Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-2466-4485-4PXJ

Vulnerability from github – Published: 2025-03-10 18:29 – Updated: 2025-03-10 18:29
VLAI
Summary
LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection
Details

Description

The LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server's filesystem.

The vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.

This type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.

Steps to Reproduce

  1. Create a test bucket using PUT request to http://[server]/[bucket-name]

    curl -X PUT "http://app/xxe-test-bucket2" ```

  2. Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload: ``` curl -X PUT "http://app/xxe-test-bucket2?acl" \ -H "Content-Type: application/xml" \ -d '

]> &xxe; test test test FULL_CONTROL ' ```

  1. Send a GET request to http://[server]/[bucket-name]?acl to retrieve the bucket ACL

    curl "http://app/xxe-test-bucket2?acl"

After performing these steps, the content of the target file (/flag.txt in this case) will be included in the response within the ID field of the Owner element.

Mitigations

  • Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true
  • Disable DOCTYPE declarations in the XML parser configuration
  • Implement XML input validation and sanitization before processing
  • Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary

Impact

The vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server's filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.robothy:local-s3-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T18:29:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Description\n\nThe LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server\u0027s filesystem.\n\nThe vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.\n\nThis type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.\n\n## Steps to Reproduce\n\n1. Create a test bucket using PUT request to http://[server]/[bucket-name]\n\n    ```\n    curl -X PUT \"http://app/xxe-test-bucket2\"```\n    ```\n\n2. Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload:\n   ```\n   curl -X PUT \"http://app/xxe-test-bucket2?acl\" \\\n   -H \"Content-Type: application/xml\" \\\n   -d \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n   \u003c!DOCTYPE AccessControlPolicy [\n       \u003c!ENTITY xxe SYSTEM \"file:///etc/hostname\" \u003e\n   ]\u003e\n   \u003cAccessControlPolicy\u003e\n       \u003cOwner\u003e\n           \u003cID\u003e\u0026xxe;\u003c/ID\u003e\n           \u003cDisplayName\u003etest\u003c/DisplayName\u003e\n       \u003c/Owner\u003e\n       \u003cAccessControlList\u003e\n           \u003cGrant\u003e\n               \u003cGrantee xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"CanonicalUser\"\u003e\n                   \u003cID\u003etest\u003c/ID\u003e\n                   \u003cDisplayName\u003etest\u003c/DisplayName\u003e\n               \u003c/Grantee\u003e\n               \u003cPermission\u003eFULL_CONTROL\u003c/Permission\u003e\n           \u003c/Grant\u003e\n       \u003c/AccessControlList\u003e\n   \u003c/AccessControlPolicy\u003e\u0027\n   ```\n\n3. Send a GET request to `http://[server]/[bucket-name]?acl` to retrieve the bucket ACL\n\n    ```\n    curl \"http://app/xxe-test-bucket2?acl\"\n    ```\n\nAfter performing these steps, the content of the target file (/flag.txt in this case) will be included in the response within the ID field of the Owner element.\n\n## Mitigations\n\n- Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true\n- Disable DOCTYPE declarations in the XML parser configuration\n- Implement XML input validation and sanitization before processing\n- Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary\n\n## Impact\n\nThe vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server\u0027s filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.",
  "id": "GHSA-2466-4485-4pxj",
  "modified": "2025-03-10T18:29:05Z",
  "published": "2025-03-10T18:29:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Robothy/local-s3/security/advisories/GHSA-2466-4485-4pxj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Robothy/local-s3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection"
}

GHSA-24HM-WM2H-H8W7

Vulnerability from github – Published: 2025-11-28 06:32 – Updated: 2026-01-29 03:30
VLAI
Summary
Peppol-py is vulnerable to XXE attacks due to Saxon configuration
Details

Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "peppol_py"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66371"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-01T23:57:53Z",
    "nvd_published_at": "2025-11-28T04:16:01Z",
    "severity": "MODERATE"
  },
  "details": "Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.",
  "id": "GHSA-24hm-wm2h-h8w7",
  "modified": "2026-01-29T03:30:58Z",
  "published": "2025-11-28T06:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66371"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iterasdev/peppol-py/pull/16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iterasdev/peppol-py/commit/349a4bff8adb6205ea411bac8d7a06da0477abd7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/iterasdev/peppol-py"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iterasdev/peppol-py/releases/tag/1.1.1"
    },
    {
      "type": "WEB",
      "url": "https://invoice.secvuln.info"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Peppol-py is vulnerable to XXE attacks due to Saxon configuration"
}

GHSA-24R8-JMFH-R268

Vulnerability from github – Published: 2023-02-01 00:30 – Updated: 2025-03-27 15:30
VLAI
Details

Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-31T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).",
  "id": "GHSA-24r8-jmfh-r268",
  "modified": "2025-03-27T15:30:37Z",
  "published": "2023-02-01T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47873"
    },
    {
      "type": "WEB",
      "url": "https://fordefence.com/cve-2022-47873-keos-software-xx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24RG-9RHW-M9GH

Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11
VLAI
Details

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-09T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027. This CVE ID is unique from CVE-2019-0790, CVE-2019-0792, CVE-2019-0793, CVE-2019-0795.",
  "id": "GHSA-24rg-9rhw-m9gh",
  "modified": "2022-05-14T01:11:01Z",
  "published": "2022-05-14T01:11:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0791"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0791"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107726"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24WF-7VF2-PV59

Vulnerability from github – Published: 2021-06-28 16:38 – Updated: 2021-06-25 13:06
VLAI
Summary
XXE vulnerability on Launch import with externally-defined DTD file
Details

Impact

Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.

Patches

Fixed with: https://github.com/reportportal/service-api/pull/1392

Binaries

docker pull reportportal/service-api:5.4.0 https://github.com/reportportal/service-api/packages/846871?version=5.4.0

For more information

If you have any questions or comments about this advisory email us: support@reportportal.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.epam.reportportal:service-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "5.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-25T13:06:33Z",
    "nvd_published_at": "2021-06-23T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nStarting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition (DTD) file with external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.\n\n### Patches\nFixed with: https://github.com/reportportal/service-api/pull/1392\n\n### Binaries\n`docker pull reportportal/service-api:5.4.0`\nhttps://github.com/reportportal/service-api/packages/846871?version=5.4.0\n\n### For more information\nIf you have any questions or comments about this advisory email us: [support@reportportal.io](mailto:support@reportportal.io)\n",
  "id": "GHSA-24wf-7vf2-pv59",
  "modified": "2021-06-25T13:06:33Z",
  "published": "2021-06-28T16:38:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-24wf-7vf2-pv59"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/service-api/pull/1392"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportportal/service-api/commit/a73e0dfb4eda844c37139df1f9847013d55f084e"
    },
    {
      "type": "WEB",
      "url": "https://mvnrepository.com/artifact/com.epam.reportportal/service-api"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability on Launch import with externally-defined DTD file"
}

GHSA-253C-2JPF-7JP9

Vulnerability from github – Published: 2023-04-11 03:31 – Updated: 2023-04-15 00:30
VLAI
Details

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.",
  "id": "GHSA-253c-2jpf-7jp9",
  "modified": "2023-04-15T00:30:37Z",
  "published": "2023-04-11T03:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28340"
    },
    {
      "type": "WEB",
      "url": "https://manageengine.com"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-28340.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-256F-5WHX-5J84

Vulnerability from github – Published: 2025-08-27 00:31 – Updated: 2025-08-27 00:31
VLAI
Details

Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-35112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-26T23:15:35Z",
    "severity": "LOW"
  },
  "details": "Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows \u0027import/export\u0027, allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31.",
  "id": "GHSA-256f-5whx-5j84",
  "modified": "2025-08-27T00:31:16Z",
  "published": "2025-08-27T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35112"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-239-01.json"
    },
    {
      "type": "WEB",
      "url": "https://wiki.agiloft.com/display/HELP/What%27s+New%3A+CVE+Resolution"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-35112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2589-88HX-72GF

Vulnerability from github – Published: 2026-05-26 21:31 – Updated: 2026-05-26 21:31
VLAI
Details

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T19:16:27Z",
    "severity": "HIGH"
  },
  "details": "IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-2589-88hx-72gf",
  "modified": "2026-05-26T21:31:58Z",
  "published": "2026-05-26T21:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3603"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7274078"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-258X-99J8-QCX3

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-21T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775.",
  "id": "GHSA-258x-99j8-qcx3",
  "modified": "2022-05-24T19:15:24Z",
  "published": "2022-05-24T19:15:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29831"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204775"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6490905"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-25M5-5HWM-RP7R

Vulnerability from github – Published: 2023-04-05 18:30 – Updated: 2023-04-11 21:31
VLAI
Details

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-05T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials.",
  "id": "GHSA-25m5-5hwm-rp7r",
  "modified": "2023-04-11T21:31:08Z",
  "published": "2023-04-05T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20030"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-inj-GecEHY58"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.