/alerttags/cwe-917/ Recent content in CWE-917 on ZAP Hugo en-us /docs/alerts/90025/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/90025/ <p>The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.</p>