CVE-2019-8158

CRITICAL Year: 2019
CVSS v3 Score
9.8
Critical
CVSS v2 Score
7.5
High
Weakness Type
CWE-91
View all →

Vulnerability Description

An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to page cache block rendering module that gets passed to XML data processing engine without validation. The crafted key/value GET request data allows an attacker to limited access to underlying XML data.

Related Vulnerabilities

CVE-2013-4857

CRITICAL
CVSS:9.8(Critical)

D-Link DIR-865L has PHP File Inclusion in the router xml file.

CWE-912013

CVE-2013-7429

CRITICAL
CVSS:9.8(Critical)

The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to conduct XML injection attacks via the url parameter to plugin_googlemap2_proxy.php.

CWE-912013

CVE-2015-6970

CRITICAL
CVSS:9.8(Critical)

The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night IP Cameras with H.264 Firmware 4.54.0026 allows remote attackers to conduct XML injection attacks via the idstring parameter to r...

CWE-912015

CVE-2019-14277

CRITICAL
CVSS:9.8(Critical)

Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST...

CWE-912019

CVE-2019-16941

CRITICAL
CVSS:9.8(Critical)

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in...

CWE-912019

CVE-2019-17626

CRITICAL
CVSS:9.8(Critical)

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

CWE-912019