Category: Comprehensive Categorization: Injection
Incomplete
Summary
Weaknesses in this category are related to injection.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-102 | Struts: Duplicate Validation Forms | This vulnerability occurs when an application defines multiple Struts validation forms with identical names. The framework then unpredictably selects only one form for validation, potentially bypassing intended security checks. |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | This vulnerability occurs when an application accepts user-supplied data and includes it directly in HTTP headers without properly filtering out carriage return (CR) and line feed (LF) characters. This allows an attacker to inject new headers or split a single HTTP response into two separate responses, corrupting the intended communication flow. |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | This vulnerability occurs when an application writes user-supplied data into a CSV file without properly sanitizing special characters. Spreadsheet programs like Excel or Google Sheets interpret entries starting with '=' as executable formulas, which can lead to malicious command execution when the file is opened. |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | This vulnerability occurs when an application uses a template engine to process user-controlled input but fails to properly sanitize special syntax characters. Attackers can inject template expressions or directives that the engine executes, leading to unintended code execution. |
| CWE-1426 | Improper Validation of Generative AI Output | This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before using it. Without this validation, the AI's responses might contain security flaws, harmful content, or data leaks that violate the application's intended policies. |
| CWE-1427 | Improper Neutralization of Input Used for LLM Prompting | This vulnerability occurs when an application builds prompts for a Large Language Model (LLM) using external data, but does so in a way that the LLM cannot tell the difference between the developer's intended instructions and the user's potentially malicious input. This allows an attacker to 'hijack' the prompt and make the model ignore its original guidelines. |
| CWE-564 | SQL Injection: Hibernate | This vulnerability occurs when an application uses Hibernate to construct dynamic SQL queries with unsanitized user input, allowing an attacker to alter the query's logic or execute unauthorized SQL commands. |
| CWE-621 | Variable Extraction Error | This vulnerability occurs when an application uses unvalidated external input to dynamically select which variables to populate with data. Without proper checks, this can allow an attacker to overwrite critical internal variables, leading to unexpected behavior or security breaches. |
| CWE-624 | Executable Regular Expression Error | This vulnerability occurs when an application uses a regular expression that can execute code, either because it directly contains executable logic with unsafe user input, or because an attacker can inject pattern modifiers that enable code execution. |
| CWE-627 | Dynamic Variable Evaluation | This vulnerability occurs when an application allows user input to directly determine which variable or function name is used at runtime. Without strict validation, an attacker can manipulate these names to access or modify sensitive data, execute unauthorized functions, or disrupt the application's logic. |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | This vulnerability occurs when an application creates file or resource names using unvalidated user input, failing to properly limit what characters or paths can be used. |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | XPath Injection occurs when an application uses unvalidated user input to build an XPath query for an XML database. Without proper sanitization, attackers can manipulate the query's structure. |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | XQuery Injection occurs when an application uses unvalidated user input to build an XQuery expression for querying an XML database. Without proper neutralization, an attacker can manipulate the query's structure. |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting | This vulnerability occurs when an application relies on an incomplete denylist to block cross-site scripting (XSS) attacks, leaving the door open for attackers to craft payloads that bypass the filter. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | This vulnerability occurs when a system uses multiple resources that can share the same identifier, even though the application logic requires each identifier to be unique. |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it. |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | This vulnerability occurs when an application fails to properly filter or encode user-supplied data containing special characters or commands that can be interpreted in a different context, such as a command shell, file system, or data format. |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | This vulnerability occurs when an application successfully blocks or sanitizes a known set of dangerous inputs but fails to recognize and handle alternative forms that have the same meaning or effect. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An attacker can inject their own commands by inserting special characters or code, tricking the application into executing unintended and potentially harmful actions on the underlying system. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system. |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | This vulnerability occurs when a web application fails to properly sanitize or encode user-supplied input before displaying it on a webpage viewed by other users. |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | This vulnerability, commonly known as Basic Cross-Site Scripting (XSS), occurs when a web application fails to properly sanitize user input containing HTML and JavaScript tags. When untrusted data containing characters like <, >, and & is rendered directly into a webpage, a browser may execute it as active code, not just display it as text. |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page | This vulnerability occurs when an application fails to properly sanitize user-supplied input before displaying it within an error message web page. If special characters used in web scripts are not neutralized, an attacker can inject malicious code that executes in a user's browser. |
| CWE-82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | This vulnerability occurs when a web application fails to properly sanitize or escape script code within the attributes of HTML IMG tags, such as the 'src' attribute. |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | This vulnerability occurs when a web application fails to properly sanitize or block JavaScript URIs (like 'javascript:') within HTML tag attributes. Attackers can inject malicious code into attributes such as onmouseover, onload, onerror, or style, leading to cross-site scripting (XSS) attacks when the page renders. |
| CWE-84 | Improper Neutralization of Encoded URI Schemes in a Web Page | This vulnerability occurs when a web application fails to properly sanitize user-supplied input that contains malicious scripts disguised using encoded URI schemes like `javascript:` or `data:`. |
| CWE-85 | Doubled Character XSS Manipulations | This vulnerability occurs when a web application fails to properly sanitize user input that contains doubled characters, allowing attackers to bypass filters and inject malicious scripts. |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | This vulnerability occurs when an application fails to properly filter or escape invalid characters within web identifiers like HTML tag names or URI schemes, allowing malicious sequences to pass through. |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | This vulnerability occurs when an application fails to properly sanitize user-supplied input that uses alternative methods to execute cross-site scripting (XSS) attacks. |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate or 'neutralize' the intended arguments. This allows an attacker to inject additional command-line arguments, options, or switches by including argument-separating characters (like spaces or dashes) in untrusted input. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an attacker to insert malicious SQL code that the database executes, potentially letting them view, modify, or delete sensitive data. |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | This vulnerability occurs when an application builds an LDAP query using untrusted user input without properly sanitizing it. An attacker can inject special characters or commands to alter the query's logic, potentially gaining unauthorized access to, modifying, or extracting sensitive directory information. |
| CWE-91 | XML Injection (aka Blind XPath Injection) | XML Injection occurs when an application fails to properly validate or escape user-controlled input before including it in XML documents or queries. This allows attackers to inject malicious XML elements or syntax, potentially altering the document's structure, extracting sensitive data, or disrupting processing logic. |
| CWE-914 | Improper Control of Dynamically-Identified Variables | This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing attackers to read or modify data they shouldn't have access to. |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Expression Language Injection occurs when an application uses untrusted, external input to build an expression language statement—common in frameworks like Java Server Pages (JSP)—without properly sanitizing it. This allows an attacker to inject malicious expressions that alter the intended logic and execute arbitrary code when the statement is processed. |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | This vulnerability occurs when an application uses carriage return and line feed characters (CRLF) to structure data, like separating lines or records, but fails to properly sanitize these sequences from user-supplied input before processing. |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the application fails to properly filter or escape this input, an attacker can inject special characters or commands that alter the intended code's logic or syntax. |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | This vulnerability occurs when an application builds a query for a data store (like a database) but fails to properly sanitize user-controlled input. This allows an attacker to inject special elements that change the query's intended logic, potentially accessing or manipulating data in unauthorized ways. |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | This vulnerability occurs when an application takes user input and passes it directly into a dynamic code execution function, like eval(), without properly sanitizing it. This allows an attacker to inject and execute arbitrary code within the application's context. |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Static Code Injection occurs when an application incorporates unvalidated or improperly sanitized user input directly into a static, executable resource like a configuration file, template, or library. Because this input is saved and later executed, it allows an attacker to inject malicious code that becomes a permanent part of the application's logic. |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | This vulnerability occurs when a web application dynamically generates pages but fails to properly sanitize user-supplied input that could be interpreted as server-side include (SSI) commands, allowing an attacker to inject malicious directives. |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | This vulnerability occurs when an application accepts user input as a resource identifier (like a file path or port number) without proper validation, allowing an attacker to access or manipulate resources outside the intended scope. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.