CWE-611: Improper Restriction of XML External Entity Reference (XXE), 424 vulnerabilities

424 vulnerabilities are classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI-generated Chinese-language analysis included.

CWE-611 is an input-handling weakness in which an application hands attacker-influenced XML to a parser that is allowed to resolve entities declared with external identifiers (SYSTEM or PUBLIC URIs). The attacker declares such an entity in the document's DTD and references it, so that the parser itself fetches a local file (file://), an internal HTTP service the attacker cannot reach directly, or a resource that never stops returning data. The outcomes are, respectively, disclosure of file contents (the Adobe Commerce entry below reached the encryption key and other secrets), server-side request forgery from the parsing host, and denial of service, which a DTD can also cause on its own through nested entity expansion. The vector is not limited to XML endpoints: several CVEs listed here sit in libraries that read spreadsheets, SBOMs or XSLT stylesheets, all of which carry XML internally. The dependable fix is parser configuration rather than input validation, because entity declarations can be encoded or nested inside other formats: disable resolution of external general and parameter entities, and where the application has no use for DTDs at all, configure the parser to reject any document that carries a DOCTYPE. Libraries or wrappers that ship with these protections on by default reduce the chance of a single misconfigured parser reintroducing the flaw.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
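The summary above and this mitigation both reduce to parser configuration. The following is an added example, not code from this page or from any product in the CVE list; it uses only the Python standard library, and the payloads and the "secret" file it reads are constructed for the demonstration. It runs the classic file-read XXE payload through an xml.sax parser with external general entities enabled (the weak setting, which current Python releases default to off) and through a hardened parser that disables them and rejects any DOCTYPE; it then shows the hardened parser refusing an http:// SSRF payload and a nested-entity expansion payload before a single entity is declared.

```python
"""CWE-611 in practice: a legacy xml.sax configuration that resolves external
entities, next to a hardened one that refuses them and rejects DTDs outright.
Added example using only the Python standard library; the payloads and the
'secret' file below are constructed for the demonstration."""
import io
import os
import tempfile
from xml.sax import make_parser
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class DoctypeForbidden(Exception):
    """Raised by the hardened parser the moment a <!DOCTYPE ...> is seen."""


class TextCollector(ContentHandler):
    """Gathers character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class RejectDTD:
    """Lexical handler. expat calls startDTD when it meets '<!DOCTYPE', before
    any entity in the internal subset is declared, let alone expanded, so
    raising here stops file://, http:// and entity-expansion payloads alike."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden(f"DTD not allowed (root element {name!r})")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_vulnerable(xml_bytes):
    """Weak setting: external general entities are resolved, so &xxe; is
    replaced with the bytes at whatever SYSTEM identifier the attacker chose."""
    parser = make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, True)  # CWE-611: the dangerous line
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """Safe setting: no external entity resolution, and any DTD is an error."""
    parser = make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDTD())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def hardened_rejects(xml_bytes):
    """True if the hardened parser refuses the document because of its DTD."""
    try:
        parse_hardened(xml_bytes)
    except DoctypeForbidden:
        return True
    return False


# Constructed payloads. The SSRF one points at an unroutable loopback port and
# the expansion one is a small 'billion laughs'; neither is fed to the
# vulnerable parser here, they show the hardened parser stopping at the DOCTYPE.
SSRF_PAYLOAD = (b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://127.0.0.1:1/">]>'
                b'<r>&xxe;</r>')
BILLION_LAUGHS_PAYLOAD = (b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
                          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
                          b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
                          b'<r>&c;</r>')


def run_file_read_demo():
    """Write a throwaway secret, then parse the classic file-read XXE payload
    with both configurations. Returns (text the vulnerable parser produced,
    whether the hardened parser blocked the document)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "wb") as f:
            f.write(b"s3cr3t-token\n")  # stand-in for /etc/passwd or a key file
        # External general entity whose SYSTEM identifier is a local path (a
        # file:// URI resolves the same way), referenced inside element content.
        payload = (b'<?xml version="1.0"?>\n'
                   b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "'
                   + secret_path.encode() + b'">]>\n'
                   b'<order><note>&xxe;</note></order>')
        leaked = parse_vulnerable(payload)
        blocked = hardened_rejects(payload)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = run_file_read_demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser blocked file read:", blocked)
    print("hardened parser blocked SSRF payload:", hardened_rejects(SSRF_PAYLOAD))
    print("hardened parser blocked expansion:", hardened_rejects(BILLION_LAUGHS_PAYLOAD))
```

Run directly, it prints the leaked file contents from the first configuration and True for each hardened case. The two controls carry over to other parsers: turn off resolution of external general and parameter entities, and where the application never needs a DTD, make the DOCTYPE itself an error instead of trying to filter the entity declarations inside it. In Python the defusedxml package wraps the standard-library parsers with restrictions of this kind.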
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-46984 | XML External Entity Reference (XXE) vulnerability can lead to a Server Side Request Forgery attack in gematik app-referencevalidator | app-referencevalidator | 8.6 | High | 2024-09-19
CVE-2024-7098 | XML Injection in SFS Consulting's ww.Winsure | ww.Winsure | 9.8 | - | 2024-09-16
CVE-2024-45294 | `org.hl7.fhir.core` XXE vulnerability in XSLT transforms | org.hl7.fhir.core | 8.6 | High | 2024-09-06
CVE-2024-45048 | XML External Entity Reference (XXE) in PHPSpreadsheet | PhpSpreadsheet | 8.8 | High | 2024-08-28
CVE-2024-6893 | Journyx Unauthenticated XML External Entities Injection | Journyx (jtime) | 9.8 (AI) | Critical (AI) | 2024-08-07
CVE-2024-3930 | XML External Entity in Akana | Akana API Platform | 6.3 | Medium | 2024-07-30
CVE-2023-48362 | Apache Drill: XXE Vulnerability in XML Format Reader | Apache Drill | 8.8 (AI) | High (AI) | 2024-07-24
CVE-2024-6961 | XXE in Guardrails AI when consuming RAIL documents | - | 5.9 | Medium | 2024-07-21
CVE-2024-5625 | XML External Entity Injection in PruvaSoft Informatics' Apinizer Management Console | Apinizer Management Console | 6.5 | Medium | 2024-07-18
CVE-2023-50304 | IBM Engineering Requirements Management DOORS XML external entity injection | Engineering Requirements Management DOORS | 7.1 | High | 2024-07-18
CVE-2024-38374 | Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java | cyclonedx-core-java | 7.5 | High | 2024-06-28
CVE-2023-49110 | XML External Entity Injection in Kiuwan SAST | SAST | 8.1 | - | 2024-06-20
CVE-2024-34102 | XXE can expose crypt key and other secrets granting full admin access | Adobe Commerce | 9.8 | Critical | 2024-06-13
CVE-2023-45192 | IBM Engineering Requirements Management DOORS Next XML external entity injection | Engineering Requirements Management DOORS Next | 8.2 | High | 2024-06-06
CVE-2024-3969 | XML External Entity injection vulnerability in iManager | iManager | 7.8 | High | 2024-05-28
CVE-2024-4357 | XML External Entity Processing Information Disclosure | Telerik Report Server | 6.5 | Medium | 2024-05-15
CVE-2024-3486 | XML External Entity injection vulnerability in iManager | iManager | 7.8 | High | 2024-05-15
CVE-2024-30043 | Microsoft SharePoint Server Information Disclosure Vulnerability | Microsoft SharePoint Enterprise Server 2016 | 6.5 | Medium | 2024-05-14
CVE-2024-34345 | @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability | cyclonedx-javascript-library | 8.1 | High | 2024-05-09
CVE-2023-51605 | Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability | Saia PG5 Controls Suite | 5.5 | - | 2024-05-03
CVE-2023-51604 | Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability | Saia PG5 Controls Suite | 5.5 | - | 2024-05-03
CVE-2023-51602 | Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability | Saia PG5 Controls Suite | 5.5 | - | 2024-05-03
CVE-2023-51601 | Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability | Saia PG5 Controls Suite | 5.5 | - | 2024-05-03
CVE-2023-51600 | Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability | Saia PG5 Controls Suite | 5.5 | - | 2024-05-03
CVE-2023-51591 | Voltronic Power ViewPower Pro doDocument XML External Entity Processing Information Disclosure Vulnerability | ViewPower Pro | 7.5 | - | 2024-05-03
CVE-2023-44412 | D-Link D-View addDv7Probe XML External Entity Processing Information Disclosure Vulnerability | D-View | 7.5 | - | 2024-05-03
CVE-2023-42035 | Visualware MyConnection Server doIForward XML External Entity Processing Information Disclosure Vulnerability | MyConnection Server | 7.5 | - | 2024-05-03
CVE-2023-40507 | LG Simple Editor copyContent XML External Entity Processing Information Disclosure Vulnerability | Simple Editor | 7.5 | - | 2024-05-03
CVE-2023-40506 | LG Simple Editor copyContent XML External Entity Processing Information Disclosure Vulnerability | Simple Editor | 7.5 | - | 2024-05-03
CVE-2023-40503 | LG Simple Editor saveXmlFile XML External Entity Processing Information Disclosure Vulnerability | Simple Editor | 7.5 | - | 2024-05-03

Scores and severities marked (AI) carry the site's AI tag; "-" means no value was listed.

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) amount to 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.