CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

196 vulnerabilities with CWE-917
CVE-2019-5353 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-5352 CRITICAL
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 9.8
CVE-2019-5351 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-5349 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-5348 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-5346 HIGH
HPE Intelligent Management Center PLAT < 7.3 E0506P09 - Remote Code Execution
CVSS 8.8
CVE-2019-5345 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-5344 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-5343 HIGH
HPE Intelligent Management Center PLAT < 7.3 E0506P09 - Remote Code Execution
CVSS 8.8
CVE-2019-5342 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11948 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11943 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11942 HIGH
HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVSS 8.8
CVE-2019-11628 HIGH
QlikView Server <11.20 SR19-12.30 SR2 - Auth Bypass
CVSS 8.2
CVE-2019-9041 HIGH
ZZZCMS zzzphp 1.6.1 - Remote Code Execution via Template Parser If Label
CVSS 7.2
CVE-2019-5916 CRITICAL
POWER EGG <= 2.9 Patch 4 - Expression Language Injection
CVSS 9.8
CVE-2019-7743 CRITICAL
Joomla! 2.5.0-3.9.2 - Deserialization of Untrusted Data via phar:// Stream Wrapper
CVSS 9.8
CVE-2018-16621 HIGH
Sonatype Nexus Repository Manager <3.14 - Code Injection
CVSS 7.2
CVE-2018-12533 CRITICAL
JBoss RichFaces 3.1.0-3.3.4 - Unauthenticated Expression Language Injection via Paint2DResource ImageData Path
CVSS 9.8
CVE-2018-12532 CRITICAL
JBoss RichFaces 4.5.3-4.5.17 - Unauthenticated Expression Language Injection via MediaOutputResource
CVSS 9.8
CVE-2010-1871 HIGH KEV
JBoss Enterprise Application Platform 4.3.0 - Remote Code Execution via JBoss Expression Language Injection
CVSS 8.8