CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

196 vulnerabilities with CWE-917
CVE-2020-1959 CRITICAL
Apache Syncope < 2.1.6 - Unauthenticated Remote Code Execution via Java EL Expression Injection
CVSS 9.8
CVE-2020-10199 HIGH KEV
Nexus Repository Manager Java EL Injection RCE
CVSS 8.8
CVE-2020-7799 HIGH
FusionAuth <1.11.0 - Command Injection
CVSS 7.2
CVE-2019-16469 HIGH
Adobe Experience Manager <6.6 - Info Disclosure
CVSS 7.5
CVE-2019-12822 HIGH
Embedthis GoAhead < 4.1.1 and 5.x < 5.0.1 - Denial of Service via Malformed HTTP Header
CVSS 7.5
CVE-2019-11986 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11985 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11969 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11965 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11964 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11963 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11962 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11961 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11960 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11959 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11958 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11955 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11954 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11953 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11952 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11951 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11949 CRITICAL
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 9.8
CVE-2019-5389 HIGH
HPE Intelligent Management Center PLAT < 7.3 E0506P09 - Remote Code Execution
CVSS 8.8
CVE-2019-5388 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-5387 CRITICAL
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 9.8