XXE, or XML External Entity, is part of the XML spec that can introduce a vulnerability in poorly crafted XML parsers.
The XML specification allows an XML file to refer to entities that are not part of the XML file itself. More specific, an XML file may contain an external general parsed entity. An XML parser can try to open and parse that external entity.
To use this vulnerability, the attacker creates an XML file that refers to the entity they're interested in - for example, the /etc/passwd file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
The parser is instructed to parse this external file, and process it - possibly exposing its contents, or part thereof, to the attacker. A creative attacker could also use this for other purposes, e.g. using the parser to scan ports.
Source: