CWE-611: Improper Restriction of XML External Entity Reference (XXE)
1,115 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-611 (page 10 of 23)
- CVE-2020-27017 | MEDIUM | CVSS 4.9 | EG 4.9 | 2020-11-09
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must …
- CVE-2020-27148 | HIGH | CVSS 7.1 | EG 7.1 | 2021-01-12
The TIBCO EBX Add-on for Oracle Hyperion EPM, TIBCO EBX Data Exchange Add-on, and TIBCO EBX Insight Add-on components of TIBCO Software Inc.'s TIBCO EBX Add-ons contain a vulnerability that theoretically allows a low privileged attacker wi…
- CVE-2020-27858 | HIGH | CVSS 7.5 | EG 7.5 | 2021-01-20
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D 16.5. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getNews metho…
- CVE-2020-28387 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-03-15
A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP3). When opening a specially crafted SEECTCXML file, the application could disclose arbitrary files to remote a…
- CVE-2020-28734 | HIGH | CVSS 8.8 | EG 8.8 | 2020-12-30
Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
- CVE-2020-28736 | HIGH | CVSS 8.8 | EG 8.8 | 2020-12-30
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
- CVE-2020-29436 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-12-17
Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0.
- CVE-2020-3256 | MEDIUM | CVSS 4.9 | EG 4.9 | 2020-05-06
A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected syste…
- CVE-2020-3405 | HIGH | CVSS 7.3 | EG 7.3 | 2020-07-16
A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling o…
- CVE-2020-35123 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-12-17
In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the SAML consumer store extension, which is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suit…
- CVE-2020-35604 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-12-21
An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used.
- CVE-2020-36124 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access t…
- CVE-2020-36640 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-01-05
A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException of the file src/main/java/org/bonitasoft/connectors/ws/Secur…
- CVE-2020-36641 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-01-05
A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml exte…
- CVE-2020-37192 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-02-11
MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. Attackers can exploit the 'Favorites' tab by injecting a malicious XML file that…
- CVE-2020-4246 | HIGH | CVSS 7.1 | EG 7.1 | 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume …
- CVE-2020-4300 | HIGH | CVSS 8.2 | EG 8.2 | 2021-06-01
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM…
- CVE-2020-4377 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM …
- CVE-2020-4462 | HIGH | CVSS 8.2 | EG 8.2 | 2020-07-16
IBM Sterling External Authentication Server 6.0.1, 6.0.0, 2.4.3.2, and 2.4.2 and IBM Sterling Secure Proxy 6.0.1, 6.0.0, 3.4.3, and 3.4.2 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote at…
- CVE-2020-4463 | HIGH | CVSS 8.2 | EG 9.0 | 2020-07-29
IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory r…
- CVE-2020-4481 | HIGH | CVSS 8.2 | EG 8.2 | 2020-08-05
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information o…
- CVE-2020-4509 | HIGH | CVSS 7.6 | EG 7.6 | 2020-06-04
IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Forc…
- CVE-2020-4510 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-07-14
IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Forc…
- CVE-2020-4606 | MEDIUM | CVSS 4.4 | EG 4.4 | 2021-01-08
IBM Security Verify Privilege Manager 10.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A local attacker could exploit this vulnerability to expose sensitive information or consume memory resourc…
- CVE-2020-4643 | HIGH | CVSS 7.5 | EG 7.5 | 2020-09-21
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Forc…
- CVE-2020-4772 | HIGH | CVSS 8.1 | EG 8.1 | 2020-10-12
An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. A remote attacker could exploit this vulnerability to expose sensitive information, denial of service, server side reques…
- CVE-2020-4875 | HIGH | CVSS 8.2 | EG 8.2 | 2022-01-21
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory …
- CVE-2020-4876 | HIGH | CVSS 8.2 | EG 8.2 | 2022-01-21
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory …
- CVE-2020-4949 | HIGH | CVSS 8.2 | EG 8.2 | 2021-01-26
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume …
- CVE-2020-5003 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-06-11
IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources…
- CVE-2020-5013 | HIGH | CVSS 8.1 | EG 8.1 | 2021-05-05
IBM QRadar SIEM 7.3 and 7.4 may be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Forc…
- CVE-2020-5323 | MEDIUM | CVSS 5.4 | EG 8.1 | 2021-07-19
Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain an injection vulnerability. A remote authenticated malicious user with low privileges could potentially …
- CVE-2020-5602 | HIGH | CVSS 7.5 | EG 7.5 | 2020-06-30
Mitsubishi Electric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT20…
- CVE-2020-6187 | MEDIUM | CVSS 4.9 | EG 4.9 | 2020-02-12
SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service.
- CVE-2020-6202 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-10
SAP NetWeaver Application Server Java (User Management Engine), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading t…
- CVE-2020-6238 | CRITICAL | CVSS 9.3 | EG 9.3 | 2020-04-14
SAP Commerce, versions 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.
- CVE-2020-6590 | HIGH | CVSS 7.5 | EG 7.5 | 2021-04-08
Forcepoint Web Security Content Gateway versions prior to 8.5.4 improperly process XML input, leading to information disclosure.
- CVE-2020-6958 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-01-14
An XXE vulnerability in JnlpSupport in Yet Another Java Service Wrapper (YAJSW) 12.14, as used in NSA Ghidra and other products, allows attackers to exfiltrate data from remote hosts and potentially cause denial-of-service.
- CVE-2020-7032 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-11-13
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Av…
- CVE-2020-7035 | HIGH | CVSS 8.1 | EG 6.5 | 2021-04-23
An XML External Entities (XXE) vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The aff…
- CVE-2020-7036 | HIGH | CVSS 8.1 | EG 6.5 | 2021-04-23
An XML External Entities (XXE) vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist include all 4.0…
- CVE-2020-7037 | HIGH | CVSS 8.1 | EG 8.1 | 2021-04-28
An XML External Entities (XXE) vulnerability in Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system or even potentially …
- CVE-2020-7572 | HIGH | CVSS 8.8 | EG 8.8 | 2020-11-19
A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could allow an authenticated remote user to inject arbitrary XML code and obtain …
- CVE-2020-8256 | MEDIUM | CVSS 4.9 | EG 4.9 | 2020-09-30
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.
- CVE-2020-8540 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-11
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted D…
- CVE-2020-8541 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-06-16
OX App Suite through 7.10.3 allows XXE attacks.
- CVE-2020-9044 | HIGH | CVSS 7.5 | EG 7.5 | 2020-03-10
An XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite…
- CVE-2020-9352 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parame…
- CVE-2021-1369 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-04-29
A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device. This vulnerability is …
- CVE-2021-1483 | MEDIUM | CVSS 6.4 | EG 6.4 | 2024-11-15
A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. This vulnerability is due to improper han…