CVE-2018-1000632: dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an…

high7.5CVSS 3.1

AVNACLPRNUINSUCNIHAN

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Affected

33 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	dom4j	< dom4j 2.1.1-1 (bookworm)	dom4j 2.1.1-1 (bookworm)
dom4j_project	dom4j	>= 0 < 2.1.1-1	2.1.1-1
dom4j_project	dom4j	>= 0 < 2.1.1-1	2.1.1-1
dom4j_project	dom4j	>= 0 < 2.1.1-1	2.1.1-1
dom4j_project	dom4j	>= 0 < 2.1.1-1	2.1.1-1
dom4j_project	dom4j	>= 0 < 1.6.1+dfsg.3-2ubuntu1.2	1.6.1+dfsg.3-2ubuntu1.2
dom4j_project	dom4j	>= 2.0.0 < 2.0.3	2.0.3
dom4j_project	dom4j	>= 2.1.0 < 2.1.1	2.1.1
oracle	flexcube_investor_servicing	—	—
oracle	flexcube_investor_servicing	—	—
oracle	flexcube_investor_servicing	—	—
oracle	flexcube_investor_servicing	—	—
oracle	flexcube_investor_servicing	—	—
oracle	primavera_p6_enterprise_project_portfolio_management	16.1.0.0 – 16.2.20.1	—
oracle	primavera_p6_enterprise_project_portfolio_management	17.1.0.0 – 17.12.17.1	—
oracle	primavera_p6_enterprise_project_portfolio_management	18.1.0.0 – 18.8.19.0	—
oracle	primavera_p6_enterprise_project_portfolio_management	19.12.0.0 – 19.12.6.0	—
oracle	rapid_planning	—	—
oracle	rapid_planning	—	—
oracle	retail_integration_bus	—	—
oracle	retail_integration_bus	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

osv7.5HIGH