Vulnerabilities > XML Injection (aka Blind XPath Injection)

DATE CVE VULNERABILITY TITLE RISK
2019-10-25 CVE-2013-4857 XML Injection (aka Blind XPath Injection) vulnerability in Dlink Dir-865L Firmware
D-Link DIR-865L has PHP File Inclusion in the router xml file.
network
low complexity
dlink CWE-91
critical
9.8
2019-10-16 CVE-2019-17626 XML Injection (aka Blind XPath Injection) vulnerability in Reportlab
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
network
low complexity
reportlab CWE-91
critical
9.8
2019-10-08 CVE-2019-0370 XML Injection (aka Blind XPath Injection) vulnerability in SAP Financial Consolidation 10.0/10.1
Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.
network
low complexity
sap CWE-91
6.5
2019-10-02 CVE-2019-4539 XML Injection (aka Blind XPath Injection) vulnerability in IBM Security Directory Server 6.4.0
IBM Security Directory Server 6.4.0 does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
network
low complexity
ibm CWE-91
7.1
2019-09-28 CVE-2019-16941 XML Injection (aka Blind XPath Injection) vulnerability in NSA Ghidra
NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document.
network
low complexity
nsa CWE-91
critical
9.8
2019-07-26 CVE-2019-14277 XML Injection (aka Blind XPath Injection) vulnerability in Axway Securetransport
Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API.
network
low complexity
axway CWE-91
critical
9.8
2019-07-15 CVE-2019-1010017 XML Injection (aka Blind XPath Injection) vulnerability in Libnmap
libnmap < v0.6.3 is affected by: XML Injection.
network
low complexity
libnmap CWE-91
7.5
2019-05-22 CVE-2019-9892 XML Injection (aka Blind XPath Injection) vulnerability in multiple products
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6.
network
low complexity
otrs debian CWE-91
6.5
2019-03-12 CVE-2019-0268 XML Injection (aka Blind XPath Injection) vulnerability in SAP Businessobjects Business Intelligence 4.1/4.2/4.3
SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently validate an XML document accepted from an untrusted source.
network
low complexity
sap CWE-91
8.1
2018-11-14 CVE-2018-19277 XML Injection (aka Blind XPath Injection) vulnerability in PHPoffice PHPspreadsheet
securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
network
low complexity
phpoffice CWE-91
8.8