External XML Entity Injection (XXE)


It is possible to cause the application’s XML parser to include external resources. This can include files or in some circumstances initiate requests to third party servers.


Consult the documentation for the XML Parser used by the target application for security guidelines and hardening steps. It is recommended that all XML parsers disable external entity resolution and XML xinclude features. Most XML parsers based on libxml can also be configured to disable network access.


ID Aggregated CWE Type Risk
611.1 false 611 Active high