SYM_PY_0169 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
XML Injection
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-91: XML Injection |
OWASP | A03:2021 - Injection |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | High |
Description
Building TwiML (Twilio Markup Language) responses from user input or other variable data without proper escaping can let attackers inject malicious XML elements, which Twilio then interprets as TwiML instructions. This happens when dynamic strings are used directly to create TwiML responses.
Impact
If exploited, attackers could manipulate the TwiML sent to Twilio, potentially making unauthorized calls, sending messages, or altering call behavior. This can lead to abuse of your Twilio account, data leakage, or disruption of communication services.