Threats Tagged 'cwe-611'

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints.

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection. This issue affects ww.Winsure: before 4.6.2.

Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup. This issue affects Apinizer Management Console: before 2024.05.1.

CVE-2026-49383 is a low-severity vulnerability in JetBrains IntelliJ IDEA before version 2026.1. It involves an XML External Entity (XXE) issue in the UI Designer form parser, which could allow limited information disclosure. The vulnerability requires local access and user interaction to exploit and does not impact integrity or availability.

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.

IBM Engineering Lifecycle Management versions 7.0.3 Interim Fix 001 through 7.2.0 Interim Fix 001 contain an XML External Entity (XXE) vulnerability. This flaw allows an authenticated attacker to exploit the XML processing functionality to disclose sensitive information or cause memory resource consumption. The vulnerability is identified as CWE-611 and has a CVSS v3.1 score of 7.1, indicating high severity. No official patch or remediation level has been confirmed yet.

CVE-2026-44618 is a medium severity vulnerability in Apache CXF's WS-Transfer module caused by insecure XML parser configuration that allows XML External Entity (XXE) attacks. This vulnerability affects Apache CXF versions 4.2.0 and 4.0.0. The issue is addressed in Apache CXF versions 4.2.1, 4.1.