Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-229X-22XC-2F2W

Vulnerability from github – Published: 2024-06-07 21:39 – Updated: 2024-06-07 21:39
VLAI
Summary
Zendframework Local file disclosure via XXE injection in Zend_XmlRpc
Details

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.11.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T21:39:43Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n\n",
  "id": "GHSA-229x-22xc-2f2w",
  "modified": "2024-06-07T21:39:43Z",
  "published": "2024-06-07T21:39:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zf1"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210620092354/https://framework.zend.com/security/advisory/ZF2012-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zendframework Local file disclosure via XXE injection in Zend_XmlRpc"
}

GHSA-22H8-5MMQ-PGX3

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2025-10-22 00:31
VLAI
Details

Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-29T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.",
  "id": "GHSA-22h8-5mmq-pgx3",
  "modified": "2025-10-22T00:31:43Z",
  "published": "2022-05-24T16:55:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13608"
    },
    {
      "type": "WEB",
      "url": "https://support.citrix.com/article/CTX251988"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-13608"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-22Q6-HVJ2-JGMW

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2023-01-30 18:30
VLAI
Details

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-17T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905.",
  "id": "GHSA-22q6-hvj2-jgmw",
  "modified": "2023-01-30T18:30:28Z",
  "published": "2022-05-24T16:48:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1845"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/150905"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10738917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-22Q6-RW64-5GJJ

Vulnerability from github – Published: 2023-07-05 06:30 – Updated: 2024-04-04 05:23
VLAI
Details

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-05T06:15:21Z",
    "severity": "MODERATE"
  },
  "details": "Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.",
  "id": "GHSA-22q6-rw64-5gjj",
  "modified": "2024-04-04T05:23:13Z",
  "published": "2023-07-05T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35786"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-35786.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-232P-99PF-H332

Vulnerability from github – Published: 2022-05-14 03:06 – Updated: 2022-05-14 03:06
VLAI
Details

Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-26T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Umlet version \u003c 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3.",
  "id": "GHSA-232p-99pf-h332",
  "modified": "2022-05-14T03:06:13Z",
  "published": "2022-05-14T03:06:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000548"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umlet/umlet/issues/500"
    },
    {
      "type": "WEB",
      "url": "http://0dd.zone/2018/04/23/UMLet-XXE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2363-CQG2-863C

Vulnerability from github – Published: 2021-07-27 19:02 – Updated: 2025-09-16 15:06
VLAI
Summary
XML External Entity (XXE) Injection in JDOM
Details

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. As a workaround, to avoid external entities being expanded, one can call builder.setExpandEntities(false) and they won't be expanded.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jdom:jdom2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jdom:jdom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-33813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-27T19:02:41Z",
    "nvd_published_at": "2021-06-16T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. As a workaround, to avoid external entities being expanded, one can call `builder.setExpandEntities(false)` and they won\u0027t be expanded.",
  "id": "GHSA-2363-cqg2-863c",
  "modified": "2025-09-16T15:06:10Z",
  "published": "2021-07-27T19:02:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hunterhacker/jdom/issues/189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hunterhacker/jdom/pull/188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hunterhacker/jdom/commit/dd4f3c2fc7893edd914954c73eb577f925a7d361"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWFVYTHGILOQXUA7U3SPOERQXL7OPSZG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AH46QHE5GIMT6BL6C3GDTOYF27JYILXM"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfb7a93e40ebeb1e0068cde0bf3834dcab46bb1ef06d6424db48ed9fd@%3Cdev.tika.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r89b3800cfabb1e773e49425e5d4239c28a659839a2eca6af3431482e@%3Cissues.solr.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r845e987b7cd8efe610284958e997b84583f5a98d3394adc09e3482fe@%3Cissues.solr.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6db397ae7281ead825338200d1f62d2827585a70797cc9ac0c4bd23f@%3Cissues.solr.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5674106135bb1a6ef57483f4c63a9c44bca85d0e2a8a05895a8f1d89@%3Cissues.solr.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r21c406c7ed88fe340db7dbae75e58355159e6c324037c7d5547bf40b@%3Cissues.solr.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hunterhacker/jdom/releases/tag/JDOM-2.0.6.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hunterhacker/jdom/releases"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hunterhacker/jdom"
    },
    {
      "type": "WEB",
      "url": "https://alephsecurity.com/vulns/aleph-2021003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity (XXE) Injection in JDOM"
}

GHSA-23CF-7M42-487J

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-21T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used.",
  "id": "GHSA-23cf-7m42-487j",
  "modified": "2022-05-24T17:37:08Z",
  "published": "2022-05-24T17:37:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35604"
    },
    {
      "type": "WEB",
      "url": "https://www.mindpointgroup.com/blog/webta-xxe-version-5-0-4-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-23F3-RJ2M-G7GQ

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-04-04 02:55
VLAI
Details

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10709.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-28T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10709.",
  "id": "GHSA-23f3-rj2m-g7gq",
  "modified": "2024-04-04T02:55:13Z",
  "published": "2022-05-24T17:24:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15418"
    },
    {
      "type": "WEB",
      "url": "https://www.veeam.com/kb3221"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-821"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23Q6-8QM4-482Q

Vulnerability from github – Published: 2022-05-14 03:22 – Updated: 2022-05-14 03:22
VLAI
Details

Digital Guardian Management Console 7.1.2.0015 has an XXE issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-20T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Digital Guardian Management Console 7.1.2.0015 has an XXE issue.",
  "id": "GHSA-23q6-8qm4-482q",
  "modified": "2022-05-14T03:22:02Z",
  "published": "2022-05-14T03:22:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10175"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/147261/Digital-Guardian-Management-Console-7.1.2.0015-XXE-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23V7-F3GM-7PMW

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-02T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239.",
  "id": "GHSA-23v7-f3gm-7pmw",
  "modified": "2022-05-13T01:31:13Z",
  "published": "2022-05-13T01:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4043"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/156239"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10874238"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107778"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.