Improper Restriction of Names for Files and Other Resources
This vulnerability occurs when an application creates file or resource names using unvalidated user input, failing to properly limit what characters or paths can be used.
When an application builds a resource name—like a filename, directory path, or URL—from external input without strict validation, it opens the door to multiple attack vectors. An attacker can inject special characters, path traversal sequences (like `../`), or even script code into the name. If the application later uses that name, say, to include a file on a web page or pass it to a system command, it can trigger unexpected and dangerous behavior. The specific risk depends entirely on how the malformed name is used. For example, if the tainted name is displayed in a web page, it could lead to Cross-Site Scripting (XSS) in a user's browser. If it's processed by a server-side parser or the operating system itself, it could allow path traversal to access sensitive files, cause denial-of-service, or in the worst case, lead to remote code execution by exploiting a vulnerability in the underlying processing component.
Impact: Execute Unauthorized Code or Commands
Execution of arbitrary code in the context of usage of the resources with dangerous names.
Impact: Read Application DataDoS: Crash, Exit, or Restart
Crash of the consumer code of these resources resulting in information leakage or denial of service.
Low
- Software Fault Patterns