VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base
Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
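The description above, and the many entries further down this list that read "does not configure its XML parser to prevent XXE", come down to one parser setting: whether an entity declared with a SYSTEM URI is fetched and inlined into the document. The following is an added example (not VYPR's, MITRE's, or any listed project's code) using Python's standard-library SAX parser, chosen because it exposes both the misconfigured and the hardened form through public API. The secret file, the payload, and the function names `xxe_payload`, `parse_unsafely`, `parse_safely` and `demo` are constructed for the demonstration; CPython 3.7.1 and later default external general entities to off, so the unsafe parser turns the feature on explicitly to reproduce the behaviour of a parser left unconfigured.

```python
"""XXE with Python's stdlib SAX parser: one DOCTYPE payload against a parser
that fetches external general entities and one that refuses DTDs outright."""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class DoctypeRejected(Exception):
    """Raised by the hardened parser as soon as the input carries a DOCTYPE."""


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class RejectDoctype:
    """Lexical handler: expat calls startDTD when it meets <!DOCTYPE ...>.
    Rejecting there blocks every entity declaration, internal or external,
    which is the same posture as Java's disallow-doctype-decl feature."""

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in untrusted input")

    def endDTD(self):
        pass


def xxe_payload(target_path):
    """Classic file-disclosure payload (constructed here): the entity's URI
    resolves outside the document, to a local file the parser can read."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE d [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<d>&xxe;</d>"
    ).encode()


def parse_unsafely(xml_bytes):
    """Misconfigured parser: external general entities are fetched and
    inlined, so &xxe; becomes the target file's contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)  # the bug
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_safely(xml_bytes):
    """Hardened parser: no external entities of either kind, and no DTD at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDoctype())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Plant a secret file in a temp dir, aim the payload at it, run both parsers."""
    secret = "db-password=hunter2"  # constructed sample secret
    with tempfile.TemporaryDirectory() as tmp:
        target = pathlib.Path(tmp) / "config.txt"
        target.write_text(secret)
        payload = xxe_payload(target)
        leaked = parse_unsafely(payload)      # returns the file contents
        try:
            parse_safely(payload)
            blocked = False
        except DoctypeRejected:
            blocked = True                     # payload never reaches the entity
    benign = parse_safely(b"<d>hello</d>")     # DTD-free input still parses
    return {"secret": secret, "leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unsafe parser returning the planted secret as the text of `<d>`, while the hardened parser raises before the entity is even declared. Rejecting the DOCTYPE is the stronger control: merely disabling external entities leaves `&xxe;` expanding to nothing, which is safe against disclosure but still accepts attacker-supplied DTDs (and internal-entity blowup payloads). For the Java parsers behind the Jenkins entries below, the equivalent is enabling `http://apache.org/xml/features/disallow-doctype-decl` on the factory, or at minimum disabling the `external-general-entities` and `external-parameter-entities` features.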

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 30 of 35
  • CVE-2021-21642 (Apr 21, 2021)
    risk 0.00 | cvss n/a | epss 0.38

    Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-28965 (Apr 21, 2021)
    risk 0.00 | cvss n/a | epss 0.05

    The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

  • CVE-2021-29421 (Apr 1, 2021)
    risk 0.00 | cvss n/a | epss 0.02

    models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.

  • CVE-2021-23901 (Jan 25, 2021)
    risk 0.00 | cvss n/a | epss 0.04

    An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's…

  • CVE-2021-23899 (Jan 13, 2021)
    risk 0.00 | cvss n/a | epss 0.02

    OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

  • CVE-2020-28736 (Dec 30, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).

  • CVE-2020-28734 (Dec 30, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

  • CVE-2020-26247 (Dec 30, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be…

  • CVE-2020-25649 (Dec 3, 2020)
    risk 0.00 | cvss n/a | epss 0.18

    A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

  • CVE-2020-2324 (Dec 3, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-29128 (Nov 26, 2020)
    risk 0.00 | cvss n/a | epss 0.02

    petl before 1.68, in some configurations, allows resolution of entities in an XML document.

  • CVE-2020-26229 (Nov 23, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually…

  • CVE-2020-2315 (Nov 4, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2305 (Nov 4, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2304 (Nov 4, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2298 (Oct 8, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-15232 (Oct 2, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    In mapfish-print before version 3.24, a user can perform an XML External Entity (XXE) attack with the provided SDL style.

  • CVE-2020-13940 (Oct 1, 2020)
    risk 0.00 | cvss n/a | epss 0.02

    In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to…

  • CVE-2020-2284 (Sep 23, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-25750 (Sep 18, 2020)
    risk 0.00 | cvss n/a | epss 0.01

    An issue was discovered in DotPlant2 before 2020-09-14. In class Pay2PayPayment in payment/Pay2PayPayment.php, there is an XXE vulnerability in the checkResult function. The user input ($_POST['xml']) is used for simplexml_load_string without sanitization. NOTE: This…