CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Parent Weaknesses (ChildOf)
Related Weaknesses
Common Consequences
Impact: Read Application Data, Read Files or Directories
Impact: Bypass Protection Mechanism
Impact: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Potential Mitigations
Many XML parsers and validators can be configured to disable external entity expansion.
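The mitigation above in practice, as an added example that is not part of the CWE entry: rather than trusting a parser's defaults, the handlers below reject any DOCTYPE, entity declaration or external entity reference outright (the approach libraries such as defusedxml take), using only Python's standard-library expat bindings. The ForbiddenDTD class, the sample documents and the placeholder URIs in them are constructed for this demonstration.

```python
"""CWE-611 mitigation: refuse any DTD, entity declaration or external entity
reference before expat can expand it. Added example on Python's stdlib expat
bindings; not code from the CWE entry."""
import xml.parsers.expat

class ForbiddenDTD(ValueError):
    """Raised when a document carries a DOCTYPE, entity or external reference."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise ForbiddenDTD(f"DOCTYPE not allowed (name={name!r}, system id={sysid!r})")

def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise ForbiddenDTD(f"entity declaration not allowed: {name!r}")

def _reject_external(context, base, sysid, pubid):
    raise ForbiddenDTD(f"external entity reference not allowed: {sysid!r}")

def parse_without_entities(data: bytes) -> dict:
    """Parse a small document into {element: text}; the handlers raise on any
    DTD machinery and expat propagates that exception out of Parse()."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype    # <!DOCTYPE ...>, internal or external subset
    parser.EntityDeclHandler = _reject_entity           # <!ENTITY ...> declarations
    parser.ExternalEntityRefHandler = _reject_external  # &name; resolving outside the document
    fields, stack = {}, []
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()

    def on_text(text):  # character data may arrive in chunks, so concatenate
        if stack and text.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + text

    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return fields

def is_accepted(data: bytes) -> bool:
    """True when the document parses without touching any DTD feature."""
    try:
        parse_without_entities(data)
        return True
    except ForbiddenDTD:
        return False

# Constructed sample inputs with placeholder URIs (not from the CWE entry).
SAFE_DOC = b"<user><name>alice</name><role>reader</role></user>"
INTERNAL_DTD_DOC = (b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///placeholder">]>'
                    b"<user><name>&ext;</name></user>")
EXTERNAL_DTD_DOC = b'<!DOCTYPE user SYSTEM "http://dtd.example.invalid/u.dtd"><user/>'
```

Because the DOCTYPE handler fires before any entity is declared or expanded, both the inline entity and the external DTD subset are refused before the parser can resolve anything.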
Observed Examples
CVE-2022-42745: Recruiter software allows reading arbitrary files using XXE.
CVE-2005-1306: A browser control can allow remote attackers to determine the existence of files via JavaScript containing XML script.
CVE-2012-5656: XXE during SVG image conversion.
CVE-2012-2239: XXE in PHP application allows reading the application's configuration file.
CVE-2012-3489: XXE in database server.
CVE-2012-4399: XXE in rapid web application development framework allows reading arbitrary files.
CVE-2012-3363: XXE via XML-RPC request.
CVE-2012-0037: XXE in office document product using RDF.
CVE-2011-4107: XXE in web-based administration tool for database.
CVE-2010-3322: XXE in product that performs large-scale data analysis.
Applicable Platforms