CWE-91 - XML Injection (aka Blind XPath Injection)

CWE-91

Abstraction:
Base

Structure:
Simple

Status:
Draft

Weakness Name: XML Injection (aka Blind XPath Injection)

Description: The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Within XML, special elements could include reserved words or characters such as "<", ">", """, and "&", which could then be used to add new data or modify XML syntax.

Common Consequences: Scope: Confidentiality, Integrity, Availability
Impact: Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data

Related Weaknesses: CWE-74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')High

Related Alerts: XSLT InjectionMedium

Release Date:
2006-07-19

Latest Modification Date:
2023-06-29

Free security scan for your website

Don't show website scan report rating on the leaderboard