Details
Alert Id 90017
Alert Type Active
Status release
Risk Medium
CWE 91
WASC 23
Technologies Targeted All
Tags OWASP_2017_A01, OWASP_2021_A03

Summary

Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, or execute arbitrary code.

Solution

Sanitize and validate every user input coming from any client-side source before it reaches an XSL transformation.
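As an added illustration of that solution (example code written for this page, not part of the ZAP scan rule or of any project it scans), the following Java class shows the hardened shape of an XSLT transformation in a JAXP-based application: the stylesheet is a fixed server-side resource and is never assembled from request data, the one user-controlled value is allow-listed and passed as escaped XML data rather than as XSLT, and the TransformerFactory is locked down so that extension functions, external DTDs and external stylesheet loading are unavailable. The stylesheet text, the `SAFE_NAME` allow-list and the `render` helper are constructed assumptions for this example; the `XMLConstants` features and attributes are the standard JAXP ones.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedXsltExample {

    // Constructed for this example: the only stylesheet the application
    // ever compiles. It is a trusted server resource, not request input.
    private static final String TRUSTED_XSLT =
        "<xsl:stylesheet version=\"1.0\" "
      + "xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      + "Hello, <xsl:value-of select=\"/greeting/name\"/>"
      + "</xsl:template></xsl:stylesheet>";

    // Constructed allow-list for the single user-controlled value. It is
    // carried in the XML data document, never spliced into the stylesheet.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9 ]{1,40}");

    // Standard JAXP hardening. FEATURE_SECURE_PROCESSING disables extension
    // functions (the usual route to code execution); the two ACCESS_EXTERNAL_*
    // attributes set to "" block external DTDs and xsl:import / xsl:include /
    // document() fetches. Older third-party XSLT engines may reject the
    // attributes with IllegalArgumentException; the JDK's built-in engine accepts them.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Minimal XML text escaping so a value can never break out of its element.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Validate, then transform trusted XSLT over escaped data.
    static String render(String untrustedName) throws Exception {
        if (!SAFE_NAME.matcher(untrustedName).matches()) {
            throw new IllegalArgumentException("name rejected by allow-list");
        }
        Transformer t = hardenedFactory()
            .newTransformer(new StreamSource(new StringReader(TRUSTED_XSLT)));
        Source data = new StreamSource(new StringReader(
            "<greeting><name>" + escapeXml(untrustedName) + "</name></greeting>"));
        StringWriter out = new StringWriter();
        t.transform(data, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(render("Ada"));
        try {
            // Constructed input that attempts to close the <name> element;
            // it is rejected by the allow-list before any parsing happens.
            render("Ada</name><extra/>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The factory settings are the part to check during review: a transformation that is fed a stylesheet derived from user input cannot be made safe by configuration alone, but `FEATURE_SECURE_PROCESSING` plus empty `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` values remove the file, network and code-execution reach that the summary above describes even when an injection slips through.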

References

Code

org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java