CWE-91
Allowed-with-ReviewXML Injection (aka Blind XPath Injection)
Abstraction: Base · Status: Draft
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
190 vulnerabilities reference this CWE, most recent first.
GHSA-37MH-M4CP-8V5P
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-10-28 12:00For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, an XML External Entity Injection vulnerability exists that allows an attacker to read or call arbitrary files from the license server and/or from the network and also block the license handling.
{
"affected": [],
"aliases": [
"CVE-2020-8479"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-29T02:15:00Z",
"severity": "HIGH"
},
"details": "For the Central Licensing Server component used in ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, an XML External Entity Injection vulnerability exists that allows an attacker to read or call arbitrary files from the license server and/or from the network and also block the license handling.",
"id": "GHSA-37mh-m4cp-8v5p",
"modified": "2022-10-28T12:00:34Z",
"published": "2022-05-24T22:28:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8479"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-154-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-38CR-2PH5-FRR9
Vulnerability from github – Published: 2018-10-16 19:35 – Updated: 2024-01-05 16:06The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-rest-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.1"
},
{
"fixed": "2.5.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1327"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:54:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.",
"id": "GHSA-38cr-2ph5-frr9",
"modified": "2024-01-05T16:06:12Z",
"published": "2018-10-16T19:35:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1327"
},
{
"type": "WEB",
"url": "https://github.com/apache/struts/commit/4260bee634cb606be6071bce2383fddb510608aa"
},
{
"type": "WEB",
"url": "https://github.com/apache/struts/commit/67ecf3a21608e20449bcb7895b22204b400fecd4"
},
{
"type": "WEB",
"url": "https://github.com/apache/struts/commit/9260720568cee9e868d2899228eceed0c3359323"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/WW/S2-056"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/struts"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r02c2d634fa74209d941c90f9a4cd36a6f12366ca65f9b90446ff2de3@%3Cissues.struts.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf482c101a88445d73cc2e89dbf7f16ae00a4aa79a544a1e72b2326db@%3Cissues.struts.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180330-0001"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227124859/http://www.securityfocus.com/bid/103516"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200923124543/http://www.securitytracker.com/id/1040575"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Struts REST Plugin can potentially allow a DoS attack"
}
GHSA-3PQX-5G5H-696J
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (out-of-bounds read after a certain strcspn failure).
{
"affected": [],
"aliases": [
"CVE-2021-31348"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-16T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (out-of-bounds read after a certain strcspn failure).",
"id": "GHSA-3pqx-5g5h-696j",
"modified": "2022-05-24T17:47:45Z",
"published": "2022-05-24T17:47:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31348"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00005.html"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/ezxml/bugs/27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3Q59-H5WV-VGCG
Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell
{
"affected": [],
"aliases": [
"CVE-2018-16785"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-19T15:29:00Z",
"severity": "HIGH"
},
"details": "XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell",
"id": "GHSA-3q59-h5wv-vgcg",
"modified": "2022-05-14T01:38:48Z",
"published": "2022-05-14T01:38:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16785"
},
{
"type": "WEB",
"url": "https://github.com/ky-j/dedecms/issues/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3X55-3V35-WG88
Vulnerability from github – Published: 2025-01-18 18:30 – Updated: 2025-08-18 18:30IBM ICP - Voice Gateway 1.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5, 1.0.6. 1.0.7, 1.0.7.1, and 1.0.8 could allow remote attacker to send specially crafted XML statements, which would allow them to attacker to view or modify information in the XML document.
{
"affected": [],
"aliases": [
"CVE-2024-47113"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-18T16:15:38Z",
"severity": "HIGH"
},
"details": "IBM ICP - Voice Gateway\u00a01.0.2, 1.0.2.4, 1.0.3, 1.0.4, 1.0.5, 1.0.6. 1.0.7, 1.0.7.1, and 1.0.8 could allow remote attacker to send specially crafted XML statements, which would allow them to attacker to view or modify information in the XML document.",
"id": "GHSA-3x55-3v35-wg88",
"modified": "2025-08-18T18:30:32Z",
"published": "2025-01-18T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47113"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7175791"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3X9X-VHQJ-CV27
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2025-11-06 23:37Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7-p1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.3.7"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.2-p1"
},
{
"fixed": "2.4.2-p2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.2"
]
}
],
"aliases": [
"CVE-2021-36022"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-78",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-06T23:37:58Z",
"nvd_published_at": "2021-09-01T15:15:00Z",
"severity": "HIGH"
},
"details": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.",
"id": "GHSA-3x9x-vhqj-cv27",
"modified": "2025-11-06T23:37:58Z",
"published": "2022-05-24T19:12:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36022"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Magento XML Injection vulnerability in the Widgets Update Layout"
}
GHSA-4452-V8JV-H496
Vulnerability from github – Published: 2024-02-16 03:30 – Updated: 2024-08-06 18:30A XSLT Server Side injection vulnerability in the Import Jobs function of FireBear Improved Import And Export v3.8.6 allows attackers to execute arbitrary commands via a crafted XSLT file.
{
"affected": [],
"aliases": [
"CVE-2024-25413"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-16T02:15:51Z",
"severity": "CRITICAL"
},
"details": "A XSLT Server Side injection vulnerability in the Import Jobs function of FireBear Improved Import And Export v3.8.6 allows attackers to execute arbitrary commands via a crafted XSLT file.",
"id": "GHSA-4452-v8jv-h496",
"modified": "2024-08-06T18:30:48Z",
"published": "2024-02-16T03:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25413"
},
{
"type": "WEB",
"url": "https://github.com/capture0x/Magento-ver.-2.4.6"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/175801/FireBear-Improved-Import-And-Export-3.8.6-XSLT-Server-Side-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-44R5-GGVF-F482
Vulnerability from github – Published: 2025-08-21 15:30 – Updated: 2025-08-21 18:31An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 7.0.1p02 allows an authenticated, unprivileged attacker to achieve information disclosure and privilege escalation via a crafted ISys XML message.
{
"affected": [],
"aliases": [
"CVE-2025-47184"
],
"database_specific": {
"cwe_ids": [
"CWE-112",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-21T13:15:36Z",
"severity": "MODERATE"
},
"details": "An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 7.0.1p02 allows an authenticated, unprivileged attacker to achieve information disclosure and privilege escalation via a crafted ISys XML message.",
"id": "GHSA-44r5-ggvf-f482",
"modified": "2025-08-21T18:31:26Z",
"published": "2025-08-21T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47184"
},
{
"type": "WEB",
"url": "https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0004.md"
},
{
"type": "WEB",
"url": "https://www.exagrid.com/exagrid-products/exagrid-product-line"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-45C6-75P6-83CC
Vulnerability from github – Published: 2026-05-08 16:27 – Updated: 2026-05-14 20:37Summary
The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.
Impact
Any application with comment property enabled allow attacker to inject malicious or unwanted code like JS script tag in the XML/HTML output.
Workarounds
Check for the presence of 3 consecutive dashes externally in the property value used for comment tag.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-builder"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.5"
},
{
"fixed": "1.1.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.1.5"
]
}
],
"aliases": [
"CVE-2026-44664"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T16:27:28Z",
"nvd_published_at": "2026-05-13T16:16:58Z",
"severity": "MODERATE"
},
"details": "# Summary\nThe fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes `--` sequences in XML comment content using .replace(/--/g, \u0027- -\u0027). This skip the values containing three consecutive dashes (e.g., ---\u003e...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.\n\n### Impact\nAny application with comment property enabled allow attacker to inject malicious or unwanted code like JS script tag in the XML/HTML output.\n\n### Workarounds\nCheck for the presence of 3 consecutive dashes externally in the property value used for comment tag.",
"id": "GHSA-45c6-75p6-83cc",
"modified": "2026-05-14T20:37:30Z",
"published": "2026-05-08T16:27:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44664"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-builder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "fast-xml-builder Comment Value regex can be bypassed"
}
GHSA-45W3-2HVV-PFXQ
Vulnerability from github – Published: 2022-05-17 04:39 – Updated: 2024-03-05 00:06The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-6408"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-07T23:22:41Z",
"nvd_published_at": "2013-12-07T20:55:00Z",
"severity": "MODERATE"
},
"details": "The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.",
"id": "GHSA-45w3-2hvv-pfxq",
"modified": "2024-03-05T00:06:44Z",
"published": "2022-05-17T04:39:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6408"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/7239a57a51ea0f4d05dd330ce5e15e4f72f72747"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/lucene-solr"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/SOLR-4881"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1844.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/11/29/2"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "XML Injection in Apache Solr"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.