CVE-2018-1000632

HIGH

dom4j <2.1.1 - XML Injection

Title source: llm

Description

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

References (29)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0364

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0362

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0365

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:0380

[Mailing List] https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1160

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1162

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1159

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:1161

[Mailing List] https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3172

[Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

... and 9 more

Scores

CVSS v3 7.5

EPSS 0.0161

EPSS Percentile 81.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-91

Status published

Products (29)

debian/debian_linux 8.0

dom4j/dom4j 0Maven

dom4j_project/dom4j 2.0.0 - 2.0.3

netapp/oncommand_workflow_automation

netapp/snap_creator_framework

netapp/snapcenter

netapp/snapmanager (2 CPE variants)

oracle/flexcube_investor_servicing 12.0.4

oracle/flexcube_investor_servicing 12.1.0

oracle/flexcube_investor_servicing 12.3.0

... and 19 more

Published Aug 20, 2018

Tracked Since Feb 18, 2026