Common Weakness Enumeration

CWE-91

Allowed-with-Review

XML Injection (aka Blind XPath Injection)

Abstraction: Base · Status: Draft

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

190 vulnerabilities reference this CWE, most recent first.

GHSA-R3CJ-F3M2-C2XJ

Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25
VLAI
Details

Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-3932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-21T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.",
  "id": "GHSA-r3cj-f3m2-c2xj",
  "modified": "2022-05-17T02:25:50Z",
  "published": "2022-05-17T02:25:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3932"
    },
    {
      "type": "WEB",
      "url": "https://www.search-lab.hu/about-us/news/107-37-million-digitally-signed-documents-had-to-be-reverified"
    },
    {
      "type": "WEB",
      "url": "https://www.search-lab.hu/eakta"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/132473/Microsec-e-Szigno-Netlock-Mokka-XML-Signature-Wrapping.html"
    },
    {
      "type": "WEB",
      "url": "http://www.neih.gov.hu/?q=node/66"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/75489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6HC-8GVG-GR72

Vulnerability from github – Published: 2022-05-17 02:44 – Updated: 2022-05-17 02:44
VLAI
Details

In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-12T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.",
  "id": "GHSA-r6hc-8gvg-gr72",
  "modified": "2022-05-17T02:44:21Z",
  "published": "2022-05-17T02:44:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5654"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.3"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R82Q-4998-95R2

Vulnerability from github – Published: 2024-08-13 06:30 – Updated: 2024-08-13 06:30
VLAI
Details

BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T04:15:10Z",
    "severity": "HIGH"
  },
  "details": "BEx Web Java Runtime Export Web Service does not\nsufficiently validate an XML document accepted from an untrusted source. An\nattacker can retrieve information from the SAP ADS system and exhaust the\nnumber of XMLForm service which makes the SAP ADS rendering (PDF creation)\nunavailable. This affects the confidentiality and availability of the\napplication.",
  "id": "GHSA-r82q-4998-95r2",
  "modified": "2024-08-13T06:30:47Z",
  "published": "2024-08-13T06:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42374"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3485284"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9X5-WF23-5HH7

Vulnerability from github – Published: 2022-05-14 02:02 – Updated: 2022-05-14 02:02
VLAI
Details

Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-13T11:30:00Z",
    "severity": "HIGH"
  },
  "details": "Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.",
  "id": "GHSA-r9x5-wf23-5hh7",
  "modified": "2022-05-14T02:02:32Z",
  "published": "2022-05-14T02:02:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5024"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=453915"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9063"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32684"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32693"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32694"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32695"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32713"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32714"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32715"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32721"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32778"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32798"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32845"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32853"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33433"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33434"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/34501"
    },
    {
      "type": "WEB",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-667-1"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1669"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1671"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2009/dsa-1696"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2009/dsa-1697"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:228"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:230"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:235"
    },
    {
      "type": "WEB",
      "url": "http://www.mozilla.org/security/announce/2008/mfsa2008-58.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0976.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0977.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0978.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32281"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021192"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA08-319A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/3146"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/0977"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RGCM-M74W-VRFX

Vulnerability from github – Published: 2026-02-04 21:30 – Updated: 2026-02-05 18:30
VLAI
Details

XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T21:15:59Z",
    "severity": "MODERATE"
  },
  "details": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.",
  "id": "GHSA-rgcm-m74w-vrfx",
  "modified": "2026-02-05T18:30:30Z",
  "published": "2026-02-04T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1554"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPV2-G4PC-WP72

Vulnerability from github – Published: 2023-08-09 09:30 – Updated: 2025-03-04 18:18
VLAI
Summary
Magento Open Source allows XML Injection
Details

Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.6"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.5"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.4"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.6-p1"
            },
            {
              "fixed": "2.4.6-p2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.6-p1"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.5-p1"
            },
            {
              "fixed": "2.4.5-p4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.4-p1"
            },
            {
              "fixed": "2.4.4-p5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/project-community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-04T18:18:02Z",
    "nvd_published_at": "2023-08-09T08:15:09Z",
    "severity": "LOW"
  },
  "details": "Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-rpv2-g4pc-wp72",
  "modified": "2025-03-04T18:18:03Z",
  "published": "2023-08-09T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38207"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Magento Open Source allows XML Injection"
}

GHSA-RQVM-6HHW-247J

Vulnerability from github – Published: 2025-09-05 03:30 – Updated: 2025-09-05 03:30
VLAI
Details

XML Injection vulnerability in xmltodict allows Input Data Manipulation.This issue affects xmltodict: 0.14.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-01T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "XML Injection vulnerability in xmltodict allows Input Data Manipulation.This issue affects xmltodict: 0.14.2.",
  "id": "GHSA-rqvm-6hhw-247j",
  "modified": "2025-09-05T03:30:20Z",
  "published": "2025-09-05T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9375"
    },
    {
      "type": "WEB",
      "url": "https://github.com/martinblech/xmltodict/issues/377#issuecomment-3255691923"
    },
    {
      "type": "WEB",
      "url": "https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.XMLGenerator"
    },
    {
      "type": "WEB",
      "url": "https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/mono"
    },
    {
      "type": "WEB",
      "url": "https://github.com/martinblech/xmltodict"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VC42-MGR2-W34R

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-11-22 18:16
VLAI
Summary
Modoboa is vulnerable to an XML External Entity Injection (XXE)
Details

The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "modoboa-dmarc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-19702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-29T10:19:54Z",
    "nvd_published_at": "2019-12-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.",
  "id": "GHSA-vc42-mgr2-w34r",
  "modified": "2024-11-22T18:16:51Z",
  "published": "2022-05-24T17:03:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modoboa/modoboa-dmarc/issues/38"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modoboa/modoboa-dmarc/commit/14c29e0ad9487bdbe4cc0bd1f8bc711285bf9933"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modoboa/modoboa-dmarc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/modoboa-dmarc/PYSEC-2019-105.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2019-251.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Modoboa is vulnerable to an XML External Entity Injection (XXE)"
}

GHSA-VMH6-VV2C-7HW5

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2023-09-28 15:30
VLAI
Details

yWorks yEd Desktop before 3.20.1 allows code execution via an XSL Transformation when using an XML file in conjunction with a custom stylesheet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-17T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "yWorks yEd Desktop before 3.20.1 allows code execution via an XSL Transformation when using an XML file in conjunction with a custom stylesheet.",
  "id": "GHSA-vmh6-vv2c-7hw5",
  "modified": "2023-09-28T15:30:15Z",
  "published": "2022-05-24T17:28:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25216"
    },
    {
      "type": "WEB",
      "url": "https://www.yworks.com/products/yed/download"
    },
    {
      "type": "WEB",
      "url": "https://zigrin.com/advisories/yworks-yed-graph-editor-xslt-remote-code-execution-in-xml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPJ2-4H83-H98J

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-12-07 21:30
VLAI
Details

IBM Security Directory Server 6.4.0 does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. IBM X-Force ID: 165812.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-91"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-02T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Directory Server 6.4.0 does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. IBM X-Force ID: 165812.",
  "id": "GHSA-vpj2-4h83-h98j",
  "modified": "2022-12-07T21:30:30Z",
  "published": "2022-05-24T16:57:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4539"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/165812"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/1077045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

CAPEC-83: XPath Injection

An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.