| Property | Value |
|---|---|
| Language | java |
| Severity | high |
| CWE | CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |

Description

User input from HTTP requests is used directly in XPath queries without proper sanitization. Because the input is concatenated into the query string, an attacker can supply XPath syntax that changes the structure of the query rather than just its values, potentially reading or manipulating XML data in unintended ways.

Impact

If exploited, attackers can bypass authentication checks, retrieve sensitive information, or modify XML-based data by injecting crafted input. This can lead to unauthorized data exposure, data manipulation, and compromise of application integrity.
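The following is an added illustration, not code from the rule or any project it describes: an authentication check that concatenates request parameters into an XPath predicate, beside the same check with the values bound as XPath variables via `XPathVariableResolver`. The `users` document, the `loginUnsafe`/`loginSafe` method names and the sample input are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public class XPathInjectionExample {
    // Constructed sample document standing in for an XML-backed user store.
    static final String USERS_XML =
          "<users>"
        + "<user><name>alice</name><password>s3cret</password></user>"
        + "<user><name>bob</name><password>hunter2</password></user>"
        + "</users>";

    static Document load() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
    }

    // VULNERABLE: request parameters are spliced into the query text, so the
    // caller controls the query's structure, not just the compared values.
    static boolean loginUnsafe(String user, String pass) throws Exception {
        String expr = "boolean(/users/user[name='" + user + "' and password='" + pass + "'])";
        XPath xp = XPathFactory.newInstance().newXPath();
        return (Boolean) xp.evaluate(expr, load(), XPathConstants.BOOLEAN);
    }

    // HARDENED: the query is a fixed string; the values arrive through a
    // variable resolver and are compared as opaque strings, never parsed.
    static boolean loginSafe(final String user, final String pass) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name -> {
            if ("user".equals(name.getLocalPart())) return user;
            if ("pass".equals(name.getLocalPart())) return pass;
            return null;
        });
        String expr = "boolean(/users/user[name=$user and password=$pass])";
        return (Boolean) xp.evaluate(expr, load(), XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input that turns the unsafe predicate into a tautology.
        String tautology = "' or '1'='1";
        System.out.println(loginUnsafe(tautology, tautology)); // true: check bypassed
        System.out.println(loginSafe(tautology, tautology));   // false: treated as a literal
    }
}
```

The fix to flag for this rule is the second form: keep the XPath expression constant and pass untrusted values only through variables (or, where the XPath API in use lacks variable binding, validate input against a strict allow-list before it reaches the query).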