CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

If exploited, CWE-652 (Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

Recommended mitigations for CWE-652 include: Use parameterized queries. This will help ensure separation between data plane and control plane. Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.

CWE-652 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

A CWE (Common Weakness Enumeration) like CWE-652 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.