosure Vulnerability\".",
  "id": "GHSA-xv2g-h4p5-m8rq",
  "modified": "2022-05-14T01:15:21Z",
  "published": "2022-05-14T01:15:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8557"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8557"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99387"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99398"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038855"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVHF-Q744-5XM8

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-14 05:26
VLAI
Summary
XXE vulnerability in NUnit Plugin
Details

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:nunit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-14T05:26:14Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.\n\nNUnit Plugin 0.26 disables external entity processing for its XML parser.",
  "id": "GHSA-xvhf-q744-5xm8",
  "modified": "2023-01-14T05:26:14Z",
  "published": "2022-05-24T17:08:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/nunit-plugin/commit/8f0b6a7b6a927c4b7003fdcd76862a3348b8205a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/nunit-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1752"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in NUnit Plugin"
}

GHSA-XVM2-9XVC-HX7F

Vulnerability from github – Published: 2022-03-02 21:30 – Updated: 2022-03-10 15:48
VLAI
Summary
Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer
Details

Impact

Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.

Patches

Upgrade to version 2.1.0.

Workarounds

No known workaround.

References

https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73

For more information

If you have any questions or comments about this advisory: * Open an issue in monitorjbl/excel-streaming-reader

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.monitorjbl:xlsx-streamer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-02T21:30:54Z",
    "nvd_published_at": "2022-03-02T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nPrior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.\n\n### Patches\nUpgrade to version 2.1.0.\n\n### Workarounds\nNo known workaround.\n\n### References\nhttps://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [monitorjbl/excel-streaming-reader](https://github.com/monitorjbl/excel-streaming-reader)\n\n",
  "id": "GHSA-xvm2-9xvc-hx7f",
  "modified": "2022-03-10T15:48:44Z",
  "published": "2022-03-02T21:30:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/monitorjbl/excel-streaming-reader/security/advisories/GHSA-xvm2-9xvc-hx7f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23640"
    },
    {
      "type": "WEB",
      "url": "https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/monitorjbl/excel-streaming-reader"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer"
}

GHSA-XVV2-CW9Q-2M9R

Vulnerability from github – Published: 2022-07-20 00:00 – Updated: 2022-07-28 00:00
VLAI
Details

Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-19T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.",
  "id": "GHSA-xvv2-cw9q-2m9r",
  "modified": "2022-07-28T00:00:43Z",
  "published": "2022-07-20T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34001"
    },
    {
      "type": "WEB",
      "url": "https://prisminfosec.com/cve-2022-34001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVW8-MQG6-CCHX

Vulnerability from github – Published: 2025-03-07 18:31 – Updated: 2025-03-07 18:31
VLAI
Details

IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-07T17:15:21Z",
    "severity": "HIGH"
  },
  "details": "IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-xvw8-mqg6-cchx",
  "modified": "2025-03-07T18:31:06Z",
  "published": "2025-03-07T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0162"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7185096"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XW5H-CMH3-8J6J

Vulnerability from github – Published: 2026-06-12 12:31 – Updated: 2026-07-10 12:31
VLAI
Details

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T10:16:22Z",
    "severity": "CRITICAL"
  },
  "details": "Apache CXF\u0027s EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) \nexternal entity resolution.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.",
  "id": "GHSA-xw5h-cmh3-8j6j",
  "modified": "2026-07-10T12:31:37Z",
  "published": "2026-06-12T12:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49875"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36839"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37390"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-49875"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488309"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49875.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/11/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWQQ-PCG2-PPHR

Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-05-18 00:31
VLAI
Details

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T07:16:36Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.",
  "id": "GHSA-xwqq-pcg2-pphr",
  "modified": "2026-05-18T00:31:35Z",
  "published": "2026-04-30T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39847"
    },
    {
      "type": "WEB",
      "url": "https://4d.com"
    },
    {
      "type": "WEB",
      "url": "https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2026/May/0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XX66-M4R3-R5VF

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
VLAI
Details

An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-09T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6.",
  "id": "GHSA-xx66-m4r3-r5vf",
  "modified": "2022-05-24T19:07:22Z",
  "published": "2022-05-24T19:07:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30201"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2021-30201"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    },
    {
      "type": "WEB",
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX6G-8FH5-HQ6C

Vulnerability from github – Published: 2024-10-09 09:31 – Updated: 2024-10-09 09:31
VLAI
Details

Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-09T07:15:09Z",
    "severity": "LOW"
  },
  "details": "Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.",
  "id": "GHSA-xx6g-8fh5-hq6c",
  "modified": "2024-10-09T09:31:35Z",
  "published": "2024-10-09T09:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39586"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX7G-F287-F9FQ

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2023-10-27 11:34
VLAI
Summary
XXE vulnerability in Jenkins Liquibase Runner Plugin
Details

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Liquibase Runner Plugin 1.4.7 no longer parses Liquibase changesets.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:liquibase-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T23:52:27Z",
    "nvd_published_at": "2020-09-23T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Liquibase Runner Plugin 1.4.7 no longer parses Liquibase changesets.",
  "id": "GHSA-xx7g-f287-f9fq",
  "modified": "2023-10-27T11:34:49Z",
  "published": "2022-05-24T17:29:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2284"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/liquibase-runner-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-1887"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/09/23/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Liquibase Runner Plugin"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.