
CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class 424

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 is an input validation weakness in which an application processes XML documents that contain external entity references. An attacker exploits it by submitting XML whose entity definitions point at local files, remote servers, or internal network resources; the parser resolves those URIs on the attacker's behalf, which enables server-side request forgery, disclosure of sensitive system files, and denial of service. The primary mitigation is to disable external entity resolution (and, where possible, DTD processing altogether) in every XML parser the application uses. Strict input validation and XML libraries that block external entities by default are complementary measures. Restricting XML processors to the expected, internal content prevents unauthorized data access and keeps these injection attacks from reaching the system.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2020-1693 | spacewalk Code Issue Vulnerability — spacewalk | 8.6 | High | 2020-02-17 |
| CVE-2019-6194 | Lenovo XClarity Administrator Code Issue Vulnerability — XClarity Administrator (LXCA) | 5.7 | Medium | 2020-02-14 |
| CVE-2019-15983 | Cisco Data Center Network Manager XML External Entity Read Access Vulnerability — Cisco Data Center Network Manager | 4.9 | - | 2020-01-06 |
| CVE-2019-3768 | Dell RSA Authentication Manager Code Issue Vulnerability — RSA Authentication Manager | 6.5 | - | 2020-01-03 |
| CVE-2019-10172 | jackson-mapper-asl Code Issue Vulnerability — jackson-mapper-asl | 7.5 | - | 2019-11-18 |
| CVE-2019-18227 | Advantech WISE-PaaS/RMM Code Issue Vulnerability — Advantech WISE-PaaS/RMM | 7.5 | - | 2019-10-31 |
| CVE-2019-12711 | Cisco Unified Communications Manager XML External Expansion Vulnerability — Cisco Unified Communications Manager | 9.1 | - | 2019-10-02 |
| CVE-2019-10976 | Mitsubishi Electric FR Configurator2 Code Issue Vulnerability — Mitsubishi Electric FR Configurator2 | 5.5 | - | 2019-07-25 |
| CVE-2019-1903 | Cisco Security Manager XML Entity Expansion Vulnerability — Cisco Security Manager | 9.1 | - | 2019-06-20 |
| CVE-2019-10244 | Eclipse Kura Code Issue Vulnerability — Eclipse Kura | 7.5 | - | 2019-04-09 |
| CVE-2019-1698 | Cisco IoT Field Network Director XML External Entity Vulnerability — Cisco IoT Field Network Director (IoT-FND) | 4.9 | - | 2019-02-21 |
| CVE-2019-3772 | Spring Integration XML External Entity Injection (XXE) — Spring Integration | 9.8 | - | 2019-01-18 |
| CVE-2019-3773 | Spring Web Services XML External Entity Injection (XXE) — Spring Web Services | 9.8 | - | 2019-01-18 |
| CVE-2019-3774 | Spring Batch XML External Entity Injection (XXE) — Spring Batch | 9.8 | - | 2019-01-18 |
| CVE-2018-17247 | Elasticsearch Security Cross-Site Scripting Vulnerability — Elasticsearch | 5.9 | - | 2018-12-20 |
| CVE-2018-15444 | Cisco Energy Management Suite XML External Entity Vulnerability — Cisco Energy Management Suite | 6.3 | - | 2018-11-08 |
| CVE-2018-17912 | Fr. Sauter AG CASE Suite Security Vulnerability — CASE Suite | 7.5 | - | 2018-11-02 |
| CVE-2018-12544 | Eclipse Vert.x Security Vulnerability — Eclipse Vert.x | 9.8 | - | 2018-10-10 |
| CVE-2018-10614 | Wecon LeviStudioU Security Vulnerability — LeviStudioU | 7.8 | - | 2018-10-09 |
| CVE-2018-17889 | Wecon PI Studio HMI and PI Studio Security Vulnerability — PI Studio HMI | 6.5 | - | 2018-10-08 |
| CVE-2018-0414 | Cisco Secure Access Control Server XML External Entity Injection Vulnerability — Cisco Secure Access Control Server Solution Engine (ACSE) | 5.7 | - | 2018-10-05 |
| CVE-2018-12471 | External Entity processing in the RegistrationSharing module — SMT | 8.1 | - | 2018-10-04 |
| CVE-2017-7464 | Red Hat JBoss Enterprise Application Platform Security Vulnerability — JBoss | 9.8 | - | 2018-07-27 |
| CVE-2017-7545 | jbpmmigration Security Vulnerability — jbpm-designer | 6.5 | - | 2018-07-26 |
| CVE-2018-10600 | SEL AcSELerator Architect Security Vulnerability — AcSELerator Architect | 9.8 | - | 2018-07-24 |
| CVE-2016-9487 | EpubCheck 4.0.1 is vulnerable to external XML entity processing attacks — EpubCheck | 7.8 | - | 2018-07-13 |
| CVE-2016-9491 | ManageEngine Applications Manager 12 and 13 is vulnerable to privilege escalation due to improper restriction of an XML external entity — Applications Manager | 4.9 | - | 2018-07-13 |
| CVE-2017-7465 | Red Hat JBoss Enterprise Application Platform Code Injection Vulnerability — jboss | 9.8 | - | 2018-06-27 |
| CVE-2017-3206 | The Action Message Format (AMF3) deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages — Flamingo amf-serializer | 9.8 | - | 2018-06-11 |
| CVE-2018-10613 | GE MDS PulseNET and MDS PulseNET Enterprise Security Vulnerability — MDS PulseNET and MDS PulseNET Enterprise | 7.5 | - | 2018-06-04 |

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.