Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-91

CWE-91

XML Injection (aka Blind XPath Injection)

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

128 vulnerabilities with CWE-91

CVE-2019-14277 CRITICAL

Axway SecureTransport <5.3-5.5 - Unauthenticated XXE

CVE-2019-1010017 HIGH

libnmap < 0.6.3 - Denial of Service via XML Injection

CVE-2019-9892 MEDIUM

OTRS <5.0.34, <6.0.17, <7.0.6 - Info Disclosure

CVE-2019-0268 HIGH

SAP BusinessObjects <4.30 - Info Disclosure

CVE-2018-1721 HIGH

IBM Cognos Analytics 11.0 and 11.1 - XML External Entity Injection

CVE-2018-19277 HIGH

PHPOffice PhpSpreadsheet <1.5.0 - XSS

CVE-2018-2477 HIGH

SAP NetWeaver <7.51 - Info Disclosure

CVE-2018-16784 HIGH

DedeCMS 5.7 SP2 - Remote Code Execution via XML Injection

CVE-2018-16785 HIGH

dedecms V5.7 SP2 - XML Injection

CVE-2018-1000632 HIGH

dom4j 2.0.0-2.0.3 - XML Injection via Element.addElement or Element.addAttribute

CVE-2018-1000526 HIGH

openpsa - XML Injection via RSS File Upload

CVE-2017-15685 HIGH

Crafter CMS Crafter Studio 3.0.1 - Unauthenticated XML External Entity Injection

CVE-2017-15683 HIGH

Crafter CMS Crafter Studio <3.0.1 - Info Disclosure

CVE-2017-1000452 HIGH

Samlify < 2.2.0 - XML Signature Wrapping

CVE-2017-10603 HIGH

Junos OS <15.1X53-D47-15.1R3 - Privilege Escalation

CVE-2017-2171 MEDIUM

BestWebSoft Plugins - Cross-Site Scripting via BestWebSoft Menu Function

CVE-2017-5654 HIGH

Ambari <2.4.3-2.5.0 - Info Disclosure

CVE-2016-6272 HIGH

Epic MyChart - XPath Injection via Help Topic Parameter

CVE-2016-5697 HIGH

ruby-saml < 1.3.0 - XML Signature Wrapping Attack

CVE-2016-2932 MEDIUM

IBM BigFix Remote Control <9.1.3 - Code Injection

CVE-2015-6970 CRITICAL

Bosch Security Systems NBN-498 Dinion2X - XML Injection

CVE-2015-3932 HIGH

Netlock Mokka < 2.7 - XML Signature Wrapping via Crafted ds:Object Node

CVE-2015-3931 HIGH

Microsec e-Szigno <3.2.7.12 - Code Injection

CVE-2014-1409 CRITICAL

MobileIron Virtual Smartphone Platform < 5.9.1 and Sentry < 5.0 - Authentication Bypass via XML Password Obfuscation

CVE-2013-4857 CRITICAL

D-Link DIR-865L Firmware - PHP File Inclusion via Router XML File

Previous Page 5 of 6 Next

Details

Vulnerabilities 128

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy