CVE-2018-1000632

Command Injection

Affects dom4j in Spring

Versions: <= 1.6.1,< 2.0.3,= 2.1.0

Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

The dom4j library, in versions prior to 2.1.1, is affected by a CWE-91: XML Injection vulnerability specifically within the Element class. The flaw resides in the addElement and addAttribute methods, which fail to properly sanitize or escape special XML characters in user-provided input. Consequently, an attacker can supply malicious strings containing XML tags or attributes to manipulate the structure of generated XML documents. This structural tampering can lead to data corruption, logic bypasses, or unauthorized information disclosure within applications that rely on dom4j for XML construction. The issue was addressed and resolved in version 2.1.1 and subsequent releases.

Details

Module Info

  • Product: dom4j
  • Affected packages: dom4j
  • Affected versions: 1.6.1
  • GitHub repository: https://github.com/dom4j/dom4j
  • Published packages: https://central.sonatype.com/artifact/dom4j/dom4j
  • Package manager: Maven
  • Fixed In: NES for dom4j v1.6.1-dom4j-1.6.2

Vulnerability Info

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in the Element class, in the addElement and addAttribute methods, that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this, changing to the latest version of org.dom4j:dom4j is recommended.

Mitigation

  • Upgrade dom4j to versions 2.1.1 or 2.0.3 (or newer) to ensure that addElement and addAttribute methods correctly escape special characters.
  • Sanitize user-provided strings before passing them to XML construction methods to prevent structural manipulation of the document.
  • Implement XML Schema (XSD) validation for any generated or received XML to ensure the document structure remains within expected bounds.
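
One way to apply the second mitigation above, as an added example (not code from dom4j or HeroDevs): an allow-list check on names before they reach Element.addElement() or Element.addAttribute(). The class SafeXmlBuilder, its helper methods and the 64-character limit are assumptions made for illustration, and it assumes the untrusted string is used as the element or attribute name; the inputs are constructed, the second being the payload from Steps To Reproduce.

```java
import java.util.regex.Pattern;
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

/** Added example (hypothetical helper): guard in front of dom4j's name-taking methods. */
public final class SafeXmlBuilder {
    // Conservative ASCII subset of XML names: a letter or underscore first, then
    // letters, digits, '_', '.', '-'. No colon, whitespace, quotes or angle brackets.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]{0,63}");

    static String requireSafeName(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            // Do not echo the rejected input back into logs or responses.
            throw new IllegalArgumentException("rejected XML name");
        }
        return name;
    }

    static Element addElement(Element parent, String untrustedName) {
        return parent.addElement(requireSafeName(untrustedName));
    }

    static Element addAttribute(Element parent, String untrustedName, String value) {
        // Only the name is checked here; the value is passed through unchanged.
        return parent.addAttribute(requireSafeName(untrustedName), value);
    }

    public static void main(String[] args) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("profile");
        // Constructed inputs: a benign name, then the advisory's sample payload.
        String[] names = { "nickname", ">content<original attr=\"" };
        for (String n : names) {
            try {
                addElement(root, n).addText("value");
                System.out.println("accepted: " + n);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + n);
            }
        }
        // Only the accepted element appears under <profile>.
        System.out.println(doc.asXML());
    }
}
```

The guard rejects rather than rewrites bad names, so a caller never emits an element or attribute whose name differs from what was requested.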

Steps To Reproduce

  1. Use an application that depends on a vulnerable version of dom4j (e.g., 1.6.1 or 2.1.0) and uses Element.addElement() or Element.addAttribute() with user input.
  2. Identify a feature where a user-provided string is used to build an XML element or attribute (e.g., a profile name or description field).
  3. Submit a crafted payload containing XML meta-characters or structural elements, such as ">content<original attr=".
  4. Observe the generated XML output to verify that the injected characters were not escaped, resulting in unauthorized elements or broken document structure.

Vulnerability Details

  • Severity: High
  • ID: CVE-2018-1000632
  • Project Affected: dom4j
  • Versions Affected: <= 1.6.1,< 2.0.3,= 2.1.0
  • NES Versions Affected:
  • Published date: August 20, 2018
  • ≈ Fix date: September 1, 2018
  • Category: Command Injection

Severity Level (CVSS Assessment)

  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10