VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base / Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
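The mechanism behind most entries on this page ("does not configure its XML parser to prevent XXE") is a parser that resolves external entities by default. The added example below is not part of the CWE page or of any project listed on it; it uses only the Python standard library (xml.parsers.expat) to show the vulnerable behaviour next to the hardened form. The file contents, the document samples and the file:///etc/hostname path are constructed for the demonstration; a stand-in dictionary replaces the real filesystem so the example runs offline on any OS.

```python
import xml.parsers.expat

# Constructed stand-in for the local filesystem so the example runs offline on
# any OS. A real resolving parser would open the URI itself; the path is only
# an illustration.
FAKE_FILES = {"file:///etc/hostname": "build-agent-07\n"}

# Constructed sample input: the classic XXE shape, an external general entity
# whose SYSTEM identifier points at a local file, referenced from content.
XXE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data [\n'
    '  <!ENTITY xxe SYSTEM "file:///etc/hostname">\n'
    ']>\n'
    '<data>&xxe;</data>'
)

# Constructed sample input: a small internal-entity expansion ("billion
# laughs" shape), the DoS variant several entries on this page mention.
EXPANSION_DOC = (
    '<!DOCTYPE d [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;">]>'
    '<d>&b;</d>'
)

BENIGN_DOC = '<?xml version="1.0"?><data>hello</data>'


class DoctypeRejected(ValueError):
    """Raised by the hardened parser when a document carries a DTD."""


def _text_parser():
    """Create an expat parser that collects the document's character data."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return parser, chunks


def parse_resolving(xml_text):
    """VULNERABLE: fetch external entities and splice them into the output.

    This is what a parser left in 'resolve entities' mode does: the document
    named by the SYSTEM identifier is pulled in and becomes part of the
    result, which is exactly the CWE-611 failure.
    """
    parser, chunks = _text_parser()

    def fetch_external_entity(context, base, system_id, public_id):
        body = FAKE_FILES.get(system_id, "")  # a real parser reads the file/URL
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = chunks.append
        sub.Parse(body, True)
        return 1  # tell expat the entity was handled; continue parsing

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_hardened(xml_text):
    """HARDENED: refuse any DOCTYPE, so no entity of either kind can be declared.

    Stdlib equivalent of the Java 'disallow-doctype-decl' feature. Rejecting
    the DTD outright stops both external-entity inclusion and internal-entity
    expansion; the external-entity handler stays as a second line of defence.
    """
    parser, chunks = _text_parser()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' rejected: DTDs are not accepted")

    def reject_external(context, base, system_id, public_id):
        raise DoctypeRejected(f"external entity '{system_id}' rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.Parse(xml_text, True)
    return "".join(chunks)


if __name__ == "__main__":
    print("resolving, benign :", parse_resolving(BENIGN_DOC))
    print("resolving, XXE    :", repr(parse_resolving(XXE_DOC)))
    print("resolving, expand :", parse_resolving(EXPANSION_DOC))
    for doc in (XXE_DOC, EXPANSION_DOC):
        try:
            parse_hardened(doc)
        except DoctypeRejected as exc:
            print("hardened rejected :", exc)
```

Refusing the DOCTYPE is the simplest complete fix when the application has no legitimate need for DTDs, which is the usual case for the plugin and library entries listed here. For the Java parsers behind most of them, the equivalent settings are the feature `http://apache.org/xml/features/disallow-doctype-decl` set to true on DocumentBuilderFactory or SAXParserFactory, plus `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` set to the empty string where DTDs must still be accepted; `setExpandEntityReferences(false)` alone is not sufficient, because it does not stop external DTD retrieval.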

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 28 of 35
  • CVE-2022-28140 (Mar 29, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-43090 (Mar 25, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    An XML External Entity (XXE) vulnerability exists in soa-model before 1.6.4 in the WSDLParser function.

  • CVE-2022-27201 (Mar 15, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file…

  • CVE-2022-27193 (Mar 15, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.

  • CVE-2022-26661 (Mar 7, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through…

  • CVE-2022-25312 (Mar 4, 2022)
    risk 0.00 | cvss n/a | epss 0.03

    An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with…

  • CVE-2022-0839 (Mar 4, 2022)
    risk 0.00 | cvss n/a | epss 0.03

    Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

  • CVE-2022-0265 (Mar 3, 2022)
    risk 0.00 | cvss n/a | epss 0.03

    Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1.

  • CVE-2022-23640 (Mar 2, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a…

  • CVE-2022-25209 (Feb 15, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-46365 (Feb 11, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file.

  • CVE-2022-0219 (Jan 20, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.

  • CVE-2022-0198 (Jan 13, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    corenlp is vulnerable to Improper Restriction of XML External Entity Reference.

  • CVE-2021-23463 (Dec 10, 2021)
    risk 0.00 | cvss n/a | epss 0.03

    The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource()…

  • CVE-2021-43577 (Nov 12, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-43576 (Nov 12, 2021)
    risk 0.00 | cvss n/a | epss 0.02

    Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets…

  • CVE-2021-21701 (Nov 12, 2021)
    risk 0.00 | cvss n/a | epss 0.02

    Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-26705 (Oct 31, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    The parseXML function in Easy-XML 0.5.0 was discovered to have an XML External Entity (XXE) vulnerability which allows an attacker to expose sensitive data or perform a denial of service (DoS) via a crafted external entity entered into the XML content as input.

  • CVE-2020-25911 (Oct 31, 2021)
    risk 0.00 | cvss n/a | epss 0.02

    An XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to information disclosure or denial of service (DoS).

  • CVE-2021-3869 (Oct 19, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    corenlp is vulnerable to Improper Restriction of XML External Entity Reference.