CWE-611— Improper Restriction of XML External Entity Reference (XXE)
947 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-611page 1 of 19
- CVE-2011-3600HIGHCVSS 7.5EG 7.52019-11-26
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it c…
- CVE-2012-1102HIGHCVSS 7.5EG 7.52021-07-09
It was discovered that the XML::Atom Perl module before version 0.39 did not disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected resources, depe…
- CVE-2012-2656HIGHCVSS 7.5EG 7.52019-12-18
An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtain sensitive information.
- CVE-2013-4333CRITICALCVSS 9.1EG 9.12020-01-24
OpenPNE 3 versions 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5 has an External Entity Injection Vulnerability
- CVE-2013-4334CRITICALCVSS 9.8EG 9.82020-02-07
opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities
- CVE-2014-0931CRITICALCVSS 9.12018-04-20
Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) CMI and OSLC-based ClearQuest integration…
- CVE-2014-0950HIGHCVSS 7.12018-04-20
Multiple XML external entity (XXE) vulnerabilities in (1) CQWeb / CM Server, (2) ClearQuest Native client, (3) ClearQuest Eclipse client, and (4) ClearQuest Eclipse Designer components in IBM Rational ClearQuest 7.1.1 through 7.1.1.9, 7.1.…
- CVE-2014-125087MEDIUMCVSS 5.5EG 5.52023-02-19
A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to ad…
- CVE-2014-2052CRITICALCVSS 9.8EG 9.82020-02-11
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
- CVE-2014-2296HIGHCVSS 8.82018-07-20
XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass auth…
- CVE-2014-3005CRITICALCVSS 9.82018-02-01
XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a cra…
- CVE-2014-3244CRITICALCVSS 9.82018-02-01
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
- CVE-2014-3599MEDIUMCVSS 6.5EG 6.52019-11-12
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
- CVE-2014-3643HIGHCVSS 7.5EG 7.52019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
- CVE-2014-3990CRITICALCVSS 9.82018-03-20
The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitra…
- CVE-2014-5238HIGHCVSS 7.8EG 7.82020-01-14
XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text docu…
- CVE-2015-10029MEDIUMCVSS 5.5EG 5.52023-01-07
A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file simplexrd/simplexrd.class.php. The manipulation leads to xml external entity reference. Upgrading to…
- CVE-2015-10082MEDIUMCVSS 5.5EG 9.82023-02-21
A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The …
- CVE-2015-1809HIGHCVSS 7.5EG 7.52020-01-15
XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.
- CVE-2015-1811HIGHCVSS 7.5EG 7.52020-01-15
XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.
- CVE-2015-3907CRITICALCVSS 9.82019-07-03
CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks.
- CVE-2015-7461MEDIUMCVSS 6.52018-03-20
XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and earlier, 4.0, 4.5, and 5.0 before CR4 allows remote authenticated users to cause a denial of service (memory consumption) via crafted XML data. IBM X-Force ID: 108357.
- CVE-2015-7968MEDIUMCVSS 4.3EG 4.32020-03-09
nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.
- CVE-2015-8031CRITICALCVSS 9.8EG 9.82022-07-18
Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks.
- CVE-2015-8549HIGHCVSS 7.1EG 7.12020-01-15
XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.
- CVE-2015-9280CRITICALCVSS 10.02019-01-16
MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.
- CVE-2016-0219MEDIUMCVSS 6.52018-01-16
XML external entity (XXE) vulnerability in IBM Rational Team Concert 3.0 before 3.0.1.6 iFix7 Interim Fix 1, 4.0 before 4.0.7 iFix10, 5.0 before 5.0.2 iFix15, and 6.0 before 6.0.1 iFix4 allows remote authenticated users to cause a denial o…
- CVE-2016-0250MEDIUMCVSS 5.42018-03-12
XML external entity (XXE) vulnerability in IBM InfoSphere Information Governance Catalog 11.3 before 11.3.1.2 and 11.5 before 11.5.0.1 allows remote authenticated users to read arbitrary files or cause a denial of service via crafted XML d…
- CVE-2016-0268MEDIUMCVSS 4.32018-03-09
XML external entity (XXE) vulnerability in IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Platform 2.1.1.2 and 3.0.0.x before fp0013, Financial Transaction Manager (FTM) for Check Services for Multi-Platform 2.1.1.2 and…
- CVE-2016-0369LOWCVSS 2.72018-02-21
XML external entity (XXE) vulnerability in IBM Forms Experience Builder 8.5, 8.5.1, and 8.6 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 112088.
- CVE-2016-15011MEDIUMCVSS 5.5EG 5.52023-01-06
A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java.…
- CVE-2016-15026MEDIUMCVSS 5.3EG 5.32023-02-20
A vulnerability was found in 3breadt dd-plist 1.17 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. An attack has to be approached locally. Upgrad…
- CVE-2016-8526HIGHCVSS 8.82018-08-06
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to co…
- CVE-2016-9487HIGHCVSS 7.82018-07-13
EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, o…
- CVE-2016-9491MEDIUMCVSS 4.92018-07-13
ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Appl…
- CVE-2017-1000477HIGHCVSS 7.52018-01-03
XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.
- CVE-2017-1000496HIGHCVSS 8.82018-01-03
Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.
- CVE-2017-1000497CRITICALCVSS 9.82018-01-03
Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution
- CVE-2017-1000498HIGHCVSS 7.82018-01-03
AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution
- CVE-2017-14699MEDIUMCVSS 6.52018-01-29
Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U…
- CVE-2017-15691MEDIUMCVSS 6.52018-04-26
In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE…
- CVE-2017-15725HIGHCVSS 7.5EG 7.52019-10-28
An XML External Entity Injection vulnerability exists in Dzone AnswerHub.
- CVE-2017-16349HIGHCVSS 8.12018-08-02
An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial …
- CVE-2017-1666HIGHCVSS 8.12018-01-09
IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory…
- CVE-2017-1758HIGHCVSS 7.12018-02-21
IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to a XML Exter…
- CVE-2017-17762HIGHCVSS 7.52018-08-29
XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.
- CVE-2017-18110MEDIUMCVSS 6.52019-03-29
The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.
- CVE-2017-18111HIGHCVSS 8.72019-03-29
The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAut…
- CVE-2017-18197CRITICALCVSS 9.82018-02-24
In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView.
- CVE-2017-18438MEDIUMCVSS 6.3EG 6.32019-08-02
cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).
Map vulnerabilities like CWE-611 to your infrastructure
EchelonGraph correlates every CVE — across CWE-611 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →