Vulnerabilities > XML Injection (aka Blind XPath Injection)

DATE CVE VULNERABILITY TITLE RISK
2020-06-10 CVE-2020-6271 XML Injection (aka Blind XPath Injection) vulnerability in SAP Solution Manager 7.2
SAP Solution Manager (Problem Context Manager), version 7.2, does not perform the necessary authentication, allowing an attacker to consume large amounts of memory, causing the system to crash and read restricted data (files visible for technical administration users of the diagnostics agent).
network
low complexity
sap CWE-91
8.2
2020-06-10 CVE-2020-6260 XML Injection (aka Blind XPath Injection) vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to inject superflous data that can be displayed by the application, due to Incomplete XML Validation.
network
low complexity
sap CWE-91
5.3
2020-04-29 CVE-2020-8479 XML Injection (aka Blind XPath Injection) vulnerability in ABB 800Xa System, Compact HMI and Control Builder Safe
For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB AbilityTM SCADAvantage versions 5.1 to 5.6.5.
network
low complexity
abb CWE-91
critical
9.8
2020-04-15 CVE-2020-11535 XML Injection (aka Blind XPath Injection) vulnerability in Onlyoffice Document Server 5.5.0
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
network
low complexity
onlyoffice CWE-91
critical
9.8
2020-02-18 CVE-2015-6970 XML Injection (aka Blind XPath Injection) vulnerability in Boschsecurity Nbn-498 Dinion2X Day/Night IP Cameras Firmware 4.54.0026
The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to rcp.xml.
network
low complexity
boschsecurity CWE-91
critical
9.8
2020-01-14 CVE-2020-0646 XML Injection (aka Blind XPath Injection) vulnerability in Microsoft .Net Framework
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'.
network
low complexity
microsoft CWE-91
critical
9.8
2020-01-08 CVE-2014-1409 XML Injection (aka Blind XPath Injection) vulnerability in Mobileiron Sentry and Virtual Smartphone Platform
MobileIron VSP versions prior to 5.9.1 and Sentry versions prior to 5.0 have an authentication bypass vulnerability due to an XML file with obfuscated passwords
network
low complexity
mobileiron CWE-91
critical
9.1
2019-11-09 CVE-2018-1721 XML Injection (aka Blind XPath Injection) vulnerability in IBM Cognos Analytics 11.0.0/11.1.0
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data.
network
low complexity
ibm CWE-91
8.8
2019-11-06 CVE-2019-8158 XML Injection (aka Blind XPath Injection) vulnerability in Magento
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1.
network
low complexity
magento CWE-91
critical
9.8
2019-10-30 CVE-2019-17323 XML Injection (aka Blind XPath Injection) vulnerability in Clipsoft Rexpert 1.0.0.527
ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation and execution via report print function of rexpert viewer with modified XML document.
network
low complexity
clipsoft CWE-91
8.8