XML Injection (aka Blind XPath Injection)
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-27 | CVE-2017-15683 | XML Injection (aka Blind XPath Injection) vulnerability in Craftercms Crafter CMS 3.0.0. In Crafter CMS Crafter Studio 3.0.1, an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. | 8.6 |
2020-11-26 | CVE-2020-29128 | XML Injection (aka Blind XPath Injection) vulnerability in Petl Project Petl. petl before 1.68, in some configurations, allows resolution of entities in an XML document. | 9.8 |
2020-10-12 | CVE-2020-4774 | XML Injection (aka Blind XPath Injection) vulnerability in IBM Curam Social Program Management 7.0.10.0/7.0.9.0. An XPath vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10, caused by the improper handling of user-supplied input. | 5.4 |
2020-09-17 | CVE-2020-25216 | XML Injection (aka Blind XPath Injection) vulnerability in Yworks YED. yWorks yEd Desktop before 3.20.1 allows code execution via an XSL Transformation when using an XML file in conjunction with a custom stylesheet. | 9.8 |
2020-06-10 | CVE-2020-6271 | XML Injection (aka Blind XPath Injection) vulnerability in SAP Solution Manager 7.2. SAP Solution Manager (Problem Context Manager), version 7.2, does not perform the necessary authentication, allowing an attacker to consume large amounts of memory, causing the system to crash and read restricted data (files visible for technical administration users of the diagnostics agent). | 8.2 |
2020-06-10 | CVE-2020-6260 | XML Injection (aka Blind XPath Injection) vulnerability in SAP Solution Manager 7.20. SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to inject superfluous data that can be displayed by the application, due to incomplete XML validation. | 5.3 |
2020-04-29 | CVE-2020-8479 | XML Injection (aka Blind XPath Injection) vulnerability in ABB 800Xa System, Compact HMI and Control Builder Safe. For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2, Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB Ability™ SCADAvantage versions 5.1 to 5.6.5. | 9.8 |
2020-04-15 | CVE-2020-11535 | XML Injection (aka Blind XPath Injection) vulnerability in Onlyoffice Document Server 5.5.0. An issue was discovered in ONLYOFFICE Document Server 5.5.0. | 9.8 |
2020-02-18 | CVE-2015-6970 | XML Injection (aka Blind XPath Injection) vulnerability in Boschsecurity Nbn-498 Dinion2X Day/Night IP Cameras Firmware 4.54.0026. The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to rcp.xml. | 9.8 |
2020-01-14 | CVE-2020-0646 | XML Injection (aka Blind XPath Injection) vulnerability in Microsoft .Net Framework. A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'. | 9.8 |