Vulnerabilities > XML Injection (aka Blind XPath Injection)

DATE | CVE | VULNERABILITY TITLE | ATTACK VECTOR / COMPLEXITY | VENDOR | CWE | RISK (CVSS score)

2025-01-18 | CVE-2024-47113 | IBM ICP - Voice Gateway 1.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5, 1.0.6. | network / low complexity | | CWE-91 | 8.1

2024-08-13 | CVE-2024-42374 | XML Injection (aka Blind XPath Injection) vulnerability in SAP BEX web Java Runtime Export web Service | network / low complexity | sap | CWE-91 | 8.2
    BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source.

2024-02-16 | CVE-2024-25413 | XML Injection (aka Blind XPath Injection) vulnerability in Firebearstudio Improved Import & Export 3.8.6 | network / low complexity | firebearstudio | CWE-91 | 7.2
    An XSLT server-side injection vulnerability in the Import Jobs function of FireBear Improved Import And Export v3.8.6 allows attackers to execute arbitrary commands via a crafted XSLT file.

2023-11-16 | CVE-2023-46214 | XML Injection (aka Blind XPath Injection) vulnerability in Splunk Cloud and Splunk | network / low complexity | splunk | CWE-91 | 8.8
    In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply.

2023-09-27 | CVE-2023-43187 | XML Injection (aka Blind XPath Injection) vulnerability in Nodebb | network / low complexity | nodebb | CWE-91 | 9.8 (critical)
    A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.

2023-09-20 | CVE-2019-19450 | XML Injection (aka Blind XPath Injection) vulnerability in multiple products | network / low complexity | reportlab, debian | CWE-91 | 9.8 (critical)
    paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

2023-08-23 | CVE-2023-40612 | XML Injection (aka Blind XPath Injection) vulnerability in Opennms Horizon and Meridian | low complexity | opennms | CWE-91 | 8.0
    In OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor, which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges, is vulnerable to XXE injection attacks.

2023-05-18 | CVE-2019-25137 | XML Injection (aka Blind XPath Injection) vulnerability in Umbraco CMS | network / low complexity | umbraco | CWE-91 | 7.2
    Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

2023-03-17 | CVE-2023-27253 | XML Injection (aka Blind XPath Injection) vulnerability in Netgate Pfsense 2.7.0 | network / low complexity | netgate | CWE-91 | 8.8
    A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands by manipulating the contents of an XML file supplied to the component config.xml.

2023-01-24 | CVE-2023-22485 | XML Injection (aka Blind XPath Injection) vulnerability in Github Cmark-Gfm | network / low complexity | github | CWE-91 | 5.3
    cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C.