VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base. Status: Draft.

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684), page 29 of 35
  • CVE-2021-3878 (Oct 15, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    corenlp is vulnerable to Improper Restriction of XML External Entity Reference

  • CVE-2021-3312 (Oct 8, 2021)
    risk 0.00 | cvss (not listed) | epss 0.01

    An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.

  • CVE-2021-41098 (Sep 27, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of…

  • CVE-2021-39239 (Sep 16, 2021)
    risk 0.00 | cvss (not listed) | epss 0.04

    A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

  • CVE-2021-38555 (Sep 11, 2021)
    risk 0.00 | cvss (not listed) | epss 0.03

    An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an…

  • CVE-2021-21680 (Aug 31, 2021)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

  • CVE-2021-39371 (Aug 23, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.

  • CVE-2020-18705 (Aug 16, 2021)
    risk 0.00 | cvss (not listed) | epss 0.03

    XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.

  • CVE-2020-18703 (Aug 16, 2021)
    risk 0.00 | cvss (not listed) | epss 0.03

    XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.

  • CVE-2021-23418 (Jul 29, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.

  • CVE-2021-21672 (Jun 30, 2021)
    risk 0.00 | cvss (not listed) | epss 0.43

    Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-25951 (Jun 30, 2021)
    risk 0.00 | cvss (not listed) | epss 0.01

    XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.

  • CVE-2021-29620 (Jun 23, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api, XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a…

  • CVE-2021-21669 (Jun 18, 2021)
    risk 0.00 | cvss (not listed) | epss 0.26

    Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-33813 (Jun 16, 2021)
    risk 0.00 | cvss (not listed) | epss 0.19

    An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

  • CVE-2020-25817 (Jun 8, 2021)
    risk 0.00 | cvss (not listed) | epss 0.01

    SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user…

  • CVE-2021-21659 (May 25, 2021)
    risk 0.00 | cvss (not listed) | epss 0.67

    Jenkins URLTrigger Plugin 0.48 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-21658 (May 25, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-21657 (May 25, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    Jenkins Filesystem Trigger Plugin 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-21656 (May 11, 2021)
    risk 0.00 | cvss (not listed) | epss 0.02

    Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.