CVEbaza.plSłownik CWECWE-611
Common Weakness Enumeration

CWE-611

Improper Restriction of XML External Entity Reference

Kategoria: BaseCVE: 1522
Opis

Produkt przetwarza dokument XML zawierający jednostki XML z URI, które rozwiązują się do dokumentów spoza zamierzonej sfery kontroli, powodując osadzenie nieprawidłowych dokumentów w wyjściu produktu. Podatność ta może być wykorzystana do wstrzykiwania złośliwych treści lub ujawnienia poufnych informacji.

Description (EN)

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Podatności CVE z CWE-611 (1522)
10.0
CVSS
CRITICAL
CVE-2022-22486

IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.

pub. 2023-02-03
10.0
CVSS
CRITICAL
CVE-2019-14678

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

pub. 2019-11-14
10.0
CVSS
CRITICAL
CVE-2015-9280

MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.

pub. 2019-01-16
10.0
CVSS
CRITICAL
CVE-2018-1000820

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000821

MicroMathematics version before commit 5c05ac8 contains a XML External Entity (XXE) vulnerability in SMathStudio files that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted SMathStudio files. This vulnerability appears to have been fixed in after commit 5c05ac8.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000822

codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000823

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000825

FreeCol version <= nightly-2018-08-22 contains a XML External Entity (XXE) vulnerability in FreeColXMLReader parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Freecol file.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000830

XR3Player version <= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000831

K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious WebDAV server or intercept the reponse of a valid WebDAV server.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000835

KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000837

UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious plugins.xml file.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000838

autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Specially crafted CaseMetadata.

pub. 2018-12-20
10.0
CVSS
CRITICAL
CVE-2018-1000644

Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted RDF file.

pub. 2018-08-20
10.0
CVSS
CRITICAL
CVE-2018-1000651

Stroom version <5.4.5 contains a XML External Entity (XXE) vulnerability in XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted XML file.

pub. 2018-08-20
10.0
CVSS
CRITICAL
CVE-2018-1000652

JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vulnerability appears to have been fixed in after commit 89f855d.

pub. 2018-08-20
10.0
CVSS
CRITICAL
CVE-2018-1000124

I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea.

pub. 2018-03-13
10.0
CVSS
CRITICAL
CVE-2017-7664

Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.

pub. 2017-07-17
10.0
CVSS
CRITICAL
CVE-2017-8110

www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php.

pub. 2017-04-25
9.9
CVSS
CRITICAL
CVE-2025-30220

Klasa Schemas w bibliotece GeoTools (gt-xsd-core) nie stosuje poprawnie mechanizmu rozwiązywania encji (EntityResolver) podczas przetwarzania dokumentów XML, co prowadzi do podatności XML External Entity (XXE). Błąd o ocenie krytycznej (CVSS 9.9) może umożliwić zdalnemu atakującemu odczyt poufnych plików z serwera lub wykonanie ataków SSRF bez żadnego uwierzytelnienia.

pub. 2025-06-10
Pokazano 20 z 1522 podatności
Informacje
ID: CWE-611
Typ: Base
Podatności: 1522
MITRE CWE ↗
← Słownik CWE
CWE-611 — Niewłaściwe ograniczenie odwołań do zewnętrznych jednostek XML | Słownik CWE | CVEbaza.pl