In xmlseclibs, versions prior to version 3.0.2 are vulnerable against XPath injection. The vulnerability occurs when a user supply malformed information to construct a XPath query for XML data. 'src/XMLSecEnc.php' and 'src/XMLSecurityDSig.php' do not filter xpath query were the ID parameter takes place.
WS-2018-0181 - Medium Severity Vulnerability
A PHP library for XML Security
Dependency Hierarchy: - :x: **robrichards/xmlseclibs-3.0.1** (Vulnerable Library)
Found in HEAD commit: 9265509e6f8f33da6589d91be95eae590b521f37
Found in base branch: master
In xmlseclibs, versions prior to version 3.0.2 are vulnerable against XPath injection. The vulnerability occurs when a user supply malformed information to construct a XPath query for XML data. 'src/XMLSecEnc.php' and 'src/XMLSecurityDSig.php' do not filter xpath query were the ID parameter takes place.
Publish Date: 2018-02-15
URL: WS-2018-0181
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2018-02-15
Fix Resolution: 3.0.2