CWE-91
Allowed-with-ReviewXML Injection (aka Blind XPath Injection)
Abstraction: Base · Status: Draft
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
190 vulnerabilities reference this CWE, most recent first.
GHSA-JX9G-7QH9-QWJ2
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-06-01 00:00A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-21830"
],
"database_specific": {
"cwe_ids": [
"CWE-787",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-13T19:15:00Z",
"severity": "CRITICAL"
},
"details": "A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT\u0026T Labs\u2019 Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-jx9g-7qh9-qwj2",
"modified": "2022-06-01T00:00:25Z",
"published": "2022-05-24T22:28:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21830"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1293"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXXQ-V434-PMG5
Vulnerability from github – Published: 2025-11-10 00:30 – Updated: 2025-11-10 00:30A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-12921"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T00:15:44Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-jxxq-v434-pmg5",
"modified": "2025-11-10T00:30:24Z",
"published": "2025-11-10T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12921"
},
{
"type": "WEB",
"url": "https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-xxe.md"
},
{
"type": "WEB",
"url": "https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-xxe.md#poc"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.331641"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.331641"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.680872"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M3P3-XHRF-JXM7
Vulnerability from github – Published: 2023-05-18 09:30 – Updated: 2024-04-04 04:14Umbraco CMS 7.12.4 allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.
{
"affected": [],
"aliases": [
"CVE-2019-25137"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-18T07:15:08Z",
"severity": "HIGH"
},
"details": "Umbraco CMS 7.12.4 allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.",
"id": "GHSA-m3p3-xhrf-jxm7",
"modified": "2024-04-04T04:14:15Z",
"published": "2023-05-18T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25137"
},
{
"type": "WEB",
"url": "https://0xdf.gitlab.io/2020/09/05/htb-remote.html"
},
{
"type": "WEB",
"url": "https://github.com/Ickarah/CVE-2019-25137-Version-Research"
},
{
"type": "WEB",
"url": "https://github.com/noraj/Umbraco-RCE"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46153"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MF9J-RPWF-5XGF
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 211402.
{
"affected": [],
"aliases": [
"CVE-2021-38948"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-02T16:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 211402.",
"id": "GHSA-mf9j-rpwf-5xgf",
"modified": "2022-05-24T19:19:27Z",
"published": "2022-05-24T19:19:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38948"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211402"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6509632"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MH3M-QV7G-HJVV
Vulnerability from github – Published: 2023-03-18 00:30 – Updated: 2023-03-23 15:30A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.
{
"affected": [],
"aliases": [
"CVE-2023-27253"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-17T22:15:00Z",
"severity": "HIGH"
},
"details": "A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.",
"id": "GHSA-mh3m-qv7g-hjvv",
"modified": "2023-03-23T15:30:29Z",
"published": "2023-03-18T00:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27253"
},
{
"type": "WEB",
"url": "https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94"
},
{
"type": "WEB",
"url": "https://redmine.pfsense.org/issues/13935"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPF7-M9X4-8PXW
Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.
{
"affected": [],
"aliases": [
"CVE-2015-3931"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-21T14:29:00Z",
"severity": "HIGH"
},
"details": "Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.",
"id": "GHSA-mpf7-m9x4-8pxw",
"modified": "2022-05-17T02:25:46Z",
"published": "2022-05-17T02:25:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3931"
},
{
"type": "WEB",
"url": "https://e-szigno.hu/letoltesek/programok-driverek.html"
},
{
"type": "WEB",
"url": "https://www.search-lab.hu/about-us/news/107-37-million-digitally-signed-documents-had-to-be-reverified"
},
{
"type": "WEB",
"url": "https://www.search-lab.hu/eakta"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/132473/Microsec-e-Szigno-Netlock-Mokka-XML-Signature-Wrapping.html"
},
{
"type": "WEB",
"url": "http://www.neih.gov.hu/?q=node/66"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/75487"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR9X-R224-2F2X
Vulnerability from github – Published: 2022-05-14 02:00 – Updated: 2022-05-14 02:00DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.
{
"affected": [],
"aliases": [
"CVE-2018-16784"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-21T15:29:00Z",
"severity": "HIGH"
},
"details": "DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a \"\u003cfile type=\u0027file\u0027 name=\u0027../\" substring.",
"id": "GHSA-mr9x-r224-2f2x",
"modified": "2022-05-14T02:00:54Z",
"published": "2022-05-14T02:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16784"
},
{
"type": "WEB",
"url": "https://github.com/ky-j/dedecms/issues/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MW95-GMW4-883P
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2024-01-10 20:09Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.6-p1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.1-p1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21019"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-10T20:09:23Z",
"nvd_published_at": "2021-02-11T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.",
"id": "GHSA-mw95-gmw4-883p",
"modified": "2024-01-10T20:09:23Z",
"published": "2022-05-24T17:41:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21019"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Magento XML injection in the Widgets module"
}
GHSA-MWWQ-V92J-38XR
Vulnerability from github – Published: 2023-11-16 21:30 – Updated: 2023-11-16 21:30In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.
{
"affected": [],
"aliases": [
"CVE-2023-46214"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-16T21:15:08Z",
"severity": "HIGH"
},
"details": "In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.",
"id": "GHSA-mwwq-v92j-38xr",
"modified": "2023-11-16T21:30:46Z",
"published": "2023-11-16T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46214"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-1104"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/6cb7e011-55fb-48e3-a98d-164fa854e37e"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/a053e6a6-2146-483a-9798-2d43652f3299"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176154/Splunk-XSLT-Upload-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2VM-88RG-WFR2
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-06-03 15:51In Crafter CMS Crafter Studio 3.0 prior to 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.craftercms:crafter-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-15683"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-03T15:51:04Z",
"nvd_published_at": "2020-11-27T18:15:00Z",
"severity": "HIGH"
},
"details": "In Crafter CMS Crafter Studio 3.0 prior to 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.",
"id": "GHSA-p2vm-88rg-wfr2",
"modified": "2022-06-03T15:51:04Z",
"published": "2022-05-24T17:34:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15683"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/en/3.0/security/advisory.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML injection in Crafter CMS"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.