Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-91 (XML注入(XPath盲注)) — Vulnerability Class 50

50 vulnerabilities classified as CWE-91 (XML注入(XPath盲注)). AI Chinese analysis included.

CWE-91, known as XML Injection or Blind XPath Injection, is a critical input validation weakness where applications fail to properly neutralize special characters within XML data. Attackers typically exploit this vulnerability by injecting malicious XPath queries into user-supplied input fields, manipulating the syntax of XML documents before they are processed. This allows adversaries to bypass authentication mechanisms, extract sensitive data, or alter application logic without receiving direct error feedback, hence the "blind" nature of the attack. To prevent such exploits, developers must rigorously sanitize all user inputs by escaping or removing dangerous characters like quotes and angle brackets. Additionally, employing parameterized queries or using secure XML parsing libraries that enforce strict schema validation ensures that user data is treated strictly as content rather than executable code, effectively neutralizing the injection vector.

MITRE CWE Description
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax.
Common Consequences (1)
Confidentiality, Integrity, AvailabilityExecute Unauthorized Code or Commands, Read Application Data, Modify Application Data
Mitigations (1)
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
CVE IDTitleCVSSSeverityPublished
CVE-2023-40612 Authenticated XXE Injection Via The File Editor — Horizon 5.3 Medium2023-08-23
CVE-2023-38207 Adobe Commerce XML Injection (aka Blind XPath Injection) Arbitrary file system read — Adobe Commerce 7.5 High2023-08-09
CVE-2023-29289 Adobe Commerce XML Injection Security feature bypass — Magento Commerce 6.5 Medium2023-06-15
CVE-2023-22247 Adobe Commerce XML Injection Arbitrary file system read — Magento Commerce 7.5 High2023-03-27
CVE-2022-35259 Ivanti Endpoint Manager 安全漏洞 — Ivanti Endpoint Manager 7.8 -2022-12-05
CVE-2022-22244 Junos OS: Unauthenticated XPath Injection vulnerability in J-Web — Junos OS 5.3 Medium2022-10-18
CVE-2022-34253 Adobe Commerce XML Injection Arbitrary code execution — Magento Commerce 7.2 -2022-08-16
CVE-2022-2458 Business-central 代码问题漏洞 — Red Hat Process Automation Manager 7 8.2 -2022-08-09
CVE-2021-27777 HCL Unica Platform is vulnerable to XML External Entity (XXE) injection — HCL Unica 7.5 High2022-05-12
CVE-2022-20729 Cisco Firepower Threat Defense Software XML Injection Vulnerability — Cisco Firepower Threat Defense Software 4.4 Medium2022-05-03
CVE-2021-22524 Denial of service vulnerability in NetIQ Access Manager versions prior to version 4.5.4 and 5.0.1 — NetIQ Access Manager 5.4 Medium2021-09-13
CVE-2021-39181 Unsafe Deserialization of User Data Using XStream — OpenOLAT 8.8 High2021-09-01
CVE-2021-36020 Magento Commerce XML Injection Vulnerability In The 'City' Field Could Lead To Remote Code Execution — Magento Commerce 8.2 High2021-09-01
CVE-2021-36028 Magento Commerce XML Injection Vulnerability Could Lead To Remote Code Execution — Magento Commerce 9.1 Critical2021-09-01
CVE-2021-36033 Magento Commerce Widgets Module XML Injection Vulnerability Could Lead To Remote Code Execution — Magento Commerce 9.1 Critical2021-09-01
CVE-2021-32758 Layout XML Arbitrary Code Fix — magento-lts 7.2 High2021-08-27
CVE-2021-21025 Magento Commerce XML Injection Could Lead To Arbitrary Code Execution — Magento Commerce 9.1 -2021-02-11
CVE-2021-21019 Magento Commerce XML Injection Could Lead To Remote Code Execution — Magento Commerce 9.1 -2021-02-11
CVE-2020-8479 ABB Central Licensing System - XML External Entity Injection — Central Licensing System 9.4 Critical2020-04-29
CVE-2019-17323 ClipSoft REXPERT 安全漏洞 — REXPERT 8.8 -2019-10-30

Vulnerabilities classified as CWE-91 (XML注入(XPath盲注)) represent 50 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.