
WS-2018-0181

Good to know:

Date: February 15, 2018

In xmlseclibs, versions prior to 3.0.2 are vulnerable to XPath injection. The vulnerability occurs when a user supplies malformed input that is used to construct an XPath query over XML data. 'src/XMLSecEnc.php' and 'src/XMLSecurityDSig.php' do not filter the XPath query at the point where the ID parameter is inserted.
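An added illustration (not code from xmlseclibs or from this advisory) of the pattern described above: an ID value interpolated into an XPath lookup, beside a hardened lookup that validates the ID as an NCName before it reaches the query. The function names, the validation regex and the sample XML are assumptions made for the example.

```php
<?php
// Added illustration, not xmlseclibs' own code. Shows an ID value placed
// directly into an XPath string literal, and a hardened lookup that rejects
// any value that is not a plain NCName before building the query.

function findByIdUnsafe(DOMDocument $doc, string $id): ?DOMElement
{
    $xpath = new DOMXPath($doc);
    // Vulnerable pattern: $id is interpolated into the string literal, so a
    // value containing a quote changes the structure of the query itself.
    $nodes = $xpath->query("//*[@Id='$id']");
    return ($nodes !== false && $nodes->length > 0) ? $nodes->item(0) : null;
}

function findByIdSafe(DOMDocument $doc, string $id): ?DOMElement
{
    // Assumption: IDs in signed documents are ASCII NCNames. This is stricter
    // than the XML spec (which allows some non-ASCII name characters), but it
    // excludes quotes, brackets and every other XPath metacharacter, so the
    // value can only ever be compared as data, never parsed as query syntax.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9._-]*$/', $id)) {
        throw new InvalidArgumentException('ID is not a valid NCName');
    }
    $xpath = new DOMXPath($doc);
    $nodes = $xpath->query("//*[@Id='$id']");
    return ($nodes !== false && $nodes->length > 0) ? $nodes->item(0) : null;
}

// Constructed sample document with ID-carrying elements, similar to the
// Reference targets an XML signature has to resolve.
$doc = new DOMDocument();
$doc->loadXML('<root><Data Id="ref-1">first</Data><Data Id="ref-2">second</Data></root>');

// A well-formed ID resolves normally.
$el = findByIdSafe($doc, 'ref-1');
echo $el->textContent, PHP_EOL;

// A value containing a quote character is rejected before any XPath is built.
try {
    findByIdSafe($doc, "ref-1'");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same validation applies wherever an untrusted attribute value or reference URI fragment is turned into an XPath predicate; logging rejected values gives a useful detection signal for probing attempts.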

Language: PHP

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to one of the following versions:

robrichards/xmlseclibs - 251.x-dev
robrichards/xmlseclibs - 3.0.x-dev
robrichards/xmlseclibs - 2.1.0
robrichards/xmlseclibs - 1.4.3
robrichards/xmlseclibs - 1.4.x-dev
robrichards/xmlseclibs - 3.0.2
simplesamlphp/xmlseclibs - dev-bugfix/xpath
simplesamlphp/xmlseclibs - no_fix
ninosimeon/xmlseclibs_sunat - no_fix
ninosimeon/xmlseclibs_sunat - 1.3.x-dev
redbus-peru/xmlseclibs - dev-delete_decrypt
redbus-peru/xmlseclibs - 1.3.x-dev
redbus-peru/xmlseclibs - no_fix
draganmorty/xmlseclibs - no_fix
craigowendavis/fuel-sdk-php - v1.0.0
tomasz-kusy/xmlseclibs - 1.4.3
tomasz-kusy/xmlseclibs - 1.4.x-dev
tomasz-kusy/xmlseclibs - 2.1.0
tomasz-kusy/xmlseclibs - no_fix
tomasz-kusy/xmlseclibs - 3.0.2
kouinkouin/xmlseclibs - 1.4.1
kouinkouin/xmlseclibs - 2.0.1
pfortin/fuel-sdk-php - v1.0.0
callbiruk/xmlseclibs - 1.4.x-dev
callbiruk/xmlseclibs - 2.1.0
callbiruk/xmlseclibs - 3.0.2
callbiruk/xmlseclibs - 3.0.x-dev
callbiruk/xmlseclibs - 1.4.3
callbiruk/xmlseclibs - no_fix
mohitjangra/xmlseclibs - 3.0.x-dev
mohitjangra/xmlseclibs - no_fix
mohitjangra/xmlseclibs - 2.1.0
mohitjangra/xmlseclibs - 1.4.x-dev
mohitjangra/xmlseclibs - 1.4.3
mohitjangra/xmlseclibs - 3.0.2
vertex-it/xmlseclibs - 2.1.0
vertex-it/xmlseclibs - 3.0.x-dev
vertex-it/xmlseclibs - 1.4.x-dev
vertex-it/xmlseclibs - 3.0.2
vertex-it/xmlseclibs - 1.4.3
vertex-it/xmlseclibs - no_fix
dragos/php-sdk2 - v1.0.0
salesforce-mc/fuel-sdk-php - v1.0.0
dragos/php-sdk - v1.0.0

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE
