Vulnerabilities > Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

DATE CVE VULNERABILITY TITLE RISK
2020-08-20 CVE-2020-15146 Expression Language Injection vulnerability in Sylius Syliusresourcebundle
In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly.
network
low complexity
sylius CWE-917
8.8
2020-08-20 CVE-2020-15143 Expression Language Injection vulnerability in Sylius Syliusresourcebundle
In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly.
network
low complexity
sylius CWE-917
8.8
2020-07-14 CVE-2020-9297 Expression Language Injection vulnerability in Netflix Titus
Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation (JSR 380) custom constraint validators.
network
low complexity
netflix CWE-917
critical
9.8
2020-06-16 CVE-2020-9296 Expression Language Injection vulnerability in Netflix Conductor
Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators.
network
low complexity
netflix CWE-917
critical
9.8
2020-05-20 CVE-2020-3956 Expression Language Injection vulnerability in VMWare Vcloud Director
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability.
network
low complexity
vmware CWE-917
8.8
2020-05-04 CVE-2020-1959 Expression Language Injection vulnerability in Apache Syncope
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability.
network
low complexity
apache CWE-917
critical
9.8
2020-04-01 CVE-2020-10199 Expression Language Injection vulnerability in Sonatype Nexus
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
network
low complexity
sonatype CWE-917
8.8
2020-01-28 CVE-2020-7799 Expression Language Injection vulnerability in Fusionauth
An issue was discovered in FusionAuth before 1.11.0.
network
low complexity
fusionauth CWE-917
7.2
2020-01-15 CVE-2019-16469 Expression Language Injection vulnerability in Adobe Experience Manager
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability.
network
low complexity
adobe CWE-917
7.5
2019-06-14 CVE-2019-12822 Expression Language Injection vulnerability in Embedthis Goahead
In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and potential DoS, as demonstrated by a colon on a line by itself.
network
low complexity
embedthis CWE-917
7.5