CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class (424 CVEs)

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 represents a critical input validation weakness where applications improperly process XML documents containing external entity references. Attackers typically exploit this vulnerability by injecting malicious XML payloads that reference local files, remote servers, or internal network resources. This allows adversaries to perform server-side request forgery, read sensitive system files, or execute denial-of-service attacks by forcing the application to resolve dangerous URIs. To mitigate this risk, developers must rigorously disable XML external entity processing in their parsers. Implementing strict input validation, using safe XML libraries that inherently block external entities, and configuring parsers to reject any DTD or entity definitions are essential defensive measures. By ensuring that XML processors only handle expected, internal content, organizations can effectively prevent unauthorized data access and maintain the integrity of their systems against these sophisticated injection attacks.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Phase: Implementation, System Configuration. Many XML parsers and validators can be configured to disable external entity expansion.
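As an added example of the mitigation above (this is not code from the page or from any of the projects listed on it), the following Python function builds on the standard-library expat parser and refuses a DOCTYPE, any entity declaration and any external entity reference before the parser can expand it, then runs over two constructed documents, one benign and one declaring a file:// external entity. The element names, the entity name and the file path are constructed for the example.

```python
import xml.parsers.expat as expat

class ForbiddenXmlConstruct(Exception):
    """Document carries a DTD, an entity declaration or an external reference."""

def parse_hardened(data: bytes, allow_doctype: bool = False) -> dict:
    """Parse with expat, refusing every construct XXE depends on before it is
    expanded. Returns {element: text} for the text-bearing elements."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    result, stack = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXmlConstruct(f"DOCTYPE {name!r} not allowed")
    def reject_entity_decl(name, *_):
        raise ForbiddenXmlConstruct(f"entity declaration {name!r} not allowed")
    def reject_external_ref(context, base, sysid, pubid):
        raise ForbiddenXmlConstruct(f"external entity {sysid!r} not allowed")
    def chars(text):
        if stack and text.strip():
            result[stack[-1]] = result.get(stack[-1], "") + text

    if not allow_doctype:  # layer 1: no DTD at all, the usual hardened setting
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl  # layer 2: no entity declarations at all
    parser.ExternalEntityRefHandler = reject_external_ref  # layer 3: never resolve a reference
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result

def classify(data: bytes, allow_doctype: bool = False) -> str:
    """Return 'accepted', 'rejected: <why>' or 'malformed: <why>' for one document."""
    try:
        parse_hardened(data, allow_doctype)
        return "accepted"
    except ForbiddenXmlConstruct as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"

# Constructed sample documents; entity name and file path are made up for this example.
BENIGN = b'<?xml version="1.0"?><order><id>42</id><note>hello</note></order>'
XXE_FILE = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///tmp/constructed.txt">]>'
            b'<order><id>&xxe;</id></order>')
if __name__ == "__main__":
    for doc in (BENIGN, XXE_FILE):
        print(classify(doc), "|", classify(doc, allow_doctype=True))
```

With the default setting the document is refused at the DOCTYPE; even when an application must accept a DTD, the entity-declaration layer still stops the external entity before any file is read.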
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-54005 | Siemens Comos code issue vulnerability | COMOS V10.3 | 5.1 | Medium | 2024-12-10
CVE-2024-49704 | Siemens Comos code issue vulnerability | COMOS V10.3 | 5.5 | Medium | 2024-12-10
CVE-2024-47582 | XML Entity Expansion Vulnerability in SAP NetWeaver AS JAVA | SAP NetWeaver AS JAVA | 5.3 | Medium | 2024-12-10
CVE-2024-52596 | SimpleSAMLphp xml-common XXE vulnerability | xml-common | 9.1 | - | 2024-12-02
CVE-2024-52806 | SimpleSAMLphp SAML2 has an XXE in parsing SAML messages | saml2 | 8.3 | High | 2024-12-02
CVE-2024-52800 | Potential XXE (XML External Entity Injection) vulnerability in veraPDF CLI | veraPDF-library | 7.8 | - | 2024-11-29
CVE-2024-9044 | XML External Entity (XXE) Vulnerability in EasyTax | EasyTax | 9.8 | - | 2024-11-29
CVE-2023-24466 | Possible XML External Entity Injection in OpenText iManager | iManager | 7.5 | High | 2024-11-22
CVE-2024-48917 | XXE in PHPSpreadsheet's XLSX reader | PhpSpreadsheet | 7.5 | High | 2024-11-18
CVE-2024-47873 | PhpSpreadsheet XmlScanner bypass leads to XXE | PhpSpreadsheet | 7.5 | High | 2024-11-18
CVE-2020-26066 | Cisco SD-WAN vManage Software XML External Entity Vulnerability | Cisco Catalyst SD-WAN Manager | 7.3 | - | 2024-11-18
CVE-2021-1483 | Cisco SD-WAN vManage Software XML External Entity Vulnerability | Cisco Catalyst SD-WAN Manager | 6.4 | Medium | 2024-11-15
CVE-2024-39726 | IBM Engineering Insights XML external entity injection | Engineering Insights | 8.2 | High | 2024-11-15
CVE-2021-3902 | Improper Restriction of XML External Entity Reference in dompdf/dompdf | dompdf/dompdf | 8.1 (AI) | High (AI) | 2024-11-15
CVE-2024-5919 | PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability | Cloud NGFW | 7.7 (AI) | High (AI) | 2024-11-14
CVE-2024-52007 | XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` | org.hl7.fhir.core | 8.6 | High | 2024-11-08
CVE-2024-10839 | XML External Entity | SharePoint Manager Plus | 8.5 | High | 2024-11-08
CVE-2024-20531 | Cisco Identity Services Engine XML External Entity Injection Vulnerability | Cisco Identity Services Engine Software | 5.5 | Medium | 2024-11-06
CVE-2024-45086 | IBM WebSphere Application Server XML external entity injection | WebSphere Application Server | 5.5 | Medium | 2024-11-04
CVE-2024-50442 | WordPress Royal Elementor Addons and Templates plugin <= 1.3.980 - XML External Entity (XXE) vulnerability | Royal Elementor Addons | 6.5 | Medium | 2024-10-28
CVE-2024-4690 | Insecure usage for DocumentBuilderFactory and TransformerFactory in OpenText Application Automation Tools | OpenText Application Automation Tools | 9.8 (AI) | Critical (AI) | 2024-10-16
CVE-2024-4189 | Multiple XXE sinks in Run LoadRunner script step in OpenText Application Automation Tools | OpenText Application Automation Tools | 9.8 (AI) | Critical (AI) | 2024-10-16
CVE-2024-4184 | Multiple XXE sinks in ALM archive post-build step in OpenText Application Automation Tools | OpenText Application Automation Tools | 9.8 (AI) | Critical (AI) | 2024-10-16
CVE-2024-45072 | IBM WebSphere Application Server XML external entity injection | WebSphere Application Server | 5.5 | Medium | 2024-10-16
CVE-2024-8602 | XML Eternal Entity Attack in the Software Library taxstatement.jar | Library taxstatement.jar | 8.8 (AI) | High (AI) | 2024-10-14
CVE-2024-28168 | Apache XML Graphics FOP: XML External Entity (XXE) Processing | Apache XML Graphics FOP | 7.5 (AI) | High (AI) | 2024-10-09
CVE-2024-39586 | Dell AppSync Server code issue vulnerability | AppSync | 2.9 | Low | 2024-10-09
CVE-2024-45293 | XML External Entity Reference (XXE) in PHPSpreadsheet's XLSX reader | PhpSpreadsheet | 7.5 | High | 2024-10-07
CVE-2024-45745 | TopQuadrant TopBraid EDG JavaScript console XXE | TopBraid EDG | 5.0 | Medium | 2024-09-27
CVE-2024-46985 | DataEase has an XXE vulnerability | dataease | 7.5 | High | 2024-09-23

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.