VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base / Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 18 of 35
  • CVE-2018-5434 | Med | Jun 13, 2018
    risk 0.38 | cvss 5.8 | epss 0.01

    The TIBCO Designer component of TIBCO Software Inc.'s TIBCO Runtime Agent, and TIBCO Runtime Agent for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to disclose host machine information. Affected releases are…

  • CVE-2017-6344 | Med | Feb 27, 2017
    risk 0.38 | cvss 5.9 | epss 0.01

    XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document.

  • CVE-2016-7458 | Med | Dec 29, 2016
    risk 0.38 | cvss 5.8 | epss 0.01

    VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

  • CVE-2018-0414 | Med | Oct 5, 2018
    risk 0.37 | cvss 5.7 | epss 0.02

    A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an…

  • CVE-2017-8710 | Med | Sep 13, 2017
    risk 0.37 | cvss 5.5 | epss 0.10

    The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input…

  • CVE-2026-6807 | Med | Apr 28, 2026
    risk 0.36 | cvss 5.5 | epss 0.00

    A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.

  • CVE-2025-15251 | Med | Dec 30, 2025
    risk 0.36 | cvss 5.6 | epss 0.00

    A vulnerability was detected in beecue FastBee up to 2.1. Impacted is the function getRootElement of the file springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java of the component SIP Message Handler. The manipulation results in…

  • CVE-2025-57704 | Med | Aug 26, 2025
    risk 0.36 | cvss 5.5 | epss 0.00

    Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability.

  • CVE-2025-40584 | Med | Aug 12, 2025
    risk 0.36 | cvss 5.5 | epss 0.00

    A vulnerability has been identified in SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions < V5.7 SP1 HF1), SIMOTION SCOUT V5.4 (All versions), SIMOTION SCOUT…

  • CVE-2024-12298 | Med | Jan 14, 2025
    risk 0.36 | cvss 5.5 | epss 0.00

    We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.

  • CVE-2024-49704 | Med | Dec 10, 2024
    risk 0.36 | cvss 5.5 | epss 0.00

    A vulnerability has been identified in COMOS V10.3 (All versions < V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions < V10.4.3.0.47), COMOS V10.4.4 (All versions < V10.4.4.2), COMOS V10.4.4.1 (All…

  • CVE-2018-10077 | Med | Apr 20, 2018
    risk 0.36 | cvss 4.9 | epss 0.08

    XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.

  • CVE-2018-1000069 | Med | Mar 13, 2018
    risk 0.36 | cvss 5.5 | epss 0.02

    FreePlane version 1.5.9 and earlier contains a XML External Entity (XXE) vulnerability in XML Parser in mindmap loader that can result in stealing data from victim's machine. This attack appears to require the victim to open a specially crafted mind map file. This vulnerability…

  • CVE-2017-8557 | Med | Jul 11, 2017
    risk 0.36 | cvss 5.5 | epss 0.02

    Windows System Information Console in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an information disclosure vulnerability improperly parses XML…

  • CVE-2017-7457 | Med | Apr 14, 2017
    risk 0.36 | cvss 5.0 | epss 0.02

    XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 result in remote file disclosure.

  • CVE-2016-5749 | Med | Mar 23, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack.

  • CVE-2016-5748 | Med | Mar 23, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.

  • CVE-2016-9318 | Med | Nov 16, 2016
    risk 0.36 | cvss 5.5 | epss 0.03

    libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE)…

  • CVE-2016-5000 | Med | Aug 5, 2016
    risk 0.36 | cvss 5.5 | epss 0.04

    The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

  • CVE-2012-5656 | Med | Jan 18, 2013
    risk 0.36 | cvss 5.5 | epss 0.01

    The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.