CWE-652 2 个 CVE MITRE 定义 ↗

CWE-652:Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

概览

CWE-652(Improper Neutralization of Data within XQuery Expressions ('XQuery Injection'))描述一种在漏洞数据库与安全评估中使用的弱点类型;定义、背景与映射 CVE 见下方各节。

安全影响
安全影响:因产品与场景而异;请结合 CVE 记录、严重度评分与 MITRE 说明进行优先级判断。

描述

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

适用平台

类型 名称 普遍性 OS / CPE
language Not Language-Specific Undetermined

本库相关 CVE

下列 CVE 在本库中映射到该弱点,并保留以便追溯与检索。

CVE 公开时间 摘要
CVE-2023-28676 2023-04-02 A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remot…
CVE-2023-25015 2023-02-01 Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.

曾用名

  • Unsafe Treatment of XQuery Input (2008-10-14)
  • Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection') (2009-05-27)
  • Failure to Sanitize Data within XQuery Expressions ('XQuery Injection') (2010-04-05)

内容提交

名称
Evgeny Lebanidze
组织
Cigital
日期
2008-01-30
版本
Draft 8

内容修订

日期 名称 版本 重要性 评论
2008-09-08 CWE Content Team 1.0 updated Common_Consequences, Relationships
2008-10-14 CWE Content Team 1.0.1 updated Description, Name, Relationship_Notes
2009-05-27 CWE Content Team 1.4 updated Name
2009-10-29 CWE Content Team 1.6 updated Common_Consequences
2010-02-16 CWE Content Team 1.8 updated Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Description, Name
2010-12-13 CWE Content Team 1.11 updated Common_Consequences
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-06-23 CWE Content Team 2.7 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships
2018-03-27 CWE Content Team 3.1 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Weakness_Ordinalities
cvelogic Threat Intelligence