CWE-611

Improper Restriction of XML External Entity Reference

Parent: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1,253 vulnerabilities with CWE-611
CVE-2018-12471 MEDIUM
SUSE Linux SMT < 3.0.37 - XML External Entity Injection
CVSS 6.5
CVE-2018-1702 HIGH
IBM Platform Symphony 7.1 Fix Pack 1, 7.1.1 and IBM Spectrum Symphony 7.1.2, 7.2.0.2 - XML External Entity Injection
CVSS 7.1
CVE-2018-17411 CRITICAL
iWay Data Quality Suite Web Console <10.6.1.ga-2016-11-20 - XSS
CVSS 9.8
CVE-2018-15531 CRITICAL
javamelody < 1.74.0 - XML External Entity Injection via parseSoapMethodName
CVSS 9.8
CVE-2018-1669 HIGH
IBM DataPower Gateway <7.6.0.9 - XXE
CVSS 7.1
CVE-2018-1607 HIGH
IBM Rational Engineering Lifecycle Manager <5.02, 6.0.6 - XXE
CVSS 7.1
CVE-2018-1588 HIGH
IBM Rational Engineering Lifecycle Manager 5.0-5.02 and 6.0-6.0.6 - XML External Entity Injection
CVSS 7.1
CVE-2018-12243 HIGH
Symantec Messaging Gateway <10.6.6 - XXE
CVSS 8.8
CVE-2018-11761 HIGH
Apache Tika 0.1-1.18 - XML External Entity Injection
CVSS 7.5
CVE-2018-12585 HIGH
OPC UA Java/.NET Legacy Stack - SSRF
CVSS 8.2
CVE-2018-8420 HIGH
Microsoft Windows - Remote Code Execution via MSXML Parser
CVSS 8.8
CVE-2018-16252 LOW
FsPro Labs Event Log Explorer 4.6.1.2115 - XML External Entity Injection via .elx File
CVSS 3.3
CVE-2018-16521 CRITICAL
HTML Form Entry 3.7.0 - XML External Entity Injection
CVSS 9.8
CVE-2018-16303 HIGH
PDF-XChange Editor <= 7.0.326.1 - Denial of Service via Crafted x:xmpmeta Structure
CVSS 7.5
CVE-2018-11719 MEDIUM
Xovis PC2, PC2R, and PC3 Firmware < 3.6.0 - XML External Entity Injection
CVSS 4.9
CVE-2018-13826 CRITICAL
Broadcom Project Portfolio Management < 14.3 - XXE
CVSS 9.1
CVE-2018-13823 HIGH
Broadcom Project Portfolio Management < 14.3 - XXE
CVSS 7.5
CVE-2018-11758 HIGH
Apache Cayenne < 3.1.3 - XML External Entity Injection in CayenneModeler
CVSS 8.1
CVE-2018-1000652 CRITICAL
JabRef <= 4.3.1 - XML External Entity Injection in MsBibImporter XML Parser
CVSS 10.0
CVE-2018-1000651 CRITICAL
Stroom < 5.4.5 - XML External Entity Injection via XML Parser
CVSS 10.0
CVE-2018-1000644 CRITICAL
Eclipse RDF4j < 2.4.0 - XML External Entity Injection in RDF XML Parser
CVSS 10.0
CVE-2018-1000639 CRITICAL
LatexDraw <= 4.0 - XML External Entity Injection via SVG Parsing
CVSS 9.6
CVE-2018-13417 CRITICAL
Vuze Bittorrent Client 5.7.6.0 - XML External Entity Injection via SSDP/UPnP XML Parser
CVSS 9.8
CVE-2018-13415 CRITICAL
Plex Media Server 1.13.2.5154 - Unauthenticated XML External Entity Injection via SSDP/UPnP Parser
CVSS 9.8
CVE-2018-11048 HIGH
Dell EMC Data Protection Advisor 6.2-6.5 & Integrated Data Protection Appliance 2.0-2.1 - XXE via REST API
CVSS 8.1