Vulnerabilities > XML Injection (aka Blind XPath Injection)
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-13 | CVE-2024-42374 | XML Injection (aka Blind XPath Injection) vulnerability in SAP BEX web Java Runtime Export web Service BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. | 8.2 |
| 2023-11-16 | CVE-2023-46214 | XML Injection (aka Blind XPath Injection) vulnerability in Splunk Cloud and Splunk In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. | 8.8 |
| 2023-09-27 | CVE-2023-43187 | XML Injection (aka Blind XPath Injection) vulnerability in Nodebb A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests. | 9.8 |
| 2023-09-20 | CVE-2019-19450 | XML Injection (aka Blind XPath Injection) vulnerability in multiple products paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626. | 9.8 |
| 2023-08-23 | CVE-2023-40612 | XML Injection (aka Blind XPath Injection) vulnerability in Opennms Horizon and Meridian In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. | 8.0 |
| 2023-08-09 | CVE-2023-38207 | XML Injection (aka Blind XPath Injection) vulnerability in Adobe Commerce Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. | 7.5 |
| 2023-06-15 | CVE-2023-29289 | XML Injection (aka Blind XPath Injection) vulnerability in Adobe Commerce and Magento Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. | 6.5 |
| 2023-05-18 | CVE-2019-25137 | XML Injection (aka Blind XPath Injection) vulnerability in Umbraco CMS Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. | 7.2 |
| 2023-03-27 | CVE-2023-22247 | Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. | 7.5 |
| 2023-03-17 | CVE-2023-27253 | XML Injection (aka Blind XPath Injection) vulnerability in Netgate Pfsense 2.7.0 A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml. | 8.8 |