Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-59F8-2GF3-79Q3

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:35
VLAI
Details

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-08T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).",
  "id": "GHSA-59f8-2gf3-79q3",
  "modified": "2024-04-04T01:35:23Z",
  "published": "2022-05-24T16:52:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13176"
    },
    {
      "type": "WEB",
      "url": "https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59QF-VRM9-Q977

Vulnerability from github – Published: 2025-11-17 18:30 – Updated: 2025-11-17 21:31
VLAI
Details

PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-17T17:15:51Z",
    "severity": "HIGH"
  },
  "details": "PDFPatcher thru 1.1.3.4663 executable\u0027s XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET\u0027s XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim\u0027s filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.",
  "id": "GHSA-59qf-vrm9-q977",
  "modified": "2025-11-17T21:31:24Z",
  "published": "2025-11-17T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63917"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/XXE-Importers.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wmjordan/PDFPatcher"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/pdfpatcher"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59R4-VR3M-3RRH

Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01
VLAI
Details

ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-09T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\\drivers\\utilities\\src\\main\\java\\org\\onosproject\\drivers\\utilities\\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.",
  "id": "GHSA-59r4-vr3m-3rrh",
  "modified": "2022-05-14T03:01:32Z",
  "published": "2022-05-14T03:01:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000616"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.onosproject.org/#/c/18894"
    },
    {
      "type": "WEB",
      "url": "http://gms.cl0udz.com/Openconfig_xxe.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5C28-8WW8-7QF3

Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2024-04-04 05:43
VLAI
Details

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-16T05:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\nA CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that\ncould cause unauthorized read access to the file system when a malicious configuration file is\nloaded on to the software by a local user.\u00a0",
  "id": "GHSA-5c28-8ww8-7qf3",
  "modified": "2024-04-04T05:43:21Z",
  "published": "2023-07-06T21:14:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2161"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-129-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-129-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5C5Q-XJ8P-HRG3

Vulnerability from github – Published: 2023-03-24 18:30 – Updated: 2025-05-30 18:30
VLAI
Details

An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-24T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.",
  "id": "GHSA-5c5q-xj8p-hrg3",
  "modified": "2025-05-30T18:30:46Z",
  "published": "2023-03-24T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28152"
    },
    {
      "type": "WEB",
      "url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2023-28152"
    },
    {
      "type": "WEB",
      "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2023-28152"
    },
    {
      "type": "WEB",
      "url": "https://www.independentsoft.de/jword/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CJW-7JCV-34JX

Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36
VLAI
Details

The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-18T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.",
  "id": "GHSA-5cjw-7jcv-34jx",
  "modified": "2022-05-14T01:36:14Z",
  "published": "2022-05-14T01:36:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20233"
    },
    {
      "type": "WEB",
      "url": "https://ecosystem.atlassian.net/browse/UPM-5964"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106661"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CR4-4CRM-RRP5

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
VLAI
Details

Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-09T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software.",
  "id": "GHSA-5cr4-4crm-rrp5",
  "modified": "2022-05-24T19:07:22Z",
  "published": "2022-05-24T19:07:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32972"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5FJ4-9H5F-W6XG

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147630.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-15T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 147630.",
  "id": "GHSA-5fj4-9h5f-w6xg",
  "modified": "2022-05-13T01:32:55Z",
  "published": "2022-05-13T01:32:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1727"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/147630"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10718887"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G9G-W9X5-3RFC

Vulnerability from github – Published: 2022-05-14 01:21 – Updated: 2022-05-14 01:21
VLAI
Details

SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-15T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.",
  "id": "GHSA-5g9g-w9x5-3rfc",
  "modified": "2022-05-14T01:21:26Z",
  "published": "2022-05-14T01:21:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0265"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2729710"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106972"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GWH-R76W-934H

Vulnerability from github – Published: 2024-01-09 09:30 – Updated: 2024-01-09 19:26
VLAI
Summary
Qualys Jenkins Plugin for WAS XML External Entity vulnerability
Details

Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.11"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.qualys.plugins:qualys-was"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T19:26:01Z",
    "nvd_published_at": "2024-01-09T09:15:42Z",
    "severity": "MODERATE"
  },
  "details": "Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data",
  "id": "GHSA-5gwh-r76w-934h",
  "modified": "2024-01-09T19:26:01Z",
  "published": "2024-01-09T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/qualys-was-plugin/commit/b4eeb34747fa1b934abbdf686102f6495fdb02ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/qualys-was-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.qualys.com/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.qualys.com/security-advisories/cve-2023-6149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Qualys Jenkins Plugin for WAS XML External Entity vulnerability"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.