CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class 424

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 is an input validation weakness in which an application processes XML documents containing external entity references without restricting them. Attackers exploit it by submitting XML whose entity declarations reference local files, remote servers, or internal network resources; when the parser resolves those URIs, the application can be made to disclose sensitive system files, issue requests on the attacker's behalf (server-side request forgery), or exhaust CPU and memory in a denial of service. The mitigation is to disable external entity processing in the XML parser: configure it to reject DTDs and entity definitions, prefer libraries that block external entities by default, and validate input strictly. When the XML processor only handles expected, internal content, unauthorized data access through entity resolution is prevented and the integrity of the system is maintained against these injection attacks.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-39472 | Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability | Ignition | 6.5 | - | 2024-05-03
CVE-2024-29010 | SonicWALL GMS security vulnerability | GMS | 7.1 | High | 2024-05-01
CVE-2024-22354 | IBM WebSphere Application Server XML external entity injection | WebSphere Application Server | 7.0 | High | 2024-04-17
CVE-2024-25971 | Dell PowerProtect Data Manager code issue vulnerability | PowerProtect Data Manager | 5.5 | Medium | 2024-03-28
CVE-2024-31139 | JetBrains TeamCity security vulnerability | TeamCity | 5.9 | Medium | 2024-03-28
CVE-2024-2826 | lakernote EasyAdmin saveReportFile xml external entity reference | EasyAdmin | 6.3 | Medium | 2024-03-22
CVE-2024-27266 | IBM Maximo Application Suite XML external entity injection | Maximo Asset Management | 8.2 | High | 2024-03-14
CVE-2023-50168 | Pegasystem PEGA Platform code issue vulnerability | Pega Platform | 7.7 | High | 2024-03-14
CVE-2024-28198 | XML external entity (XXE) injection in OpenOLAT | OpenOLAT | 4.6 | Medium | 2024-03-11
CVE-2023-25926 | IBM Security Guardium Key Lifecycle Manager XML external entity injection | Security Guardium Key Lifecycle Manager | 5.5 | Medium | 2024-02-29
CVE-2023-50380 | Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server | Apache Ambari | 8.1 | - | 2024-02-27
CVE-2024-25129 | Limited data exfiltration in CodeQL CLI | codeql-cli-binaries | 2.7 | Low | 2024-02-22
CVE-2024-25606 | Liferay Portal and Liferay DXP security vulnerability | Portal | 8.0 | High | 2024-02-20
CVE-2024-24743 | XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) | SAP NetWeaver AS Java (Guided Procedures) | 8.6 | High | 2024-02-13
CVE-2023-32327 | IBM Security Access Manager Container XML external entity injection | Security Verify Access Appliance | 7.1 | High | 2024-02-03
CVE-2024-1167 | SEW-EURODRIVE MOVITOOLS MotionStudio Improper Restriction of XML External Entity Reference | MOVITOOLS MotionStudio | 5.5 | Medium | 2024-02-01
CVE-2023-4554 | XML External Entity (XXE) Processing | AppBuilder | 4.9 | Medium | 2024-01-29
CVE-2023-45139 | fonttools XML External Entity Injection (XXE) Vulnerability | fonttools | 7.5 | High | 2024-01-10
CVE-2023-6149 | Possible XXE vulnerability in Jenkins Plugin for Qualys Web Application Security | Web App Scanning Connector Jenkins Plugin | 5.7 | Medium | 2024-01-09
CVE-2023-6147 | Possible XXE vulnerability in Jenkins Plugin for Qualys Policy Compliance | Policy Compliance Connector Jenkins Plugin | 5.7 | Medium | 2024-01-09
CVE-2023-6280 | XML External Entity Reference on 52North WPS | 52North WPS | 7.2 | High | 2023-12-19
CVE-2023-6836 | WSO2 API Manager security vulnerability | WSO2 API Manager | 4.6 | Medium | 2023-12-15
CVE-2023-6721 | Improper Restriction of XML External Entity Reference in Repox | Repox | 8.3 | High | 2023-12-13
CVE-2023-6194 | Eclipse Memory Analyzer code issue vulnerability | Eclipse Memory Analyzer (tools.mat) | 2.8 | Low | 2023-12-11
CVE-2023-49733 | Apache Cocoon's StreamGenerator is vulnerable to XXE injection | Apache Cocoon | 7.5 | - | 2023-11-30
CVE-2023-22274 | ZDI-CAN-21305: Adobe RoboHelp Server UpdateCommandStream XML External Entity Processing Information Disclosure Vulnerability | RoboHelp | 7.5 | High | 2023-11-17
CVE-2023-46590 | Siemens OPC UA Modelling Editor security vulnerability | Siemens OPC UA Modelling Editor (SiOME) | 7.5 | High | 2023-11-14
CVE-2023-4218 | XXE in eclipse.platform / Eclipse IDE | Eclipse IDE | 5.0 | Medium | 2023-11-09
CVE-2023-5136 | Incorrect Permission Assignment in the TopoGrafix DataPlugin for GPX | TopoGrafix DataPlugin for GPX | 5.5 | Medium | 2023-11-08
CVE-2023-43067 | Dell Unity code issue vulnerability | Unity | 4.9 | Medium | 2023-10-23

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) represent 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.