VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Base, Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 25 of 35
  • CVE-2023-38490 (Jul 27, 2023)
    risk 0.00, cvss n/a, epss 0.02

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby…

  • CVE-2023-37942 (Jul 12, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-26708 (Jun 29, 2023)
    risk 0.00, cvss n/a, epss 0.01

    requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.

  • CVE-2020-26710 (Jun 29, 2023)
    risk 0.00, cvss n/a, epss 0.01

    easy-parse v0.1.1 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.

  • CVE-2020-26709 (Jun 29, 2023)
    risk 0.00, cvss n/a, epss 0.01

    py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.

  • CVE-2023-3276 (Jun 15, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The…

  • CVE-2023-34411 (Jun 5, 2023)
    risk 0.00, cvss n/a, epss 0.01

    The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.

  • CVE-2023-28684 (Mar 23, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-28683 (Mar 23, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-28682 (Mar 23, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-28681 (Mar 23, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-28680 (Mar 23, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2018-25082 (Mar 21, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address…

  • CVE-2023-28685 (Mar 21, 2023)
    risk 0.00, cvss n/a, epss 0.01

    Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-27476 (Mar 7, 2023)
    risk 0.00, cvss n/a, epss 0.01

    OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to…

  • CVE-2023-27480 (Mar 7, 2023)
    risk 0.00, cvss n/a, epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the…

  • CVE-2023-26043 (Feb 27, 2023)
    risk 0.00, cvss n/a, epss 0.01

    GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been…

  • CVE-2016-15026 (Feb 20, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address…

  • CVE-2014-125087 (Feb 19, 2023)
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch…

  • CVE-2023-23926 (Feb 16, 2023)
    risk 0.00, cvss n/a, epss 0.01

    APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in Neo4j graph database. XML External Entity (XXE)…