
CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class (424 CVEs)

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI-generated Chinese analysis included.

CWE-611 represents a critical input validation weakness where applications improperly process XML documents containing external entity references. Attackers typically exploit this vulnerability by injecting malicious XML payloads that reference local files, remote servers, or internal network resources. This allows adversaries to perform server-side request forgery, read sensitive system files, or execute denial-of-service attacks by forcing the application to resolve dangerous URIs. To mitigate this risk, developers must rigorously disable XML external entity processing in their parsers. Implementing strict input validation, using safe XML libraries that inherently block external entities, and configuring parsers to reject any DTD or entity definitions are essential defensive measures. By ensuring that XML processors only handle expected, internal content, organizations can effectively prevent unauthorized data access and maintain the integrity of their systems against these sophisticated injection attacks.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
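The intro paragraph recommends configuring parsers to reject any DTD or entity definitions, and the consequences above single out file:// entities and nested entity references. The following is an added example, not code from this page or from MITRE, showing what that configuration looks like in Python's standard library: an expat-based parser that aborts on the first DOCTYPE, entity declaration or external entity reference, next to a naive parser that leaves expat's defaults in place. The function names, the XXEBlocked exception and the three sample documents (including the placeholder file path) are all constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class XXEBlocked(ValueError):
    """Raised when a document uses DTD/entity features that an untrusted-input parser refuses."""


def _attach_tree_handlers(parser, builder: ET.TreeBuilder) -> None:
    """Route ordinary element and text events into a standard ElementTree builder."""
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with every DTD/entity feature refused.

    The first DOCTYPE, entity declaration or external entity reference aborts
    parsing, so file://, http:// and nested internal entities are never
    resolved. Parameter-entity parsing is switched off as well.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEBlocked(f"DOCTYPE declaration refused (name={name!r}, system id={sysid!r})")

    def reject_entity_decl(entity_name, is_parameter_entity, value, base, sysid, pubid, notation_name):
        raise XXEBlocked(f"entity declaration refused: {entity_name!r}")

    def reject_external_ref(context, base, sysid, pubid):
        raise XXEBlocked(f"external entity fetch refused: {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    _attach_tree_handlers(parser, builder)

    parser.Parse(data, True)
    return builder.close()


def parse_naively(data: bytes) -> ET.Element:
    """Same element handling, but with expat's defaults: internal entities are expanded."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    _attach_tree_handlers(parser, builder)
    parser.Parse(data, True)
    return builder.close()


def check_document(data: bytes) -> tuple:
    """Return (True, root tag) for an accepted document, or (False, reason) when it is refused."""
    try:
        root = parse_untrusted_xml(data)
    except XXEBlocked as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, root.tag


# Constructed sample documents (not taken from any listed CVE).
BENIGN_DOC = b'<order id="42"><item>widget</item></order>'

# A DTD declaring an external entity that points at a local file (placeholder path).
EXTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path/secret.txt">]>'
    b'<order><item>&ext;</item></order>'
)

# Nested internal entities: the pattern behind the CPU/memory consumption consequence.
NESTED_ENTITY_DOC = (
    b'<!DOCTYPE d [<!ENTITY a "lol"><!ENTITY b "&a;&a;&a;">]>'
    b'<d>&b;</d>'
)


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC),
                       ("external entity", EXTERNAL_ENTITY_DOC),
                       ("nested entities", NESTED_ENTITY_DOC)]:
        print(f"{label}: {check_document(doc)}")
    print("naive parser expanded nested entities to:", parse_naively(NESTED_ENTITY_DOC).text)
```

Python's expat does not fetch external entities unless an ExternalEntityRefHandler is installed, but it does expand internal entities by default, which is exactly where the nested-entity resource consumption comes from; refusing the DOCTYPE outright closes both paths at once. When a parser cannot be configured this way, treating the presence of a DOCTYPE in untrusted input as a rejection condition before parsing achieves the same effect.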
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-3338 | XXE in Trellix ePO server | Trellix ePolicy Orchestrator (ePO) | 5.4 | Medium | 2022-10-18
CVE-2022-42341 | Adobe ColdFusion Improper Restriction of XML External Entity Reference Arbitrary file system read | ColdFusion | 7.5 | High | 2022-10-14
CVE-2022-38419 | Adobe ColdFusion Solr Service XML External Entity Processing Arbitrary file system read | ColdFusion | 7.5 | High | 2022-10-14
CVE-2022-40705 | Apache SOAP: XML External Entity Injection (XXE) allows unauthenticated users to read arbitrary files via HTTP | Apache SOAP | 7.5 | - | 2022-09-22
CVE-2022-1700 | Forcepoint Data Loss Prevention code issue vulnerability | Data Loss Prevention (DLP) | 7.5 | High | 2022-09-12
CVE-2022-39135 | Apache Calcite: potential XEE attacks | Apache Calcite | 9.8 | - | 2022-09-11
CVE-2022-2759 | Delta Electronics Delta Robot Automation Studio code issue vulnerability | Delta Robot Automation Studio (DRAS) | 5.5 | Medium | 2022-08-31
CVE-2022-2330 | XXE vulnerability in DLP Endpoint for Windows | DLP Endpoint for Windows | 6.5 | Medium | 2022-08-30
CVE-2020-14379 | Red Hat JBoss EJB Client code issue vulnerability | Red Hat AMQ | 5.6 | - | 2022-08-16
CVE-2022-2838 | Eclipse Sphinx code issue vulnerability | Eclipse Sphinx | 7.5 | - | 2022-08-16
CVE-2022-1704 | Inductive Automation Ignition | Ignition | 7.6 | High | 2022-08-05
CVE-2022-2414 | Dogtag PKI code issue vulnerability | Dogtag PKI | 7.5 | - | 2022-07-29
CVE-2022-2131 | OpenKM XXE Injection | OpenKM Document Management Community | 8.5 | High | 2022-07-25
CVE-2022-32458 | Data Systems Consulting Co., Ltd. BPM - XML External Entity (XXE) Injection | BPM | 7.5 | High | 2022-07-20
CVE-2022-35168 | SAP Business One code issue vulnerability | SAP Business one | 7.5 | - | 2022-07-12
CVE-2021-41042 | Eclipse Lyo code issue vulnerability | Eclipse Lyo | 5.3 | - | 2022-07-07
CVE-2022-23170 | SysAid - Okta SSO integration | SysAid - Okta SSO integration | 5.9 | Medium | 2022-06-24
CVE-2022-32285 | Siemens Mendix SAML Module code issue vulnerability | Mendix SAML Module (Mendix 7 compatible) | 7.5 | - | 2022-06-14
CVE-2022-29801 | Siemens Teamcenter code issue vulnerability | Teamcenter V12.4 | 7.5 | - | 2022-05-10
CVE-2022-1331 | Delta Electronics DMARS Improper Restriction of XML External Entity Reference | DMARS | 5.5 | Medium | 2022-05-03
CVE-2022-21949 | Multiple XXE vulnerabilities in OBS | Open Build Service | 8.8 | High | 2022-05-03
CVE-2022-29265 | Improper Restriction of XML External Entity References in Multiple Components | Apache NiFi | 7.5 | - | 2022-04-30
CVE-2022-24898 | Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml | xwiki-commons | 4.9 | Medium | 2022-04-28
CVE-2022-0272 | Improper Restriction of XML External Entity Reference in detekt/detekt | detekt/detekt | 9.1 | - | 2022-04-21
CVE-2021-43990 | ICSA-22-109-03 FANUC ROBOGUIDE Simulation Platform | ROBOGUIDE | 6.1 | Medium | 2022-04-20
CVE-2022-1018 | ICSA-22-088-01 Rockwell Automation ISaGRAF | Connected Component Workbench | 5.5 | Medium | 2022-04-01
CVE-2022-0221 | Schneider Electric SCADAPack code issue vulnerability | SCADAPack Workbench | 5.5 | Medium | 2022-03-28
CVE-2021-44477 | GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference | ToolBoxST | 7.5 | High | 2022-03-25
CVE-2022-0861 | ePO XML extended entity vulnerability | McAfee ePolicy Orchestrator (ePO) | 3.5 | Low | 2022-03-23
CVE-2022-22795 | Signiant - Manager+Agents XML External Entity (XXE) | Signiant | 6.8 | Medium | 2022-03-09

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.