CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
page 29 of 35

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3878 | — | | 0.00 | — | 0.02 | | Oct 15, 2021 | corenlp is vulnerable to Improper Restriction of XML External Entity Reference |
| CVE-2021-3312 | — | | 0.00 | — | 0.01 | | Oct 8, 2021 | An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document. |
| CVE-2021-41098 | | | 0.00 | — | 0.02 | | Sep 27, 2021 | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of… |
| CVE-2021-39239 | | | 0.00 | — | 0.04 | | Sep 16, 2021 | A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server. |
| CVE-2021-38555 | | | 0.00 | — | 0.03 | | Sep 11, 2021 | An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an… |
| CVE-2021-21680 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. |
| CVE-2021-39371 | — | | 0.00 | — | 0.02 | | Aug 23, 2021 | An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected. |
| CVE-2020-18705 | — | | 0.00 | — | 0.03 | | Aug 16, 2021 | XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. |
| CVE-2020-18703 | — | | 0.00 | — | 0.03 | | Aug 16, 2021 | XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'. |
| CVE-2021-23418 | — | | 0.00 | — | 0.02 | | Jul 29, 2021 | The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks. |
| CVE-2021-21672 | | | 0.00 | — | 0.43 | | Jun 30, 2021 | Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-25951 | — | | 0.00 | — | 0.01 | | Jun 30, 2021 | XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. |
| CVE-2021-29620 | | | 0.00 | — | 0.02 | | Jun 23, 2021 | Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a… |
| CVE-2021-21669 | | | 0.00 | — | 0.26 | | Jun 18, 2021 | Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-33813 | — | | 0.00 | — | 0.19 | | Jun 16, 2021 | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. |
| CVE-2020-25817 | — | | 0.00 | — | 0.01 | | Jun 8, 2021 | SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user… |
| CVE-2021-21659 | | | 0.00 | — | 0.67 | | May 25, 2021 | Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-21658 | | | 0.00 | — | 0.02 | | May 25, 2021 | Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-21657 | | | 0.00 | — | 0.02 | | May 25, 2021 | Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-21656 | | | 0.00 | — | 0.02 | | May 11, 2021 | Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |