
CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class 424

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 represents a critical input validation weakness where applications improperly process XML documents containing external entity references. Attackers typically exploit this vulnerability by injecting malicious XML payloads that reference local files, remote servers, or internal network resources. This allows adversaries to perform server-side request forgery, read sensitive system files, or execute denial-of-service attacks by forcing the application to resolve dangerous URIs. To mitigate this risk, developers must rigorously disable XML external entity processing in their parsers. Implementing strict input validation, using safe XML libraries that inherently block external entities, and configuring parsers to reject any DTD or entity definitions are essential defensive measures. By ensuring that XML processors only handle expected, internal content, organizations can effectively prevent unauthorized data access and maintain the integrity of their systems against these sophisticated injection attacks.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
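As an added example (not from the CWE entry or from this page), the weak parser setting beside the two mitigations the entry describes, using Python's standard-library xml.sax reader: following external general entities is switched off, and, strictest of all, any DOCTYPE is rejected so no entity can be declared at all. The secret file, the XML document and the helper names (parse_text, demo, _DtdRejecter) are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, property_lexical_handler

class _DtdRejecter:
    """Lexical handler that refuses any DOCTYPE, so no entity can be declared."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in untrusted XML")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass

def parse_text(xml_bytes, allow_external_entities=False, reject_dtd=False):
    """Return the text of xml_bytes. allow_external_entities=True is the weak
    setting CWE-611 describes (SYSTEM ids are followed and their content is
    embedded); reject_dtd=True is the strictest mitigation (any DTD aborts)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    if reject_dtd:
        parser.setProperty(property_lexical_handler, _DtdRejecter())
    handler, parts = xml.sax.ContentHandler(), []
    handler.characters = parts.append  # collect text to see if &ext; was expanded
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(parts)

def demo():
    """Parse one entity-bearing document three ways: (weak, hardened, strict)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret")  # constructed stand-in for a sensitive file
        path = f.name
    doc = (f'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY ext SYSTEM "{path}">]>'
           '<d>&ext;</d>').encode()
    try:
        weak = parse_text(doc, allow_external_entities=True)  # file content leaks
        hardened = parse_text(doc)  # entity left unexpanded, text is empty
        try:
            parse_text(doc, reject_dtd=True)
            strict = "parsed"
        except ValueError as e:
            strict = str(e)  # parsing aborted at the DOCTYPE
    finally:
        os.unlink(path)
    return weak, hardened, strict
```

Since Python 3.7.1 xml.sax leaves external general entities off by default, so the weak run only happens because the code opts in; the DOCTYPE rejection also closes the resource-consumption case, because recursive internal entities need a DTD too.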
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2020-7037 | Avaya Equinox Conferencing XXE vulnerability | Avaya Meetings Server | 8.1 | High | 2021-04-28 |
| CVE-2020-7036 | XXE in Avaya Callback Assist Administration | Callback Assist | 8.1 | High | 2021-04-23 |
| CVE-2020-7035 | XXE in Avaya Aura Orchestration Designer | Aura Orchestration Designer | 8.1 | High | 2021-04-23 |
| CVE-2021-29447 | WordPress Authenticated XXE attack when installation is running PHP 8 | wordpress-develop | 7.1 | High | 2021-04-15 |
| CVE-2021-27604 | SAP ERP code issue vulnerability | SAP Process Integration (Enterprise Service Repository JAVA Mappings) | 6.5 | - | 2021-04-14 |
| CVE-2020-6590 | Forcepoint Web Security Content Gateway code issue vulnerability | Forcepoint Web Security Content Gateway | 7.5 | - | 2021-04-08 |
| CVE-2020-28387 | Siemens Solid Edge code issue vulnerability | Solid Edge SE2020 | 5.5 | - | 2021-03-15 |
| CVE-2021-21517 | Dell SRS Policy Manager code issue vulnerability | SRS Policy Manager | 7.2 | High | 2021-03-01 |
| CVE-2019-18943 | XML External Entity processing | Solutions Business Manager | 6.1 | Medium | 2021-02-26 |
| CVE-2021-21266 | XXE vulnerability in OpenHAB | openhab-addons | 6.4 | Medium | 2021-02-01 |
| CVE-2021-23901 | An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser | Apache Nutch | 9.1 | - | 2021-01-25 |
| CVE-2020-27858 | Check Point Arcserve D2D code issue vulnerability | D2D | 7.5 | - | 2021-01-20 |
| CVE-2020-26981 | Siemens Jt2go and Siemens Teamcenter Visualization code issue vulnerability | JT2Go | 6.5 | - | 2021-01-12 |
| CVE-2020-26247 | XXE in Nokogiri | nokogiri | 2.6 | Low | 2020-12-30 |
| CVE-2020-25649 | Fasterxml Jackson code issue vulnerability | jackson-databind | 7.5 | - | 2020-12-03 |
| CVE-2020-26229 | XML External Entity in Dashboard Widget | TYPO3.CMS | 3.7 | Low | 2020-11-23 |
| CVE-2020-7572 | Schneider Electric EcoStruxure Building Operation WebReports code issue vulnerability | EcoStruxure Building Operation WebReports V1.9 - V3.1 | 8.8 | - | 2020-11-19 |
| CVE-2020-7032 | Avaya WebLM Improper Restriction of XML External Entity Reference | WebLM | 6.5 | Medium | 2020-11-13 |
| CVE-2020-15232 | XML External Entity attack in mapfish-print | mapfish-print | 9.3 | Critical | 2020-10-02 |
| CVE-2020-8256 | Pulse Secure Connect Secure code issue vulnerability | Pulse Connect Secure | 4.9 | - | 2020-09-29 |
| CVE-2020-17408 | NEC ExpressCluster code issue vulnerability | ExpressCluster | 7.5 | - | 2020-09-10 |
| CVE-2020-15419 | Veeam ONE code issue vulnerability | ONE | 7.5 | - | 2020-07-28 |
| CVE-2020-15418 | Veeam ONE code issue vulnerability | ONE | 7.5 | - | 2020-07-28 |
| CVE-2020-3405 | Cisco SD-WAN vManage Software XML External Entity Vulnerability | Cisco SD-WAN vManage | 7.3 | - | 2020-07-16 |
| CVE-2019-17637 | Eclipse Web Tools Platform code issue vulnerability | Eclipse Web Tools Platform | 7.1 | - | 2020-07-15 |
| CVE-2020-12025 | Rockwell Automation Logix Designer Studio 5000 code issue vulnerability | Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 | 3.3 | - | 2020-07-14 |
| CVE-2020-2012 | PAN-OS: Panorama: XML external entity reference ('XXE') vulnerability leads the to information leak | PAN-OS | 7.5 | High | 2020-05-13 |
| CVE-2020-3256 | Cisco Hosted Collaboration Mediation Fulfillment XML External Expansion Vulnerability | Cisco Hosted Collaboration Mediation Fulfillment | 4.9 | - | 2020-05-06 |
| CVE-2020-10629 | Advantech WebAccess/NMS code issue vulnerability | WebAccess/NMS | 7.5 | - | 2020-04-09 |
| CVE-2020-9044 | Metasys Improper Restriction of XML External Entity Reference | Metasys Application and Data Server (ADS, ADS-Lite) | 7.5 | High | 2020-03-10 |

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.