VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base | Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 4 of 35
  • CVE-2025-10183 | Critical | Sep 9, 2025
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. TecConnect 4.1 is considered end-of-life as of December 2023. Users are advised…

  • CVE-2025-31039 | Critical | Jun 9, 2025
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon category-icon allows XML Entity Linking. This issue affects Category Icon: from n/a through <= 1.0.3.

  • CVE-2018-8494 | High | Oct 10, 2018
    risk 0.59 | CVSS 8.8 | EPSS 0.22

    A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019,…

  • CVE-2018-15531 | Critical | Sep 26, 2018
    risk 0.59 | CVSS 9.8 | EPSS 0.28

    JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

  • CVE-2018-13826 | Critical | Aug 30, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to conduct server-side request forgery attacks.

  • CVE-2018-14473 | Critical | Aug 4, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.03

    OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.

  • CVE-2018-11640 | Critical | Jul 3, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    XML External Entity (XXE) vulnerability in the web service in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to read arbitrary files or cause a denial of service (resource consumption).

  • CVE-2017-7465 | Critical | Jun 27, 2018
    risk 0.59 | CVSS 9.0 | EPSS 0.03

    It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of…

  • CVE-2014-0931 | Critical | Apr 20, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.03

    Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) CMI and OSLC-based ClearQuest integrations components in IBM Rational ClearCase…

  • CVE-2018-9116 | Critical | Mar 29, 2018
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.

  • CVE-2017-1383 | Critical | Aug 2, 2017
    risk 0.59 | CVSS 9.1 | EPSS 0.03

    IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155.

  • CVE-2016-6111 | Critical | Mar 31, 2017
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all…

  • CVE-2016-9706 | Critical | Feb 15, 2017
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker SOAP FLOWS is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive…

  • CVE-2016-2908 | Critical | Feb 1, 2017
    risk 0.59 | CVSS 9.1 | EPSS 0.03

    IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause…

  • CVE-2016-7460 | Critical | Dec 29, 2016
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in…

  • CVE-2016-9180 | Critical | Dec 22, 2016
    risk 0.59 | CVSS 9.1 | EPSS 0.04

    perl-XML-Twig: The `expand_external_ents` option, documented as controlling external entity expansion in XML::Twig, does not work. External entities are always expanded, regardless of the option's setting.

  • CVE-2012-3363 | Critical | Feb 13, 2013
    risk 0.59 | CVSS 9.1 | EPSS 0.50

    Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC…

  • CVE-2012-2239 | Critical | Nov 24, 2012
    risk 0.59 | CVSS 9.1 | EPSS 0.02

    Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.

  • CVE-2024-22218 | High | Aug 15, 2024
    risk 0.58 | CVSS 8.8 | EPSS 0.01

    XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which could lead to various actions such as accessing the underlying server, remote code…

  • CVE-2017-9096 | High | Nov 8, 2017
    risk 0.58 | CVSS 8.8 | EPSS 0.10

    The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.