CWE-611: Improper Restriction of XML External Entity Reference (XXE)

1,115 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-611 (page 11 of 23)
- CVE-2021-1530 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-05-06
  A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial denial of service (DoS) condition on an af…
- CVE-2021-1628 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-26
  MuleSoft is aware of a XML External Entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect both CloudHub and on-premise customers. Affected versions: Mule 4.x runtime released before February 2, 2…
- CVE-2021-1630 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-05
  XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.
- CVE-2021-20353 | HIGH | CVSS 8.2 | EG 8.2 | 2021-02-10
  IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume …
- CVE-2021-20399 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-07-27
  IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or con…
- CVE-2021-20453 | HIGH | CVSS 8.2 | EG 8.2 | 2021-04-20
  IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory…
- CVE-2021-20454 | HIGH | CVSS 8.2 | EG 8.2 | 2021-04-21
  IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume m…
- CVE-2021-20482 | HIGH | CVSS 7.1 | EG 7.1 | 2021-03-30
  IBM Cloud Pak for Automation 20.0.2 and 20.0.3 IF002 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume me…
- CVE-2021-20492 | HIGH | CVSS 8.2 | EG 8.2 | 2021-05-26
  IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive informat…
- CVE-2021-20502 | HIGH | CVSS 7.1 | EG 7.1 | 2021-03-30
  IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Fo…
- CVE-2021-20595 | HIGH | CVSS 8.2 | EG 8.2 | 2021-07-13
  Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 …
- CVE-2021-20801 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-10-13
  Cybozu Remote Service 3.1.8 to 3.1.9 allows a remote authenticated attacker to conduct XML External Entity (XXE) attacks and obtain the information stored in the product via unspecified vectors. This issue occurs only when using Mozilla Fi…
- CVE-2021-20838 | HIGH | CVSS 7.5 | EG 7.5 | 2021-11-01
  Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition by processing a specially cra…
- CVE-2021-20839 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-11-01
  Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition to the other servers by proce…
- CVE-2021-21266 | MEDIUM | CVSS 6.4 | EG 6.4 | 2021-02-01
  openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to ret…
- CVE-2021-21470 | MEDIUM | CVSS 4.4 | EG 4.4 | 2021-01-12
  SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in ap…
- CVE-2021-21517 | HIGH | CVSS 7.2 | EG 7.2 | 2021-03-01
  SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potent…
- CVE-2021-21642 | HIGH | CVSS 8.1 | EG 8.1 | 2021-04-21
  Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- CVE-2021-21672 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-06-30
  Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- CVE-2021-21680 | HIGH | CVSS 7.1 | EG 7.1 | 2021-08-31
  Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.
- CVE-2021-21701 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-11-12
  Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
- CVE-2021-22140 | HIGH | CVSS 7.5 | EG 7.5 | 2021-05-13
  Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could c…
- CVE-2021-22158 | HIGH | CVSS 7.2 | EG 7.2 | 2021-04-06
  The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file's encryptio…
- CVE-2021-22338 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-06-29
  There is an XXE injection vulnerability in eCNS280 V100R005C00 and V100R005C10. A module does not perform the strict operation to the input XML message. An attacker can send a specific message to exploit this vulnerability, leading to the modul…
- CVE-2021-22498 | HIGH | CVSS 8.1 | EG 8.1 | 2021-01-19
  XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15…
- CVE-2021-22501 | MEDIUM | CVSS 5.3 | EG 0.0 | 2024-12-19
  Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation. The vulnerability could be exploited to confidential information This issue affects Operations…
- CVE-2021-22523 | HIGH | CVSS 7.6 | EG 7.6 | 2021-07-22
  XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. The vulnerability could allow the control of web browser and hijacking user sessions.
- CVE-2021-23418 | MEDIUM | CVSS 6.3 | EG 6.3 | 2021-07-29
  The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
- CVE-2021-23463 | HIGH | CVSS 8.1 | EG 8.1 | 2021-12-10
  The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML()…
- CVE-2021-23792 | HIGH | CVSS 7.3 | EG 7.3 | 2022-05-06
  The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if t…
- CVE-2021-23899 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-01-13
  OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.
- CVE-2021-23901 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-01-25
  An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an atta…
- CVE-2021-2401 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-07-21
  Vulnerability in the Oracle BI Publisher product of Oracle Fusion Middleware (component: E-Business Suite - XDO). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability a…
- CVE-2021-25163 | HIGH | CVSS 8.1 | EG 8.1 | 2021-04-29
  A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
- CVE-2021-25164 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-04-28
  A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
- CVE-2021-25165 | HIGH | CVSS 8.1 | EG 8.1 | 2021-04-28
  A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
- CVE-2021-25951 | HIGH | CVSS 7.5 | EG 7.5 | 2021-06-30
  XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.
- CVE-2021-26703 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-01
  EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI.
- CVE-2021-26969 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-03-05
  A remote authenticated XML external entity (XXE) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Due to improper restrictions on XML entities a vulnerability exists in the web-…
- CVE-2021-27184 | HIGH | CVSS 7.5 | EG 7.5 | 2021-02-11
  Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB…
- CVE-2021-27492 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-05-27
  When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary fi…
- CVE-2021-27604 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-04-14
  In order to prevent XML External Entity vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Enterprise Service Repository JAVA Mappings), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, SAP recommends to refe…
- CVE-2021-27635 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-06-09
  SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an administrator to connect over a network and submit a specially crafted XML file in the application because of missing XML Validation…
- CVE-2021-27736 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-04-22
  FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
- CVE-2021-27741 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-08-13
  Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection.
- CVE-2021-27777 | HIGH | CVSS 7.5 | EG 7.5 | 2022-05-12
  XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious…
- CVE-2021-27931 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-03-03
  LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files …
- CVE-2021-28110 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-19
  /exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser.
- CVE-2021-28684 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-06-21
  The XML parser used in ConeXware PowerArchiver before 20.10.02 allows processing of external entities, which might lead to exfiltration of local files over the network (via an XXE attack).
- CVE-2021-28973 | MEDIUM | CVSS 4.9 | EG 4.9 | 2021-04-13
  The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.