Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-HJF3-R7GW-9RWG

Vulnerability from github – Published: 2018-07-24 20:00 – Updated: 2024-09-20 17:15
VLAI
Summary
feedparser denial of service vulnerability
Details

Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "feedparser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-2921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:40:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.",
  "id": "GHSA-hjf3-r7gw-9rwg",
  "modified": "2024-09-20T17:15:41Z",
  "published": "2018-07-24T20:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2921"
    },
    {
      "type": "WEB",
      "url": "https://code.google.com/p/feedparser/source/browse/trunk/NEWS?spec=svn706\u0026r=706"
    },
    {
      "type": "WEB",
      "url": "https://code.google.com/p/feedparser/source/detail?r=703\u0026path=/trunk/feedparser/feedparser.py"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-hjf3-r7gw-9rwg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kurtmckee/feedparser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/feedparser/PYSEC-2012-14.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20120604210617/http://www.securityfocus.com/bid/53654"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20150523060531/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:118/?name=MDVSA-2013:118"
    },
    {
      "type": "WEB",
      "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0157"
    },
    {
      "type": "WEB",
      "url": "http://freecode.com/projects/feedparser/releases/344371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "feedparser denial of service vulnerability"
}

GHSA-HM3G-XJP2-HW8Q

Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47
VLAI
Details

IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-09T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 133540.",
  "id": "GHSA-hm3g-xjp2-hw8q",
  "modified": "2022-05-14T03:47:37Z",
  "published": "2022-05-14T03:47:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1666"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/133560"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22011970"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102434"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HM59-JVM9-5VJ7

Vulnerability from github – Published: 2025-07-08 21:30 – Updated: 2025-07-08 21:30
VLAI
Details

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T21:15:27Z",
    "severity": "MODERATE"
  },
  "details": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed.",
  "id": "GHSA-hm59-jvm9-5vj7",
  "modified": "2025-07-08T21:30:28Z",
  "published": "2025-07-08T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49544"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMHP-8P9W-M9G8

Vulnerability from github – Published: 2023-12-30 06:30 – Updated: 2024-01-05 21:30
VLAI
Details

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-30T06:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.",
  "id": "GHSA-hmhp-8p9w-m9g8",
  "modified": "2024-01-05T21:30:32Z",
  "published": "2023-12-30T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52252"
    },
    {
      "type": "WEB",
      "url": "https://harkenzo.tlstickle.com/2023-03-17-UR-Web-Triggerable-RCE"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51309"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMQ6-FRV3-4727

Vulnerability from github – Published: 2018-10-18 17:43 – Updated: 2022-09-14 00:10
VLAI
Summary
jackson-dataformat-xml vulnerable to XML external entity (XXE)
Details

XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.dataformat:jackson-dataformat-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-3720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:40:41Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.",
  "id": "GHSA-hmq6-frv3-4727",
  "modified": "2022-09-14T00:10:34Z",
  "published": "2018-10-18T17:43:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3720"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-hmq6-frv3-4727"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184561.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jackson-dataformat-xml vulnerable to XML external entity (XXE)"
}

GHSA-HPGX-PFP3-82QV

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-30T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 198059.",
  "id": "GHSA-hpgx-pfp3-82qv",
  "modified": "2022-05-24T17:45:43Z",
  "published": "2022-05-24T17:45:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20502"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198059"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6437579"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HPM7-9WR3-CCFG

Vulnerability from github – Published: 2025-06-18 18:30 – Updated: 2025-06-18 18:30
VLAI
Details

IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15

is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 \n\nis vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.",
  "id": "GHSA-hpm7-9wr3-ccfg",
  "modified": "2025-06-18T18:30:32Z",
  "published": "2025-06-18T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36049"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7237146"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQV6-VRP9-42X2

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2025-03-31 12:30
VLAI
Details

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-2052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.",
  "id": "GHSA-hqv6-vrp9-42x2",
  "modified": "2025-03-31T12:30:44Z",
  "published": "2022-05-17T19:57:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2052"
    },
    {
      "type": "WEB",
      "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components"
    },
    {
      "type": "WEB",
      "url": "https://www.securityfocus.com/bid/66222"
    },
    {
      "type": "WEB",
      "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HR2V-VC99-3C32

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-07T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).",
  "id": "GHSA-hr2v-vc99-3c32",
  "modified": "2022-05-24T19:01:47Z",
  "published": "2022-05-24T19:01:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36124"
    },
    {
      "type": "WEB",
      "url": "https://blog.pridesec.com.br/p/4c972078-5f01-419e-8bea-cf31ff2e3670"
    },
    {
      "type": "WEB",
      "url": "https://marketing.paxtechnology.com/about-pax"
    },
    {
      "type": "WEB",
      "url": "https://www.whatspos.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HR5M-P87F-R39Q

Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05
VLAI
Details

IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128377.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-05T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 128377.",
  "id": "GHSA-hr5m-p87f-r39q",
  "modified": "2022-05-14T01:05:31Z",
  "published": "2022-05-14T01:05:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1458"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/128377"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22007551"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100638"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.