CVE-2025-12921
BaseFortify
Publication date: 2025-11-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclinica | openclinica | 3.12.2 |
| openclinica | openclinica | 3.13 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-91 | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClinica Community Edition up to versions 3.12.2/3.13, specifically in the CRF Data Import component's /ImportCRFData?action=confirm endpoint. Manipulation of the xml_file argument leads to an XML injection vulnerability (CWE-91): an attacker can remotely inject XML content through this parameter, and the application does not properly neutralize it before the XML is processed.
How can this vulnerability impact me?
The vulnerability allows remote attackers to perform XML injection by manipulating the xml_file argument. This can potentially lead to unauthorized disclosure of data within the affected system, compromising the confidentiality of information. The impact is limited to confidentiality; integrity and availability are not affected.