CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class (424 CVEs)

424 vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI Chinese analysis included.

CWE-611 is a critical input validation weakness in which an application improperly processes XML documents that contain external entity references. Attackers typically exploit it by submitting XML whose DTD declares entities pointing at local files, remote servers, or internal network resources; when the parser resolves those URIs, the attacker can read sensitive system files, perform server-side request forgery, or trigger denial of service. To mitigate this risk, developers must disable XML external entity processing in their parsers. Strict input validation, XML libraries that block external entities by default, and parser configurations that reject any DTD or entity definitions are the essential defensive measures. When XML processors handle only expected, internal content, these injection attacks cannot read unauthorized data or compromise the integrity of the system.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.

Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
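The mitigation above, applied in practice. What follows is an added example written for this page, not code from MITRE or from any product listed below, and it uses only the Python standard library. `xml.etree.ElementTree` already refuses to expand external entities, but the stronger recommendation in the summary is to reject any DTD at all: entities, internal or external, can only be declared inside one. The parser target below hooks the DOCTYPE declaration and aborts the parse before a single entity is declared, which also covers the nested-entity resource-consumption case from the consequences list. The class and function names (`DoctypeRejectingTarget`, `parse_untrusted_xml`, `parse_outcome`, `UnsafeXMLError`) and every sample document, including the `file:///constructed/example.txt` URI, are constructed for the demonstration.

```python
"""Refuse any XML document that carries a DTD, before the parser can act on it.

Added example for this page (not code from the page, MITRE, or any listed
vendor). Standard library only: ElementTree's parser lets a custom target
observe the <!DOCTYPE ...> declaration, so the parse fails right there,
before any entity is declared, let alone resolved. All sample documents
below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document is refused on security grounds."""


class DoctypeRejectingTarget:
    """Parser target that builds a tree but aborts on any DOCTYPE.

    Entities (internal or external) can only be declared inside a DTD, so
    refusing the DOCTYPE declaration blocks XXE file reads, out-of-band
    HTTP fetches and recursive-entity CPU/memory exhaustion in one place.
    """

    def __init__(self):
        self._builder = ET.TreeBuilder()

    def doctype(self, name, pubid, system):
        # Called as soon as the parser sees <!DOCTYPE ...>, before the
        # internal subset is read; raising here aborts the whole parse.
        raise UnsafeXMLError(
            f"DOCTYPE not allowed in untrusted input (root={name!r}, system={system!r})"
        )

    # Everything else is delegated to the standard TreeBuilder.
    def start(self, tag, attrs):
        return self._builder.start(tag, attrs)

    def end(self, tag):
        return self._builder.end(tag)

    def data(self, text):
        return self._builder.data(text)

    def close(self):
        return self._builder.close()


def parse_untrusted_xml(document):
    """Parse str/bytes XML from an untrusted source; any DTD is refused."""
    parser = ET.XMLParser(target=DoctypeRejectingTarget())
    parser.feed(document)
    return parser.close()


def parse_outcome(document):
    """Return 'accepted', 'rejected-dtd' or 'rejected-malformed' for a document."""
    try:
        parse_untrusted_xml(document)
    except UnsafeXMLError:
        return "rejected-dtd"
    except ET.ParseError:
        return "rejected-malformed"
    return "accepted"


# Constructed samples: a benign business document, a document declaring an
# external entity (the CWE-611 pattern), and one with nested internal
# entities (the resource-consumption pattern). Only the first should parse.
BENIGN = b'<?xml version="1.0"?><order id="42"><item sku="A1" qty="2"/></order>'
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/example.txt">]>'
    b'<order>&ext;</order>'
)
NESTED_ENTITIES = (
    b'<!DOCTYPE order [<!ENTITY a "x"><!ENTITY b "&a;&a;">]>'
    b'<order>&b;</order>'
)

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
               ("nested entities", NESTED_ENTITIES)]
    for label, doc in samples:
        print(f"{label:16s} -> {parse_outcome(doc)}")
```

The same policy in Java, where many of the products listed below live, is the `http://apache.org/xml/features/disallow-doctype-decl` feature set to `true` on `DocumentBuilderFactory` or `SAXParserFactory`; whichever parser is in use, the check to run is that a document with a DOCTYPE is refused outright, not merely parsed with its entities left unexpanded.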
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2023-36419 | Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability — Azure HDInsight | 8.8 | High | 2023-10-10
CVE-2023-41365 | Information Disclosure vulnerability in SAP Business One (B1i) — SAP Business One (B1i) | 4.3 | Medium | 2023-10-10
CVE-2023-45612 | JetBrains Ktor code issue vulnerability — Ktor | 8.6 | High | 2023-10-09
CVE-2023-42445 | Possible local file exfiltration by XML External entity injection — gradle | 6.8 | Medium | 2023-10-06
CVE-2023-3892 | Unsafe XML parsing of 3rd party DICOM private tags may lead to XXE — MIM Assistant | 5.6 | Medium | 2023-09-19
CVE-2023-41369 | External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) — SAP S/4HANA (Create Single Payment application) | 3.5 | Low | 2023-09-12
CVE-2023-35892 | IBM Financial Transaction Manager for SWIFT Services XML external entity injection — Financial Transaction Manager for SWIFT Services | 7.1 | High | 2023-09-04
CVE-2023-41034 | DDFFileParser in eclipse leshan is vulnerable to XXE Attacks — leshan | 6.5 | Medium | 2023-08-31
CVE-2022-46751 | Apache Ivy: XML External Entity vulnerability in Apache Ivy — Apache Ivy | 8.6 | - | 2023-08-21
CVE-2023-0871 | An XML External Entity injection vulnerability — Horizon | 5.4 | Medium | 2023-08-11
CVE-2023-35389 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability — Microsoft Dynamics 365 (on-premises) version 9.0 | 6.5 | Medium | 2023-08-08
CVE-2020-26064 | Cisco SD-WAN vManage code issue vulnerability — Cisco SD-WAN vManage | 7.3 | - | 2023-08-04
CVE-2023-30951 | CVE-2023-30951 — com.palantir.magritte:magritte-rest-source-bundle | 6.3 | Medium | 2023-08-03
CVE-2023-38490 | Kirby XML External Entity (XXE) vulnerability in the XML data handler — kirby | 6.8 | Medium | 2023-07-27
CVE-2023-37200 | Schneider Electric EcoStruxure OPC UA Server Expert code issue vulnerability — EcoStruxure OPC UA Server Expert | 5.5 | Medium | 2023-07-12
CVE-2023-3113 | Lenovo XClarity Administrator code issue vulnerability — Lenovo XClarity Administrator | 8.2 | High | 2023-06-26
CVE-2023-3276 | Dromara HuTool XML Parsing Module XmlUtil.java readBySax xml external entity reference — HuTool | 5.5 | Medium | 2023-06-15
CVE-2023-32706 | Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication — Splunk Enterprise | 7.7 | High | 2023-06-01
CVE-2023-2806 | Weaver e-cology API RequestInfoByXml xml external entity reference — e-cology | 5.5 | Medium | 2023-05-19
CVE-2023-20174 | Cisco Identity Services Engine XML External Entity Injection Vulnerabilities — Cisco Identity Services Engine Software | 4.9 | Medium | 2023-05-18
CVE-2023-20173 | Cisco Identity Services Engine XML External Entity Injection Vulnerabilities — Cisco Identity Services Engine Software | 4.9 | Medium | 2023-05-18
CVE-2023-2161 | Schneider Electric OPC Factory Server code issue vulnerability — OPC Factory Server (OFS) | 5.0 | Medium | 2023-05-16
CVE-2023-27554 | IBM WebSphere Application Server XML external entity injection — WebSphere Application Server | 6.3 | Medium | 2023-05-11
CVE-2022-45876 | CVE-2022-45876 — VBASE | 5.5 | - | 2023-04-26
CVE-2023-28828 | Siemens Polarion code issue vulnerability — Polarion ALM | 5.9 | Medium | 2023-04-11
CVE-2023-27876 | IBM TRIRIGA Application Platform XML external entity injection — TRIRIGA Application Platform | 7.1 | High | 2023-04-07
CVE-2023-20030 | Cisco Identity Services Engine XML External Entity Injection Vulnerability — Cisco Identity Services Engine Software | 6.0 | Medium | 2023-04-05
CVE-2022-43941 | Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference — Pentaho Business Analytics Server | 7.1 | High | 2023-04-03
CVE-2022-43473 | ManageEngine OpManager code issue vulnerability — OpManager | 5.8 | Medium | 2023-03-30
CVE-2022-36969 | AVEVA Edge code issue vulnerability — Edge | 5.5 | - | 2023-03-29

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) number 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.