CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
page 28 of 35

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-28140 | | | 0.00 | — | 0.01 | | Mar 29, 2022 | Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-43090 | | | 0.00 | — | 0.02 | | Mar 25, 2022 | An XML External Entity (XXE) vulnerability exists in soa-model before 1.6.4 in the WSDLParser function. |
| CVE-2022-27201 | | | 0.00 | — | 0.01 | | Mar 15, 2022 | Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file… |
| CVE-2022-27193 | | | 0.00 | — | 0.01 | | Mar 15, 2022 | CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter. |
| CVE-2022-26661 | | | 0.00 | — | 0.01 | | Mar 7, 2022 | An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through… |
| CVE-2022-25312 | | | 0.00 | — | 0.03 | | Mar 4, 2022 | An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with… |
| CVE-2022-0839 | | | 0.00 | — | 0.03 | | Mar 4, 2022 | Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. |
| CVE-2022-0265 | | | 0.00 | — | 0.03 | | Mar 3, 2022 | Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. |
| CVE-2022-23640 | | | 0.00 | — | 0.01 | | Mar 2, 2022 | Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a… |
| CVE-2022-25209 | | | 0.00 | — | 0.01 | | Feb 15, 2022 | Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-46365 | | | 0.00 | — | 0.02 | | Feb 11, 2022 | An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file. |
| CVE-2022-0219 | | | 0.00 | — | 0.01 | | Jan 20, 2022 | Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. |
| CVE-2022-0198 | | | 0.00 | — | 0.01 | | Jan 13, 2022 | corenlp is vulnerable to Improper Restriction of XML External Entity Reference |
| CVE-2021-23463 | | | 0.00 | — | 0.03 | | Dec 10, 2021 | The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource()… |
| CVE-2021-43577 | | | 0.00 | — | 0.01 | | Nov 12, 2021 | Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-43576 | | | 0.00 | — | 0.02 | | Nov 12, 2021 | Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets… |
| CVE-2021-21701 | | | 0.00 | — | 0.02 | | Nov 12, 2021 | Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-26705 | | | 0.00 | — | 0.01 | | Oct 31, 2021 | The parseXML function in Easy-XML 0.5.0 was discovered to have a XML External Entity (XXE) vulnerability which allows for an attacker to expose sensitive data or perform a denial of service (DOS) via a crafted external entity entered into the XML content as input. |
| CVE-2020-25911 | | | 0.00 | — | 0.02 | | Oct 31, 2021 | A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS). |
| CVE-2021-3869 | | | 0.00 | — | 0.01 | | Oct 19, 2021 | corenlp is vulnerable to Improper Restriction of XML External Entity Reference |