
XML Injection (aka Blind XPath Injection) in dom4j:dom4j

CVE-2018-1000632

  • dom4j:dom4j
  • org.dom4j:dom4j
Severity High
Score 7.5/10

Summary

dom4j prior to 2.0.3, and 2.1.x prior to 2.1.1, contains a CWE-91 XML Injection vulnerability in the Element class, methods addElement and addAttribute: element and attribute names passed to these methods are not validated, so an attacker who controls such a name can inject additional elements or attributes into the XML document when it is serialized. The attack appears to be exploitable wherever untrusted input reaches an element or attribute name rather than an element's text or an attribute's value. To resolve this issue, upgrade to version 2.0.3 or 2.1.1. Please note: the Maven coordinates changed from dom4j:dom4j to org.dom4j:dom4j in version 2.0.0.
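The following is an added example, not code from the advisory or from the dom4j project. It shows the vulnerable pattern (untrusted input used as an element or attribute name) next to the hardened pattern (fixed names, untrusted input only ever placed in text or attribute values, which dom4j escapes). The attacker inputs are constructed for the example; the only assumed dependency is org.dom4j:dom4j on the classpath, and the expectation that patched releases reject the crafted names with an IllegalArgumentException from name validation is an assumption noted in the code.

```java
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

/*
 * Added example (not dom4j project code) for CVE-2018-1000632.
 * Assumed dependency: org.dom4j:dom4j on the classpath. Run main() against
 * the version you ship to see how it behaves.
 */
public class Dom4jNameInjection {

    // Constructed attacker inputs.
    // The element name closes the empty <user/> start tag early and smuggles
    // a sibling <role> element in; the attribute name closes its own value
    // early and appends a second attribute.
    static final String EVIL_ELEMENT_NAME = "user/><role>admin</role><user";
    static final String EVIL_ATTR_NAME = "name=\"alice\" role";

    /** Vulnerable pattern: untrusted input used as element and attribute NAMES. */
    public static String vulnerableBuild(String elementName, String attrName) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("report");
        // On affected versions the name is written verbatim between '<' and '/>'.
        root.addElement(elementName);
        // On affected versions the name is written verbatim before '="user"'.
        root.addElement("account").addAttribute(attrName, "user");
        return doc.asXML();
    }

    /**
     * Hardened pattern: names are literals chosen by the code, untrusted input
     * is only ever a text or attribute VALUE. dom4j escapes '<', '&' and '"'
     * in values, so the same payloads become inert character data.
     */
    public static String hardenedBuild(String untrustedName, String untrustedRole) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("report");
        root.addElement("user").setText(untrustedName);
        root.addElement("account")
            .addAttribute("name", untrustedName)
            .addAttribute("role", untrustedRole);
        return doc.asXML();
    }

    public static void main(String[] args) {
        try {
            // Affected versions: prints a document containing an injected
            // <role>admin</role> element and an injected name="alice" attribute.
            // 2.0.3 / 2.1.1 and later: name validation is expected to reject the
            // crafted names (assumption: by throwing IllegalArgumentException).
            System.out.println(vulnerableBuild(EVIL_ELEMENT_NAME, EVIL_ATTR_NAME));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by dom4j: " + e.getMessage());
        }
        // Same payloads as values: escaped, never parsed as markup.
        System.out.println(hardenedBuild(EVIL_ELEMENT_NAME, "user"));
    }
}
```

The practical check for a code base is therefore not "does dom4j escape output" (it does, for values) but "can any caller influence the first argument of addElement, addAttribute, or the QName passed to them". Upgrading closes the gap inside the library; until then, treat those name arguments as code, not data, and only ever pass literals or values validated against the XML Name production yourself.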

CVSS 3.0 metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: NONE
  • Integrity: HIGH
  • Availability: NONE

CWE-91 - XML Injection (aka Blind XPath Injection)

The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Advisory Timeline

  • Published