CWE-611: Improper Restriction of XML External Entity Reference (XXE)

1,115 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.

CVEs classified under CWE-611 (page 6 of 23)
- CVE-2018-8527 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-10-10
  An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulner…
- CVE-2018-8532 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-10-10
  An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulne…
- CVE-2018-8533 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-10-10
  An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity, aka "SQL Server Management Studio Information Disclosure Vulne…
- CVE-2018-8819 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-14
  An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclos…
- CVE-2018-8940 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-14
  ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the appl…
- CVE-2018-9116 | CRITICAL | CVSS 9.1 | EG 9.1 | 2018-03-29
  An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.
- CVE-2018-9375 | HIGH | CVSS 7.8 | EG 7.8 | 2025-01-17
  In multiple functions of UserDictionaryProvider.java, there is a possible way to add and delete words in the user dictionary due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges…
- CVE-2018-9379 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-01-17
  In multiple functions of MiniThumbFile.java, there is a possible way to view the thumbnails of deleted photos due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User in…
- CVE-2019-0188 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-28
  Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
- CVE-2019-0228 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-04-17
  Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
- CVE-2019-0265 | MEDIUM | CVSS 4.9 | EG 4.9 | 2019-02-15
  SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7…
- CVE-2019-0277 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-03-12
  SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).
- CVE-2019-0284 | MEDIUM | CVSS 6.0 | EG 6.0 | 2019-04-10
  SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE…
- CVE-2019-0340 | MEDIUM | CVSS 5.4 | EG 5.4 | 2019-08-14
  The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to a Missing XML Validation vulnerability. This issue affects the file upload at multiple locations. An attacker can read lo…
- CVE-2019-0756 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-09
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
- CVE-2019-0790 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-09
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, …
- CVE-2019-0791 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-09
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0792, CVE-2019-0793, …
- CVE-2019-0792 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-09
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0793, …
- CVE-2019-0793 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-09
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, …
- CVE-2019-0795 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-09
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, …
- CVE-2019-0948 | MEDIUM | CVSS 4.7 | EG 4.7 | 2019-06-12
  An information disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could rea…
- CVE-2019-1003015 | CRITICAL | CVSS 9.1 | EG 9.1 | 2019-02-06
  An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP serv…
- CVE-2019-10080 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-11-19
  The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information su…
- CVE-2019-1010202 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-07-23
  Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The att…
- CVE-2019-1010268 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-07-18
  Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request hand…
- CVE-2019-10172 | HIGH | CVSS 7.5 | EG 7.5 | 2019-11-18
  A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
- CVE-2019-10244 | HIGH | CVSS 7.5 | EG 7.5 | 2019-04-09
  In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an …
- CVE-2019-10264 | HIGH | CVSS 7.2 | EG 7.2 | 2019-07-26
  An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file th…
- CVE-2019-10266 | HIGH | CVSS 7.5 | EG 7.5 | 2019-07-26
  An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication.
- CVE-2019-10309 | CRITICAL | CVSS 9.3 | EG 6.1 | 2019-04-30
  Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same netwo…
- CVE-2019-10327 | HIGH | CVSS 8.1 | EG 8.1 | 2019-05-31
  An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a mali…
- CVE-2019-10337 | HIGH | CVSS 7.5 | EG 7.5 | 2019-06-11
  An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the ex…
- CVE-2019-10466 | HIGH | CVSS 8.1 | EG 8.1 | 2019-10-23
  An XML external entities (XXE) vulnerability in Jenkins 360 FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side req…
- CVE-2019-1057 | HIGH | CVSS 7.5 | EG 8.8 | 2019-08-14
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s…
- CVE-2019-1060 | HIGH | CVSS 8.8 | EG 8.8 | 2019-10-10
  A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
- CVE-2019-10718 | HIGH | CVSS 7.5 | EG 7.5 | 2019-06-21
  BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.
- CVE-2019-10782 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-01-30
  All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.
- CVE-2019-10976 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-07-26
  Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the…
- CVE-2019-11216 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-12-04
  BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the import functionality. One can import a malicious XML file and perform XXE attacks to download local files from the server, or do DoS attacks with XML expansion attacks. X…
- CVE-2019-11392 | HIGH | CVSS 7.5 | EG 7.5 | 2019-06-21
  BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.
- CVE-2019-11519 | MEDIUM | CVSS 4.9 | EG 4.9 | 2019-04-25
  Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.
- CVE-2019-11677 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-02
  The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.
- CVE-2019-1187 | MEDIUM | CVSS 5.5 | EG 7.5 | 2019-08-14
  A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote una…
- CVE-2019-12154 | CRITICAL | CVSS 9.1 | EG 9.1 | 2019-06-11
  XXE in the XML parser library in RealObjects PDFreactor before 10.1.10722 allows attackers to supply malicious XML content in externally referenced resources, leading to disclosure of local file contents and/or denial of service conditions.
- CVE-2019-12331 | HIGH | CVSS 8.8 | EG 8.8 | 2019-11-07
  PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes sheet1.xml from an .xlsx file to UTF-8 if something other than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277, but the …
- CVE-2019-12415 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-10-23
  In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resource…
- CVE-2019-12711 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-10-02
  A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to access sensitive information or…
- CVE-2019-12924 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-07-08
  MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML pr…
- CVE-2019-13031 | HIGH | CVSS 8.1 | EG 8.1 | 2019-06-28
  LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.
- CVE-2019-13176 | HIGH | CVSS 7.5 | EG 7.5 | 2019-08-08
  An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SS…