CWE-91

XML Injection (aka Blind XPath Injection)

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

116 vulnerabilities with CWE-91
CVE-2017-15683 HIGH
Crafter CMS Crafter Studio <3.0.1 - Info Disclosure
CVSS 8.6
CVE-2017-1000452 HIGH
Samlify <2.2.0 - Impersonation
CVSS 7.5
CVE-2017-10603 HIGH
Junos OS <15.1X53-D47-15.1R3 - Privilege Escalation
CVSS 7.0
CVE-2017-2171 MEDIUM
Captcha <4.3.0 - XSS
CVSS 6.1
CVE-2017-5654 HIGH
Ambari <2.4.3-2.5.0 - Info Disclosure
CVSS 7.5
CVE-2016-6272 HIGH
Epic MyChart - XPath Injection
CVSS 7.5
CVE-2016-5697 HIGH
Ruby-saml <1.3.0 - Info Disclosure
CVSS 7.5
CVE-2016-2932 MEDIUM
IBM BigFix Remote Control <9.1.3 - Code Injection
CVSS 5.3
CVE-2015-6970 CRITICAL
Bosch Security Systems NBN-498 Dinion2X - XML Injection
CVSS 9.8
CVE-2015-3932 HIGH
Netlock Mokka <2.7.8.1204 - SSRF
CVSS 7.8
CVE-2015-3931 HIGH
Microsec e-Szigno <3.2.7.12 - Code Injection
CVSS 7.8
CVE-2014-1409 CRITICAL
Mobileiron Virtual Smartphone Platform < 5.9.1 - Authentication Bypass
CVSS 9.1
CVE-2013-4857 CRITICAL
D-Link DIR-865L - Code Injection
CVSS 9.8
CVE-2013-7429 CRITICAL
Googlemaps <3.1 - Code Injection
CVSS 9.8
CVE-2013-4221
Restlet <2.1.4 - Code Injection
CVE-2008-5024
Mozilla Firefox <3.0.4-2.0.0.18 & Thunderbird <2.0.0.18 & SeaMonkey...