CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
page 25 of 35

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-38490 | | | 0.00 | — | 0.02 | | Jul 27, 2023 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby… |
| CVE-2023-37942 | | | 0.00 | — | 0.01 | | Jul 12, 2023 | Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-26708 | | — | 0.00 | — | 0.01 | | Jun 29, 2023 | requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. |
| CVE-2020-26710 | | — | 0.00 | — | 0.01 | | Jun 29, 2023 | easy-parse v0.1.1 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. |
| CVE-2020-26709 | | — | 0.00 | — | 0.01 | | Jun 29, 2023 | py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. |
| CVE-2023-3276 | | | 0.00 | — | 0.01 | | Jun 15, 2023 | A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The… |
| CVE-2023-34411 | | — | 0.00 | — | 0.01 | | Jun 5, 2023 | The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9. |
| CVE-2023-28684 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-28683 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-28682 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-28681 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-28680 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2018-25082 | | — | 0.00 | — | 0.01 | | Mar 21, 2023 | A vulnerability was found in zwczou WeChat SDK Python 0.3.0 and classified as critical. This issue affects the function validate/to_xml. The manipulation leads to xml external entity reference. The attack may be initiated remotely. Upgrading to version 0.5.5 is able to address… |
| CVE-2023-28685 | | | 0.00 | — | 0.01 | | Mar 21, 2023 | Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2023-27476 | | | 0.00 | — | 0.01 | | Mar 7, 2023 | OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to… |
| CVE-2023-27480 | | | 0.00 | — | 0.01 | | Mar 7, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the… |
| CVE-2023-26043 | | — | 0.00 | — | 0.01 | | Feb 27, 2023 | GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been… |
| CVE-2016-15026 | | — | 0.00 | — | 0.01 | | Feb 20, 2023 | A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrading to version 1.18 is able to address… |
| CVE-2014-125087 | | — | 0.00 | — | 0.01 | | Feb 19, 2023 | A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch… |
| CVE-2023-23926 | | — | 0.00 | — | 0.01 | | Feb 16, 2023 | APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in Neo4j graph database. XML External Entity (XXE)… |