CWE-643 13 個 CVE MITRE 定義 ↗

CWE-643:Improper Neutralization of Data within XPath Expressions ('XPath Injection')

概覽

CWE-643(Improper Neutralization of Data within XPath Expressions ('XPath Injection'))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-44962 2026-05-29 Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allo…
CVE-2026-40699 2026-05-13 A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information.  Note: Software vers…
CVE-2026-24343 2026-02-10 Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0. Users are recommended to…
CVE-2025-11844 2025-10-22 Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath qu…
CVE-2025-20218 2025-08-14 A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to retrieve sensitive information from an …
CVE-2022-43840 2025-04-14 IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to exfiltrate sensitive application data and/or determine the str…
CVE-2024-39565 2024-07-10 An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execu…
CVE-2024-2648 2024-03-19 A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of…
CVE-2024-2645 2024-03-19 A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /vpnweb/resetpwd/resetpwd.php. The manipulation …
CVE-2023-36433 2023-10-10 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2023-36429 2023-10-10 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2023-24922 2023-03-14 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2020-25162 2022-04-14 A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to acces…

曾用名

  • Unsafe Treatment of XPath Input (2008-10-14)
  • Failure to Sanitize Data within XPath Expressions (aka 'XPath injection') (2009-05-27)
  • Failure to Sanitize Data within XPath Expressions ('XPath injection') (2010-04-05)

內容提交

名稱
Evgeny Lebanidze
組織
Cigital
日期
2008-01-30
版本
Draft 8

內容修訂

日期 名稱 版本 重要性 評論
2008-09-08 CWE Content Team 1.0 updated Common_Consequences, Relationships
2008-10-14 CWE Content Team 1.0.1 updated Description, Name, References, Relationship_Notes
2009-03-10 CWE Content Team 1.3 updated Demonstrative_Examples
2009-05-27 CWE Content Team 1.4 updated Name
2009-10-29 CWE Content Team 1.6 updated Common_Consequences
2010-02-16 CWE Content Team 1.8 updated Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Description, Name
2010-06-21 CWE Content Team 1.9 updated Enabling_Factors_for_Exploitation
2010-12-13 CWE Content Team 1.11 updated Common_Consequences
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-06-23 CWE Content Team 2.7 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
2018-03-27 CWE Content Team 3.1 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2024-02-29 CWE Content Team 4.14 updated Demonstrative_Examples
2025-12-11 CWE Content Team 4.19 updated Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence