CWE-91
Allowed-with-ReviewXML Injection (aka Blind XPath Injection)
Abstraction: Base · Status: Draft
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
190 vulnerabilities reference this CWE, most recent first.
GHSA-P746-QW73-QMMX
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2025-11-06 23:42Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7-p1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.3.7"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.2-p1"
},
{
"fixed": "2.4.2-p2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.2"
]
}
],
"aliases": [
"CVE-2021-36033"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-06T23:42:40Z",
"nvd_published_at": "2021-09-01T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.",
"id": "GHSA-p746-qw73-qmmx",
"modified": "2025-11-06T23:42:40Z",
"published": "2022-05-24T19:12:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36033"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Magento XML Injection vulnerability in the Widgets Module"
}
GHSA-P9WF-3XPG-C9G5
Vulnerability from github – Published: 2021-09-02 17:11 – Updated: 2024-10-24 21:53An XML external entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pywps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39371"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-25T19:48:42Z",
"nvd_published_at": "2021-08-23T01:15:00Z",
"severity": "HIGH"
},
"details": "An XML external entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.",
"id": "GHSA-p9wf-3xpg-c9g5",
"modified": "2024-10-24T21:53:22Z",
"published": "2021-09-02T17:11:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39371"
},
{
"type": "WEB",
"url": "https://github.com/geopython/OWSLib/issues/790"
},
{
"type": "WEB",
"url": "https://github.com/geopython/pywps/pull/616"
},
{
"type": "WEB",
"url": "https://github.com/geopython/pywps/commit/7d6b26a2e931df2feca0b7fb24f4d01610825aee"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p9wf-3xpg-c9g5"
},
{
"type": "PACKAGE",
"url": "https://github.com/geopython/pywps"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pywps/PYSEC-2021-121.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XML External Entity Injection in PyWPS"
}
GHSA-PFG4-R8VJ-QQM4
Vulnerability from github – Published: 2025-03-18 18:30 – Updated: 2025-03-19 21:30An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file.
{
"affected": [],
"aliases": [
"CVE-2025-25589"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-18T16:15:27Z",
"severity": "MODERATE"
},
"details": "An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file.",
"id": "GHSA-pfg4-r8vj-qqm4",
"modified": "2025-03-19T21:30:52Z",
"published": "2025-03-18T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25589"
},
{
"type": "WEB",
"url": "https://gitee.com/r1bbit/yimioa/issues/IBI81R"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PJ98-2XF6-CFF5
Vulnerability from github – Published: 2023-09-20 15:30 – Updated: 2024-04-28 06:31paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "reportlab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-19450"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-21T16:57:08Z",
"nvd_published_at": "2023-09-20T14:15:12Z",
"severity": "CRITICAL"
},
"details": "paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with \u0027\u003cunichar code=\"\u0027 followed by arbitrary Python code, a similar issue to CVE-2019-17626.",
"id": "GHSA-pj98-2xf6-cff5",
"modified": "2024-04-28T06:31:24Z",
"published": "2023-09-20T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19450"
},
{
"type": "WEB",
"url": "https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md"
},
{
"type": "WEB",
"url": "https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md#release-353115102019"
},
{
"type": "PACKAGE",
"url": "https://hg.reportlab.com/hg-public/reportlab"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ"
},
{
"type": "WEB",
"url": "https://pastebin.com/5MicRrr4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ReportLab vulnerable to remote code execution via paraparser"
}
GHSA-PQQ2-XHG5-JR2V
Vulnerability from github – Published: 2025-12-05 00:31 – Updated: 2025-12-10 18:30An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured.This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.
{
"affected": [],
"aliases": [
"CVE-2025-1545"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T22:15:48Z",
"severity": "HIGH"
},
"details": "An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured.This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.",
"id": "GHSA-pqq2-xhg5-jr2v",
"modified": "2025-12-10T18:30:22Z",
"published": "2025-12-05T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1545"
},
{
"type": "WEB",
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q8C5-P3CQ-8MH2
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:36ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation and execution via report print function of rexpert viewer with modified XML document. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
{
"affected": [],
"aliases": [
"CVE-2019-17323"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-30T21:15:00Z",
"severity": "HIGH"
},
"details": "ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation and execution via report print function of rexpert viewer with modified XML document. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.",
"id": "GHSA-q8c5-p3cq-8mh2",
"modified": "2024-04-04T02:36:36Z",
"published": "2022-05-24T17:00:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17323"
},
{
"type": "WEB",
"url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8R6-5HFW-5JFF
Vulnerability from github – Published: 2026-06-11 13:05 – Updated: 2026-06-12 19:24Impact
guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator ]]>. The XML request serializer writes values containing <, >, or & with XMLWriter::writeCData($value). If attacker-controlled input contains ]]>, the CDATA section closes early and the remainder is interpreted as XML markup. This is an outgoing request-body integrity issue, not a response parsing issue. The attacker does not need to control the service description or schema.
Users are affected when all of the following are true:
- The application uses
guzzlehttp/guzzle-servicesto serialize outgoing requests. - A request parameter or
additionalParametersschema useslocation: xml. - The value is serialized as XML element text, not an XML attribute.
- The value can contain attacker-controlled, user-controlled, tenant-controlled, or otherwise untrusted input.
- The value is not constrained by a safe
enum,pattern, or custom filter that excludes]]>. - The downstream service parses the generated XML structurally and may act on unexpected, duplicated, or injected elements.
Applications that serialize untrusted input into location: xml request parameters can emit XML containing attacker-controlled elements outside the intended text node. Depending on the receiving service, this can alter operation semantics, smuggle privileged fields, bypass modeled parameter boundaries, or create conflicting duplicated elements. Fixed service descriptions are sufficient if they contain an XML element parameter populated from attacker-controlled input.
Users are not directly affected if they only use Guzzle Services to deserialize HTTP response bodies. Response XML parsing uses the response XML location visitor and does not invoke the vulnerable request XML serializer. Response bodies matter only in a second-order flow, such as parsing attacker-controlled response XML, storing or forwarding a parsed string value, and later using it as a location: xml request parameter.
Example fixed service description:
'DisplayName' => ['location' => 'xml', 'type' => 'string']
If an attacker-controlled display name is:
Alice]]></DisplayName><Role>admin</Role><DisplayName><![CDATA[
the vulnerable serializer can emit an injected element outside the intended DisplayName text node:
<Request><DisplayName><![CDATA[Alice]]></DisplayName><Role>admin</Role><DisplayName><![CDATA[]]></DisplayName></Request>
If the downstream service treats <Role> as meaningful, the attacker has set a field the modeled DisplayName parameter was not intended to set.
Patches
The issue is patched in 1.5.4 and later by safely splitting embedded CDATA terminators before serialization. The fix preserves the original scalar value as XML text and prevents injected nodes.
Workarounds
If you cannot upgrade immediately, constrain attacker-controlled XML element values with a strict enum, pattern, or custom filter that excludes ]]>, or avoid serializing untrusted data into location: xml element text until patched. Where appropriate for the service schema, XML attributes are not affected because they are written with XMLWriter attribute APIs rather than CDATA sections.
To determine whether action is needed, search service descriptions for request parameters using location: xml, including operation parameters and additionalParameters. Response-only models are not directly affected unless parsed values are reused for request serialization. For object and array parameters, review nested scalar properties because leaf element values can still be affected.
References
- https://www.w3.org/TR/xml/#sec-cdata-sect
- https://www.php.net/manual/en/xmlwriter.writecdata.php
- https://www.php.net/manual/en/xmlwriter.text.php
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "guzzlehttp/guzzle-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53723"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:05:01Z",
"nvd_published_at": "2026-06-11T14:16:31Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n`guzzlehttp/guzzle-services` does not safely serialize scalar XML element values containing the CDATA terminator `]]\u003e`. The XML request serializer writes values containing `\u003c`, `\u003e`, or `\u0026` with `XMLWriter::writeCData($value)`. If attacker-controlled input contains `]]\u003e`, the CDATA section closes early and the remainder is interpreted as XML markup. This is an outgoing request-body integrity issue, not a response parsing issue. The attacker does not need to control the service description or schema.\n\nUsers are affected when all of the following are true:\n\n1. The application uses `guzzlehttp/guzzle-services` to serialize outgoing requests.\n2. A request parameter or `additionalParameters` schema uses `location: xml`.\n3. The value is serialized as XML element text, not an XML attribute.\n4. The value can contain attacker-controlled, user-controlled, tenant-controlled, or otherwise untrusted input.\n5. The value is not constrained by a safe `enum`, `pattern`, or custom filter that excludes `]]\u003e`.\n6. The downstream service parses the generated XML structurally and may act on unexpected, duplicated, or injected elements.\n\nApplications that serialize untrusted input into `location: xml` request parameters can emit XML containing attacker-controlled elements outside the intended text node. Depending on the receiving service, this can alter operation semantics, smuggle privileged fields, bypass modeled parameter boundaries, or create conflicting duplicated elements. Fixed service descriptions are sufficient if they contain an XML element parameter populated from attacker-controlled input.\n\nUsers are not directly affected if they only use Guzzle Services to deserialize HTTP response bodies. Response XML parsing uses the response XML location visitor and does not invoke the vulnerable request XML serializer. Response bodies matter only in a second-order flow, such as parsing attacker-controlled response XML, storing or forwarding a parsed string value, and later using it as a `location: xml` request parameter.\n\nExample fixed service description:\n\n```php\n\u0027DisplayName\u0027 =\u003e [\u0027location\u0027 =\u003e \u0027xml\u0027, \u0027type\u0027 =\u003e \u0027string\u0027]\n```\n\nIf an attacker-controlled display name is:\n\n```text\nAlice]]\u003e\u003c/DisplayName\u003e\u003cRole\u003eadmin\u003c/Role\u003e\u003cDisplayName\u003e\u003c![CDATA[\n```\n\nthe vulnerable serializer can emit an injected element outside the intended `DisplayName` text node:\n\n```xml\n\u003cRequest\u003e\u003cDisplayName\u003e\u003c![CDATA[Alice]]\u003e\u003c/DisplayName\u003e\u003cRole\u003eadmin\u003c/Role\u003e\u003cDisplayName\u003e\u003c![CDATA[]]\u003e\u003c/DisplayName\u003e\u003c/Request\u003e\n```\n\nIf the downstream service treats `\u003cRole\u003e` as meaningful, the attacker has set a field the modeled `DisplayName` parameter was not intended to set.\n\n### Patches\n\nThe issue is patched in `1.5.4` and later by safely splitting embedded CDATA terminators before serialization. The fix preserves the original scalar value as XML text and prevents injected nodes.\n\n### Workarounds\n\nIf you cannot upgrade immediately, constrain attacker-controlled XML element values with a strict `enum`, `pattern`, or custom filter that excludes `]]\u003e`, or avoid serializing untrusted data into `location: xml` element text until patched. Where appropriate for the service schema, XML attributes are not affected because they are written with XMLWriter attribute APIs rather than CDATA sections.\n\nTo determine whether action is needed, search service descriptions for request parameters using `location: xml`, including operation `parameters` and `additionalParameters`. Response-only `models` are not directly affected unless parsed values are reused for request serialization. For object and array parameters, review nested scalar properties because leaf element values can still be affected.\n\n### References\n\n- https://www.w3.org/TR/xml/#sec-cdata-sect\n- https://www.php.net/manual/en/xmlwriter.writecdata.php\n- https://www.php.net/manual/en/xmlwriter.text.php",
"id": "GHSA-q8r6-5hfw-5jff",
"modified": "2026-06-12T19:24:06Z",
"published": "2026-06-11T13:05:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/guzzle/guzzle-services/security/advisories/GHSA-q8r6-5hfw-5jff"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53723"
},
{
"type": "PACKAGE",
"url": "https://github.com/guzzle/guzzle-services"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "guzzlehttp/guzzle-services\u0027 XML Request Serialization Vulnerable to XML Injection via CDATA Terminator"
}
GHSA-QPG2-VX7J-3869
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2024-10-26 22:32ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "reportlab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-17626"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-27T16:52:31Z",
"nvd_published_at": "2019-10-16T12:15:00Z",
"severity": "CRITICAL"
},
"details": "ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with \u0027\u003cspan color=\"\u0027 followed by arbitrary Python code.",
"id": "GHSA-qpg2-vx7j-3869",
"modified": "2024-10-26T22:32:16Z",
"published": "2022-05-24T22:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17626"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4663"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20191016111823/https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4273-1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240719-0006"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-35"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZPHP2BJSTP4IYCSJRQINP763IHO6ASL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSCTOE3DITFICY2XKBYZ5WAF5TSQ52DM"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00019.html"
},
{
"type": "WEB",
"url": "https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/reportlab/PYSEC-2019-117.yaml"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qpg2-vx7j-3869"
},
{
"type": "PACKAGE",
"url": "https://github.com/MrBitBucket/reportlab-mirror"
},
{
"type": "WEB",
"url": "https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md"
},
{
"type": "WEB",
"url": "https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2019-17626"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0230"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0197"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0195"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XML Injection in ReportLab"
}
GHSA-QXQF-2MFX-X8JW
Vulnerability from github – Published: 2024-05-20 14:57 – Updated: 2026-05-14 20:45Impact
Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.
Patches
This has been patched and users should upgrade to veraPDF v1.24.2
Workarounds
This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.
References
Original issue: https://github.com/veraPDF/veraPDF-library/issues/1415
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:core-jakarta"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:core-arlington"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.127"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:verapdf-library-arlington"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.127"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:verapdf-library"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:verapdf-library-jakarta"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:library-arlington"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.127"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:library"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.verapdf:library-jakarta"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28109"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-20T14:57:07Z",
"nvd_published_at": "2024-03-28T14:15:13Z",
"severity": "HIGH"
},
"details": "### Impact\n\nExecuting policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.\n\n### Patches\n\nThis has been patched and users should upgrade to veraPDF v1.24.2\n\n### Workarounds\n\nThis doesn\u0027t affect the standard validation and policy checks functionality, veraPDF\u0027s common use cases. Most veraPDF users don\u0027t insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.\n\n### References\n\nOriginal issue: \u003chttps://github.com/veraPDF/veraPDF-library/issues/1415\u003e",
"id": "GHSA-qxqf-2mfx-x8jw",
"modified": "2026-05-14T20:45:29Z",
"published": "2024-05-20T14:57:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28109"
},
{
"type": "WEB",
"url": "https://github.com/veraPDF/veraPDF-library/issues/1415"
},
{
"type": "WEB",
"url": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb"
},
{
"type": "WEB",
"url": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f"
},
{
"type": "WEB",
"url": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe"
},
{
"type": "PACKAGE",
"url": "https://github.com/veraPDF/veraPDF-library"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "veraPDF has potential XSLT injection vulnerability when using policy files"
}
GHSA-R2R5-8RMR-3PXJ
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (writing outside a memory region created by mmap).
{
"affected": [],
"aliases": [
"CVE-2021-31347"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-16T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (writing outside a memory region created by mmap).",
"id": "GHSA-r2r5-8rmr-3pxj",
"modified": "2022-05-24T17:47:45Z",
"published": "2022-05-24T17:47:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31347"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00005.html"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/ezxml/bugs/27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.