Vulnerabilities > XML Injection (aka Blind XPath Injection)

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDOR / CWE | RISK |
|---|---|---|---|---|---|---|---|
| 2021-08-30 | CVE-2021-36359 | XML Injection (aka Blind XPath Injection) vulnerability in Bscw Classic | OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because `reportlab\platypus\paraparser.py` (reached via `bscw.cgi op=_editfolder.EditFolder`) calls eval on attacker-supplied Python code. | network | low complexity | bscw, CWE-91 | 8.8 |
| 2021-08-25 | CVE-2021-37154 | XML Injection (aka Blind XPath Injection) vulnerability in Forgerock Access Management | In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion. | network | low complexity | forgerock, CWE-91 | 9.8 (critical) |
| 2021-07-27 | CVE-2021-32796 | XML Injection (aka Blind XPath Injection) vulnerability in Xmldom Project Xmldom | xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. | network | low complexity | xmldom-project, CWE-91 | 5.3 |
| 2021-04-16 | CVE-2021-31347 | XML Injection (aka Blind XPath Injection) vulnerability in multiple products | An issue was discovered in `libezxml.a` in ezXML 0.8.6. | network | low complexity | ezxml-project, debian, CWE-91 | 6.5 |
| 2020-12-07 | CVE-2020-29599 | XML Injection (aka Blind XPath Injection) vulnerability in multiple products | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the `-authenticate` option, which allows setting a password for password-protected PDF files. | local | low complexity | imagemagick, debian, CWE-91 | 7.8 |
| 2020-11-27 | CVE-2017-15685 | XML Injection (aka Blind XPath Injection) vulnerability in Craftercms Crafter CMS 3.0.0 | Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). | network | low complexity | craftercms, CWE-91 | 8.6 |
| 2020-11-27 | CVE-2017-15683 | XML Injection (aka Blind XPath Injection) vulnerability in Craftercms Crafter CMS 3.0.0 | In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. | network | low complexity | craftercms, CWE-91 | 8.6 |
| 2020-11-26 | CVE-2020-29128 | XML Injection (aka Blind XPath Injection) vulnerability in Petl Project Petl | petl before 1.68, in some configurations, allows resolution of entities in an XML document. | network | low complexity | petl-project, CWE-91 | 9.8 (critical) |
| 2020-10-12 | CVE-2020-4774 | XML Injection (aka Blind XPath Injection) vulnerability in IBM Curam Social Program Management 7.0.10.0/7.0.9.0 | An XPath vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10, caused by the improper handling of user-supplied input. | network | low complexity | ibm, CWE-91 | 5.4 |
| 2020-09-17 | CVE-2020-25216 | XML Injection (aka Blind XPath Injection) vulnerability in Yworks YED | yWorks yEd Desktop before 3.20.1 allows code execution via an XSL Transformation when using an XML file in conjunction with a custom stylesheet. | network | low complexity | yworks, CWE-91 | 9.8 (critical) |