CWE-611: Improper Restriction of XML External Entity Reference (XXE)
1,115 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-611 (page 2 of 23)
- CVE-2017-1000498 | HIGH | CVSS 7.8 | EG 7.8 | 2018-01-03
  AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution
- CVE-2017-14699 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-01-29
  Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U…
- CVE-2017-15691 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-04-26
  In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE…
- CVE-2017-15725 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-28
  An XML External Entity Injection vulnerability exists in Dzone AnswerHub.
- CVE-2017-16349 | HIGH | CVSS 8.1 | EG 8.1 | 2018-08-02
  An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial …
- CVE-2017-1666 | HIGH | CVSS 8.1 | EG 8.1 | 2018-01-09
  IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory…
- CVE-2017-1758 | HIGH | CVSS 7.1 | EG 7.1 | 2018-02-21
  IBM Financial Transaction Manager for ACH Services for Multi-Platform (IBM Control Center 6.0 and 6.1, IBM Financial Transaction Manager 3.0.2, 3.0.3, 3.0.4, and 3.1.0, IBM Transformation Extender Advanced 9.0) is vulnerable to an XML Exter…
- CVE-2017-17762 | HIGH | CVSS 7.5 | EG 7.5 | 2018-08-29
  XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.
- CVE-2017-18110 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-03-29
  The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via an XXE vulnerability.
- CVE-2017-18111 | HIGH | CVSS 8.7 | EG 8.7 | 2019-03-29
  The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAut…
- CVE-2017-18197 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-24
  In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert() is missing flags to prevent XML External Entity (XXE) attacks, as demonstrated by /ServerView.
- CVE-2017-18438 | MEDIUM | CVSS 6.3 | EG 6.3 | 2019-08-02
  cPanel before 64.0.21 allows demo accounts to execute code via Encoding API calls (SEC-242).
- CVE-2017-20151 | MEDIUM | CVSS 5.5 | EG 9.8 | 2022-12-30
  A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The patch i…
- CVE-2017-2815 | HIGH | CVSS 8.1 | EG 8.1 | 2018-05-15
  An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a cra…
- CVE-2017-3206 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-11
  The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it…
- CVE-2017-3208 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-11
  The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly…
- CVE-2017-5828 | HIGH | CVSS 8.1 | EG 8.1 | 2018-02-15
  An arbitrary command execution vulnerability in HPE Aruba ClearPass Policy Manager version 6.6.x was found.
- CVE-2017-6323 | HIGH | CVSS 8.0 | EG 8.0 | 2018-04-16
  The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_HF6, and ITMS 7.6_POST_HF7 has an issue whereby XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lea…
- CVE-2017-7375 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-19
  A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, t…
- CVE-2017-7426 | MEDIUM | CVSS 5.4 | EG 9.1 | 2018-03-01
  The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.
- CVE-2017-7464 | HIGH | CVSS 8.7 | EG 9.8 | 2018-07-27
  It was found that the JAXP implementation used in JBoss EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML conte…
- CVE-2017-7465 | CRITICAL | CVSS 9.0 | EG 9.8 | 2018-06-27
  It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing…
- CVE-2017-7545 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-07-26
  It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application s…
- CVE-2017-8315 | HIGH | CVSS 7.5 | EG 7.5 | 2018-04-20
  Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml.
- CVE-2017-8316 | HIGH | CVSS 7.5 | EG 7.5 | 2018-08-03
  IntelliJ IDEA XML parser was found vulnerable to an XML External Entity attack; an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.
- CVE-2017-9362 | HIGH | CVSS 8.8 | EG 8.8 | 2019-03-25
  ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.
- CVE-2018-0100 | MEDIUM | CVSS 4.4 | EG 4.4 | 2018-01-18
  A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to imp…
- CVE-2018-0108 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-01-18
  A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity (XXE) injection. An attacker could exploit this vulnerability to gain informati…
- CVE-2018-0207 | LOW | CVSS 3.3 | EG 3.3 | 2018-03-08
  A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerabi…
- CVE-2018-0218 | LOW | CVSS 3.3 | EG 3.3 | 2018-03-08
  A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerabi…
- CVE-2018-0414 | MEDIUM | CVSS 5.7 | EG 5.7 | 2018-10-05
  A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML …
- CVE-2018-0765 | HIGH | CVSS 7.5 | EG 7.5 | 2018-05-09
  A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft…
- CVE-2018-0878 | LOW | CVSS 3.1 | EG 3.1 | 2018-03-14
  Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709…
- CVE-2018-1000008 | HIGH | CVSS 8.8 | EG 8.8 | 2018-01-23
  Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side reques…
- CVE-2018-1000009 | HIGH | CVSS 8.8 | EG 8.8 | 2018-01-23
  Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side…
- CVE-2018-1000010 | HIGH | CVSS 8.8 | EG 8.8 | 2018-01-23
  Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side reques…
- CVE-2018-1000011 | HIGH | CVSS 8.8 | EG 8.8 | 2018-01-23
  Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side r…
- CVE-2018-1000012 | HIGH | CVSS 8.8 | EG 8.8 | 2018-01-23
  Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side r…
- CVE-2018-1000054 | HIGH | CVSS 8.3 | EG 8.3 | 2018-02-09
  Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request…
- CVE-2018-1000055 | HIGH | CVSS 8.3 | EG 8.3 | 2018-02-09
  Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-sid…
- CVE-2018-1000056 | HIGH | CVSS 8.3 | EG 8.3 | 2018-02-09
  Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side requ…
- CVE-2018-1000069 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-03-13
  FreePlane version 1.5.9 and earlier contains an XML External Entity (XXE) vulnerability in the XML Parser in the mindmap loader that can result in stealing data from the victim's machine. This attack appears to require the victim to open a specially cr…
- CVE-2018-1000090 | HIGH | CVSS 7.5 | EG 7.5 | 2018-03-13
  textpattern version 4.6.2 contains an XML Injection vulnerability in the Import XML feature that can result in denial of service in the context of the web server by exhausting server memory resources. This attack appears to be exploitable vi…
- CVE-2018-1000124 | CRITICAL | CVSS 10.0 | EG 10.0 | 2018-03-13
  I Librarian I-librarian version 4.8 and earlier contains an XML External Entity (XXE) vulnerability in line 154 of importmetadata.php (simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack…
- CVE-2018-1000198 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-06-05
  An XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML external entities in an XM…
- CVE-2018-1000515 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-26
  ventrian News-Articles version NewsArticles.00.09.11 contains an XML External Entity (XXE) vulnerability in News-Articles/API/MetaWebLog/Handler.ashx.vb that can result in an attacker reading any file on the server or using an smbrelay attack to a…
- CVE-2018-1000540 | HIGH | CVSS 7.8 | EG 7.8 | 2018-06-26
  LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains an XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential data, denial of servi…
- CVE-2018-1000542 | HIGH | CVSS 7.8 | EG 7.8 | 2018-06-26
  netbeans-mmd-plugin version <= 1.4.3 contains an XML External Entity (XXE) vulnerability in MMD file import that can result in possible information disclosure, server-side request forgery, or remote code execution. This attack appears to be …
- CVE-2018-1000546 | HIGH | CVSS 7.8 | EG 7.8 | 2018-06-26
  Triplea version <= 1.9.0.0.10291 contains an XML External Entity (XXE) vulnerability in importing game data that can result in possible information disclosure, server-side request forgery, or remote code execution. This attack appears to be …
- CVE-2018-1000548 | HIGH | CVSS 7.8 | EG 7.8 | 2018-06-26
  Umlet version < 14.3 contains an XML External Entity (XXE) vulnerability in file parsing that can result in disclosure of confidential data, denial of service, or server-side request forgery. This attack appears to be exploitable via specially …