CWE-611 — Improper Restriction of XML External Entity Reference (XXE)
1,115 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-611 (page 12 of 23)
- CVE-2021-29140 | HIGH | CVSS 8.2 | EG 8.2 | 2021-04-29
A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulne…
- CVE-2021-29421 | HIGH | CVSS 7.5 | EG 7.5 | 2021-04-01
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.
- CVE-2021-29447 | HIGH | CVSS 7.1 | EG 9.0 | 2021-04-15
WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to inter…
- CVE-2021-29620 | HIGH | CVSS 7.5 | EG 7.5 | 2021-06-23
Report portal is an open source reporting and analysis framework. Starting from version 3.1.0 of the service-api XML parsing was introduced. Unfortunately the XML parser was not configured properly to prevent XML external entity (XXE) atta…
- CVE-2021-29831 | HIGH | CVSS 8.1 | EG 8.1 | 2021-09-21
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive inf…
- CVE-2021-29997 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-04-13
An issue was discovered in Wind River VxWorks 7 before 21.03. A specially crafted packet may lead to buffer over-read on IKE.
- CVE-2021-30006 | HIGH | CVSS 7.5 | EG 7.5 | 2021-05-11
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.
- CVE-2021-30137 | HIGH | CVSS 7.7 | EG 7.7 | 2021-09-15
Assyst 10 SP7.5 has authenticated XXE leading to SSRF via XML unmarshalling. The application allows users to send JSON or XML data to the server. It was possible to inject malicious XML data through several access points.
- CVE-2021-30201 | HIGH | CVSS 7.5 | EG 6.5 | 2021-07-09
The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following …
- CVE-2021-3055 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-08
An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically craf…
- CVE-2021-31842 | MEDIUM | CVSS 5.0 | EG 5.5 | 2021-09-17
XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack throug…
- CVE-2021-32754 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-07-12
FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2.9.0 contained an XML external entity (XXE) vulnerability that allowed an attacker who had control over the source/sink definition file in XML format to read files from e…
- CVE-2021-32925 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-05-13
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
- CVE-2021-32972 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-07-09
Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that…
- CVE-2021-3312 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-10-08
An XML external entity (XXE) vulnerability in Alkacon OpenCms 11.0, 11.0.1 and 11.0.2 allows remote authenticated users with edit privileges to exfiltrate files from the server's file system by uploading a crafted SVG document.
- CVE-2021-33208 | HIGH | CVSS 7.2 | EG 7.2 | 2022-03-30
The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.
- CVE-2021-33813 | HIGH | CVSS 7.5 | EG 7.5 | 2021-06-16
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
- CVE-2021-33950 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-17
An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function.
- CVE-2021-34436 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-02
In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language supp…
- CVE-2021-34706 | MEDIUM | CVSS 6.4 | EG 6.4 | 2021-10-06
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or conduct a server-side request forgery (SSRF) attack through an a…
- CVE-2021-34823 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-08-13
The ON24 ScreenShare (aka DesktopScreenShare.app) plugin before 2.0 for macOS allows remote file access via its built-in HTTP server. This allows unauthenticated remote users to retrieve files accessible to the logged-on macOS user. When a…
- CVE-2021-35066 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-06-21
An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.
- CVE-2021-35201 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-30
NEI in NETSCOUT nGeniusONE 6.3.0 build 1196 allows XML External Entity (XXE) attacks.
- CVE-2021-35496 | HIGH | CVSS 7.5 | EG 7.5 | 2021-10-12
The XMLA Connections component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Ser…
- CVE-2021-36172 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-11-02
An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of…
- CVE-2021-37178 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-08-10
A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). An XML external entity injection vulnerability in the underlying XML parser could cause the affected application to disclose arbitrary files to remote att…
- CVE-2021-37425 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-08-10
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
- CVE-2021-38298 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-07
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
- CVE-2021-3836 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-12-14
dbeaver is vulnerable to Improper Restriction of XML External Entity Reference.
- CVE-2021-38555 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-11
An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allo…
- CVE-2021-38584 | HIGH | CVSS 7.2 | EG 7.2 | 2021-08-11
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
- CVE-2021-3869 | HIGH | CVSS 7.5 | EG 7.5 | 2021-10-19
corenlp is vulnerable to Improper Restriction of XML External Entity Reference.
- CVE-2021-3878 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-15
corenlp is vulnerable to Improper Restriction of XML External Entity Reference.
- CVE-2021-3902 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-15
An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can…
- CVE-2021-39239 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-16
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
- CVE-2021-39371 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-23
An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
- CVE-2021-40356 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-14
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application conta…
- CVE-2021-40439 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-10-07
Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML f…
- CVE-2021-40500 | HIGH | CVSS 7.5 | EG 7.5 | 2021-10-12
SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over …
- CVE-2021-40510 | HIGH | CVSS 7.5 | EG 7.5 | 2022-06-21
XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.
- CVE-2021-40722 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-01-13
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.
- CVE-2021-41042 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-07-07
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
- CVE-2021-41098 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-27
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who pa…
- CVE-2021-41411 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-16
drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.
- CVE-2021-41770 | HIGH | CVSS 7.5 | EG 7.5 | 2021-10-07
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
- CVE-2021-42194 | HIGH | CVSS 7.2 | EG 7.2 | 2022-03-20
The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_load_string function, which itself does not prohibit external entities, triggering an XML external entity (…
- CVE-2021-42537 | MEDIUM | CVSS 5.9 | EG 7.5 | 2022-07-27
VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
- CVE-2021-42560 | HIGH | CVSS 8.8 | EG 8.8 | 2022-01-12
An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfil…
- CVE-2021-42646 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-05-11
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 …
- CVE-2021-42776 | HIGH | CVSS 7.7 | EG 7.7 | 2021-12-01
CloverDX Server before 5.11.2 and 5.12.x before 5.12.1 allows XXE during configuration import.