XSLT Injection

high Web App Scanning Plugin ID 114162

Language:

Synopsis

XSLT Injection

Description

An XSLT Injection is when an attacker tries to inject XSLT documents to the application.

This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

See Also

https://owasp.org/www-pdf-archive/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf

Plugin Details

Severity: High

ID: 114162

Type: remote

Family: Injection

Published: 1/26/2024

Updated: 1/26/2024

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.8

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 91

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

WASC: XPath Injection

CAPEC: 250, 83

DISA STIG: APSC-DV-002550

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API8

OWASP ASVS: 4.0.2-5.3.10

PCI-DSS: 3.2-6.5.1