SYM_CS_0012 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

| Property | Value |
| --- | --- |
| Language | csharp |
| Severity | medium |
| CWE | CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |

Description

The code builds XPath queries using user input without proper validation or sanitization. This allows attackers to inject malicious data into the query, potentially altering its logic or accessing unauthorized XML data.
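
The pattern described above next to a hardened form, as an example added here (not code from the rule or the Symbiotic database). The XML document, its element and attribute names, and the class and method names are constructed for illustration. The input is an ordinary surname containing an apostrophe, which is enough to show the caller's data being parsed as XPath syntax.

```csharp
using System;
using System.Linq;
using System.Xml;
using System.Xml.Linq;
using System.Xml.XPath;

public static class UserLookup
{
    // Constructed sample document; element and attribute names are assumptions.
    private const string Xml = @"<users>
  <user name=""alice"" role=""admin"" />
  <user name=""O'Brien"" role=""staff"" />
</users>";

    // Flagged pattern: the caller's string is concatenated into the expression,
    // so any quote character in it becomes part of the XPath syntax.
    public static string RoleUnsafe(string name)
    {
        var doc = new XmlDocument();
        doc.LoadXml(Xml);
        XmlNode node = doc.SelectSingleNode("/users/user[@name='" + name + "']/@role");
        return node?.Value;
    }

    // Hardened: the query structure is fixed in code and the input is only
    // ever compared as a value, so it cannot change which nodes are selected.
    public static string RoleSafe(string name)
    {
        XDocument doc = XDocument.Parse(Xml);
        return doc.Root
            .Elements("user")
            .Where(u => (string)u.Attribute("name") == name)
            .Select(u => (string)u.Attribute("role"))
            .FirstOrDefault();
    }

    public static void Main()
    {
        Console.WriteLine("safe lookup: " + RoleSafe("O'Brien"));
        try
        {
            Console.WriteLine("unsafe lookup: " + RoleUnsafe("O'Brien"));
        }
        catch (XPathException ex)
        {
            // The apostrophe closed the string literal early: data was read as syntax.
            Console.WriteLine("unsafe lookup failed to parse: " + ex.Message);
        }
    }
}
```

Where XPath itself must be kept, the same principle applies: bind the input as a value (for example through a custom `XsltContext` variable) or validate it against a strict allowlist before it reaches the expression.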

Impact

If exploited, an attacker could bypass authentication, extract sensitive information, or manipulate XML data by injecting crafted input. This can lead to data breaches, unauthorized access, or compromise of application integrity.