
CWE-611: Improper Restriction of XML External Entity Reference (XXE), vulnerability class with 424 CVEs

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI-generated Chinese-language analysis included.

CWE-611 covers applications that hand untrusted XML to a parser configured to resolve external entities. The attacker supplies a document (or a DTD the document references) that declares an entity whose SYSTEM identifier is a URI, then references that entity in content; the parser fetches the URI on the application's behalf. Depending on where the URI points, this discloses local files (the entity's content ends up in the application's output or error messages), turns the server into a proxy for requests against internal hosts the attacker cannot reach directly, or ties up CPU and memory on a large or never-ending resource. The fix is a parser setting rather than input validation: disable DTD processing outright when the application has no need for it, and otherwise disable external general entities, external parameter entities and external DTD loading. Verify the setting on every parser the application actually instantiates, because defaults differ between libraries and versions, and components that parse XML indirectly (XSLT processors, web-service and document-format libraries) often build their own parser instances.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Phases: Implementation, System Configuration. Many XML parsers and validators can be configured to disable external entity expansion.
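The file-read consequence and the "disable external entity expansion" mitigation above, as an added example that is not part of this page or of any project listed on it. It uses only the Python standard library: the same constructed payload is parsed with xml.sax once with external general entities switched on (the vulnerable configuration) and once with them off (the hardened configuration, which is also the stdlib default since Python 3.7.1), and a DOCTYPE guard shows the "reject any DTD" defence. The secret file, the payload and the function names (parse_text, reject_dtd, build_payload, demo) are constructed here for the demonstration and assume a POSIX path for the file:// URI.

```python
"""XXE with the Python standard library: vulnerable vs. hardened xml.sax setup.

Added example. The secret file and payload are constructed for the demo;
the entity points at a temp file standing in for /etc/passwd.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class TextCollector(ContentHandler):
    """Concatenates every character-data event the parser delivers."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


def parse_text(xml_bytes, resolve_external_entities):
    """Return the character data of the document.

    resolve_external_entities=True is the vulnerable setup: an entity declared
    in the DTD with a SYSTEM URI is fetched and its contents spliced into the
    document. False is the hardened setup: the reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setFeature(feature_external_pes, False)  # never load external DTDs
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def reject_dtd(xml_bytes):
    """Defence in depth: refuse any document that declares a DTD at all.

    XXE needs an entity declaration, and those only live in a DTD, so an
    endpoint that never expects a DOCTYPE can bounce the request before the
    parser sees it. Byte check only: decode UTF-16 input first or it is missed.
    """
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD declarations are not accepted")
    return xml_bytes


def build_payload(path):
    """Classic file-read XXE: the entity's SYSTEM identifier is a file:// URI."""
    return (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE note [<!ENTITY xxe SYSTEM "file://' + path.encode() + b'">]>'
        b"<note>&xxe;</note>"
    )


def demo():
    """Run both parser configurations and the DTD guard on one payload.

    Returns the text each configuration produced and whether the guard
    rejected the document.
    """
    secret = "db_password=hunter2"  # constructed stand-in for a sensitive file
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    try:
        payload = build_payload(path)
        vulnerable = parse_text(payload, resolve_external_entities=True)
        hardened = parse_text(payload, resolve_external_entities=False)
        try:
            reject_dtd(payload)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(path)
    return {"vulnerable": vulnerable, "hardened": hardened, "rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print("external entities on :", repr(result["vulnerable"]))
    print("external entities off:", repr(result["hardened"]))
    print("DTD guard rejected   :", result["rejected"])
```

The equivalent switches in other parsers are the ones to audit: for Java's DocumentBuilderFactory the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true, and for libxml2 leaving XML_PARSE_NOENT and XML_PARSE_DTDLOAD out of the parser options. Note that with the hardened setting the entity reference silently becomes empty rather than failing; if the application needs to notice that a client sent a DTD at all, the guard is the place to log and reject.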
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-32138 | WordPress Easy Google Maps plugin <= 1.11.18 - XML External Entity vulnerability | Easy Google Maps | 6.6 | Medium | 2025-04-04
CVE-2025-3241 | zhangyanbo2007 youkefu XML Document CallCenterRouterController.java xml external entity reference | youkefu | 6.3 | Medium | 2025-04-04
CVE-2025-31487 | The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server | jira | 7.7 | High | 2025-04-03
CVE-2025-1781 | CSS Validator security vulnerability | CSS Validator | 6.5 | - | 2025-03-28
CVE-2025-29932 | JetBrains GoLand code issue vulnerability | GoLand | 4.1 | Medium | 2025-03-25
CVE-2025-25036 | Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE) | JPlatform | 6.8 | Medium | 2025-03-21
CVE-2025-2365 | crmeb_java WeChatMessageController.java webHook xml external entity reference | crmeb_java | 6.3 | Medium | 2025-03-17
CVE-2025-27136 | LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection | local-s3 | 8.1 | - | 2025-03-10
CVE-2025-0162 | IBM Aspera Shares XML external entity injection | Aspera Shares | 7.1 | High | 2025-03-07
CVE-2023-38693 | RCE in Lucee REST endpoint | Lucee | 9.8 | Critical | 2025-03-05
CVE-2025-24521 | Keysight Ixia Vision Product Family Improper Restriction of XML External Entity Reference | Ixia Vision Product Family | 4.9 | Medium | 2025-03-05
CVE-2024-49781 | IBM OpenPages XML external entity injection | OpenPages with Watson | 7.1 | High | 2025-02-20
CVE-2023-47160 | IBM Cognos Controller XML external entity injection | Cognos Controller | 8.2 | High | 2025-02-19
CVE-2024-25066 | RSA Authentication Manager security vulnerability | Authentication Manager | 4.3 | Medium | 2025-02-17
CVE-2025-1225 | ywoa WXCallBack Interface XMLParse.java extract xml external entity reference | ywoa | 6.3 | Medium | 2025-02-12
CVE-2024-54171 | IBM EntireX XML external entity injection | EntireX | 7.1 | High | 2025-02-06
CVE-2024-49352 | IBM Cognos Analytics XML external entity injection | Cognos Analytics | 7.1 | High | 2025-02-05
CVE-2024-52807 | XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher` | fhir-ig-publisher | 8.6 | High | 2025-01-24
CVE-2024-42185 | HCL BigFix Patch Download Plug-ins are affected by an insecure package which is susceptible to XML injection attacks | BigFix Patch Management Download Plug-ins | 2.5 | Low | 2025-01-23
CVE-2025-23195 | Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie | Apache Ambari | 7.5 | - | 2025-01-21
CVE-2024-12476 | Schneider Electric Web Designer code issue vulnerability | Web Designer for BMXNOR0200H | 7.8 | High | 2025-01-17
CVE-2024-12298 | Vulnerability Report on Improper Restriction of XML External Entity Reference in NB-Designer | Programmable Terminals NB-Designer | 5.5 | Medium | 2025-01-14
CVE-2024-56324 | GoCD vulnerable to XXE injection via abuse of pipeline XML "snippet" editing by group admins | gocd | 6.5 | - | 2025-01-03
CVE-2024-56322 | GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality | gocd | 6.7 | - | 2025-01-03
CVE-2024-40896 | libxml2 security vulnerability | libxml2 | 7.5 (AI-estimated) | High (AI-estimated) | 2024-12-23
CVE-2024-56356 | JetBrains TeamCity code issue vulnerability | TeamCity | 5.9 | Medium | 2024-12-20
CVE-2021-22501 | OpenText Operations Bridge Manager security vulnerability | Operations Bridge Manager | 9.1 | - | 2024-12-19
CVE-2024-55887 | Ucum-java has an XXE vulnerability in XML parsing | Ucum-java | 8.6 | High | 2024-12-13
CVE-2024-49535 | Acrobat Reader: Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) | Acrobat Reader | 6.3 | Medium | 2024-12-10
CVE-2024-49064 | Microsoft SharePoint Information Disclosure Vulnerability | Microsoft SharePoint Enterprise Server 2016 | 6.5 | Medium | 2024-12-10

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) account for 424 CVEs. The CWE entry describes the weakness class; review each CVE for product-specific impact.