CWE-91
Allowed-with-ReviewXML Injection (aka Blind XPath Injection)
Abstraction: Base · Status: Draft
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
190 vulnerabilities reference this CWE, most recent first.
GHSA-R3CJ-F3M2-C2XJ
Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.
{
"affected": [],
"aliases": [
"CVE-2015-3932"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-21T14:29:00Z",
"severity": "HIGH"
},
"details": "Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.",
"id": "GHSA-r3cj-f3m2-c2xj",
"modified": "2022-05-17T02:25:50Z",
"published": "2022-05-17T02:25:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3932"
},
{
"type": "WEB",
"url": "https://www.search-lab.hu/about-us/news/107-37-million-digitally-signed-documents-had-to-be-reverified"
},
{
"type": "WEB",
"url": "https://www.search-lab.hu/eakta"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/132473/Microsec-e-Szigno-Netlock-Mokka-XML-Signature-Wrapping.html"
},
{
"type": "WEB",
"url": "http://www.neih.gov.hu/?q=node/66"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/75489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R6HC-8GVG-GR72
Vulnerability from github – Published: 2022-05-17 02:44 – Updated: 2022-05-17 02:44In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.
{
"affected": [],
"aliases": [
"CVE-2017-5654"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-12T21:29:00Z",
"severity": "HIGH"
},
"details": "In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.",
"id": "GHSA-r6hc-8gvg-gr72",
"modified": "2022-05-17T02:44:21Z",
"published": "2022-05-17T02:44:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5654"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.3"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.5.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R82Q-4998-95R2
Vulnerability from github – Published: 2024-08-13 06:30 – Updated: 2024-08-13 06:30BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.
{
"affected": [],
"aliases": [
"CVE-2024-42374"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T04:15:10Z",
"severity": "HIGH"
},
"details": "BEx Web Java Runtime Export Web Service does not\nsufficiently validate an XML document accepted from an untrusted source. An\nattacker can retrieve information from the SAP ADS system and exhaust the\nnumber of XMLForm service which makes the SAP ADS rendering (PDF creation)\nunavailable. This affects the confidentiality and availability of the\napplication.",
"id": "GHSA-r82q-4998-95r2",
"modified": "2024-08-13T06:30:47Z",
"published": "2024-08-13T06:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42374"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3485284"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R9X5-WF23-5HH7
Vulnerability from github – Published: 2022-05-14 02:02 – Updated: 2022-05-14 02:02Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.
{
"affected": [],
"aliases": [
"CVE-2008-5024"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-13T11:30:00Z",
"severity": "HIGH"
},
"details": "Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.",
"id": "GHSA-r9x5-wf23-5hh7",
"modified": "2022-05-14T02:02:32Z",
"published": "2022-05-14T02:02:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5024"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=453915"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9063"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32684"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32693"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32694"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32695"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32713"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32714"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32715"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32721"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32778"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32798"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32845"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32853"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33433"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33434"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/34501"
},
{
"type": "WEB",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-667-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1669"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1671"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2009/dsa-1696"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2009/dsa-1697"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:228"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:230"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:235"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2008/mfsa2008-58.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0976.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0977.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0978.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32281"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1021192"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA08-319A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/3146"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/0977"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RGCM-M74W-VRFX
Vulnerability from github – Published: 2026-02-04 21:30 – Updated: 2026-02-05 18:30XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
{
"affected": [],
"aliases": [
"CVE-2026-1554"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T21:15:59Z",
"severity": "MODERATE"
},
"details": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.",
"id": "GHSA-rgcm-m74w-vrfx",
"modified": "2026-02-05T18:30:30Z",
"published": "2026-02-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1554"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RPV2-G4PC-WP72
Vulnerability from github – Published: 2023-08-09 09:30 – Updated: 2025-03-04 18:18Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.6"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.5"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.4"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.6-p1"
},
{
"fixed": "2.4.6-p2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.6-p1"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.5-p1"
},
{
"fixed": "2.4.5-p4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.4-p1"
},
{
"fixed": "2.4.4-p5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38207"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-04T18:18:02Z",
"nvd_published_at": "2023-08-09T08:15:09Z",
"severity": "LOW"
},
"details": "Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.",
"id": "GHSA-rpv2-g4pc-wp72",
"modified": "2025-03-04T18:18:03Z",
"published": "2023-08-09T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38207"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Magento Open Source allows XML Injection"
}
GHSA-RQVM-6HHW-247J
Vulnerability from github – Published: 2025-09-05 03:30 – Updated: 2025-09-05 03:30XML Injection vulnerability in xmltodict allows Input Data Manipulation.This issue affects xmltodict: 0.14.2.
{
"affected": [],
"aliases": [
"CVE-2025-9375"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-01T17:15:33Z",
"severity": "MODERATE"
},
"details": "XML Injection vulnerability in xmltodict allows Input Data Manipulation.This issue affects xmltodict: 0.14.2.",
"id": "GHSA-rqvm-6hhw-247j",
"modified": "2025-09-05T03:30:20Z",
"published": "2025-09-05T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9375"
},
{
"type": "WEB",
"url": "https://github.com/martinblech/xmltodict/issues/377#issuecomment-3255691923"
},
{
"type": "WEB",
"url": "https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.XMLGenerator"
},
{
"type": "WEB",
"url": "https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/mono"
},
{
"type": "WEB",
"url": "https://github.com/martinblech/xmltodict"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VC42-MGR2-W34R
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-11-22 18:16The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "modoboa-dmarc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-19702"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-29T10:19:54Z",
"nvd_published_at": "2019-12-10T20:15:00Z",
"severity": "HIGH"
},
"details": "The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML documents that are emailed to the address in the rua field of the DMARC records of a domain.",
"id": "GHSA-vc42-mgr2-w34r",
"modified": "2024-11-22T18:16:51Z",
"published": "2022-05-24T17:03:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19702"
},
{
"type": "WEB",
"url": "https://github.com/modoboa/modoboa-dmarc/issues/38"
},
{
"type": "WEB",
"url": "https://github.com/modoboa/modoboa-dmarc/commit/14c29e0ad9487bdbe4cc0bd1f8bc711285bf9933"
},
{
"type": "PACKAGE",
"url": "https://github.com/modoboa/modoboa-dmarc"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/modoboa-dmarc/PYSEC-2019-105.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2019-251.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Modoboa is vulnerable to an XML External Entity Injection (XXE)"
}
GHSA-VMH6-VV2C-7HW5
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2023-09-28 15:30yWorks yEd Desktop before 3.20.1 allows code execution via an XSL Transformation when using an XML file in conjunction with a custom stylesheet.
{
"affected": [],
"aliases": [
"CVE-2020-25216"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T19:15:00Z",
"severity": "CRITICAL"
},
"details": "yWorks yEd Desktop before 3.20.1 allows code execution via an XSL Transformation when using an XML file in conjunction with a custom stylesheet.",
"id": "GHSA-vmh6-vv2c-7hw5",
"modified": "2023-09-28T15:30:15Z",
"published": "2022-05-24T17:28:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25216"
},
{
"type": "WEB",
"url": "https://www.yworks.com/products/yed/download"
},
{
"type": "WEB",
"url": "https://zigrin.com/advisories/yworks-yed-graph-editor-xslt-remote-code-execution-in-xml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPJ2-4H83-H98J
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-12-07 21:30IBM Security Directory Server 6.4.0 does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. IBM X-Force ID: 165812.
{
"affected": [],
"aliases": [
"CVE-2019-4539"
],
"database_specific": {
"cwe_ids": [
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-02T15:15:00Z",
"severity": "HIGH"
},
"details": "IBM Security Directory Server 6.4.0 does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. IBM X-Force ID: 165812.",
"id": "GHSA-vpj2-4h83-h98j",
"modified": "2022-12-07T21:30:30Z",
"published": "2022-05-24T16:57:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4539"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/165812"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/1077045"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.