
CWE-472 (External Control of Assumed-Immutable Web Parameter) — Vulnerability Class 79

79 vulnerabilities classified as CWE-472 (External Control of Assumed-Immutable Web Parameter). AI-generated Chinese analysis included.

CWE-472 represents a logic flaw where web applications incorrectly assume certain input parameters are immutable, such as hidden form fields, cookies, or URL arguments, despite being fully controllable by external users. Attackers typically exploit this weakness by manipulating these trusted values to bypass authorization checks, alter business logic, or escalate privileges, effectively tricking the server into processing unauthorized actions. To mitigate this risk, developers must avoid relying on client-side data for security-critical decisions. Instead, they should enforce server-side validation for all inputs, ensuring that any parameter influencing application state is rigorously verified against expected values. By treating all user-supplied data as untrusted, regardless of its origin or apparent immutability, developers can prevent attackers from subverting application logic through simple parameter tampering.

MITRE CWE Description
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. If a web product does not properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Web applications often mistakenly make the assumption that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input. For example, custom cookies commonly store session data or persistent data across sessions. This kind of session data is normally involved in security related decisions on the server side, such as user authentication and access control. Thus, the cookies might contain sensitive data such as user credentials and privileges. This is a dangerous practice, as it can often lead to improper reliance on the value of the client-provided cookie by the server side application.
Common Consequences (1)
Integrity · Modify Application Data
Without appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Reliance on the cookies without detailed validation can lead to problems such as SQL injection. If you use cookie values for security related decisions on the server side, manipulating the cook…
Mitigations (2)
Implementation · Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation · Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Examples (2)
In this example, a web application uses the value of a hidden form field (accountID) without having done any input validation because it was assumed to be immutable.
```java
// Bad: the hidden field is read and used directly; nothing validates it and
// nothing checks that the caller is actually allowed to act on that account.
String accountID = request.getParameter("accountID");
User user = getUserFromID(Long.parseLong(accountID));
```
Bad · Java
Hidden fields should not be trusted as secure parameters.
```html
<input type="hidden"
```
Bad · HTML
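As an added illustration (not part of the MITRE entry or of this page's own examples), the Java pattern above carried through in Python: the vulnerable lookup trusts the hidden accountID as if it were immutable, the hardened lookup resolves the caller from server-side session state and checks ownership before touching the account, and a small HMAC seal shows how a value that genuinely has to round-trip through the client can be bound to the session so that modification is detected. The accounts, sessions and server key are constructed in-memory stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for a database and a session store.
ACCOUNTS = {1001: {"owner": "alice", "balance": 50}, 1002: {"owner": "bob", "balance": 900}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # stays on the server; never sent to the client


def lookup_vulnerable(session_id, params):
    """CWE-472 pattern: whatever accountID the client sends is used as-is."""
    account = ACCOUNTS.get(int(params["accountID"]))
    return None if account is None else account["balance"]


def lookup_hardened(session_id, params):
    """Authorization comes from server-side state, not from the hidden field."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("no valid session")
    try:
        account_id = int(params.get("accountID", ""))
    except ValueError:
        raise ValueError("accountID must be an integer")
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        # Deny rather than reveal whether the account exists.
        raise PermissionError("account not owned by caller")
    return account["balance"]


def seal(session_id, value):
    """Bind a client-visible value to the session with an HMAC tag."""
    tag = hmac.new(SERVER_KEY, f"{session_id}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def unseal(session_id, sealed):
    """Return the value only if the tag matches this session and value."""
    value, _, tag = sealed.rpartition(".")
    expected = hmac.new(SERVER_KEY, f"{session_id}:{value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field was modified")
    return value
```

The seal only proves the value was not altered; it does not replace the ownership check, which must still run on every request.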
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-24373 | WordPress Booking calendar, Appointment Booking System plugin <= 3.2.3 - Bypass vulnerability | Booking calendar, Appointment Booking System | 3.7 | Low | 2024-06-03 |
| CVE-2024-3649 | Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.8.7.2 - Unauthenticated Price Manipulation | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | 5.3 | Medium | 2024-05-02 |
| CVE-2024-25153 | Remote Code Execution in FileCatalyst Workflow 5.x prior to 5.1.6 Build 114 | FileCatalyst | 9.8 | Critical | 2024-03-13 |
| CVE-2023-28512 | IBM Watson CP4D Data Stores improper input validation | Watson CP4D Data Stores | 5.9 | Medium | 2024-03-03 |
| CVE-2024-22049 | httparty Multipart/Form-Data Request Tampering Vulnerability | - | 6.5 (AI) | Medium (AI) | 2024-01-04 |
| CVE-2022-30597 | Moodle security vulnerability | moodle | 5.3 | - | 2022-05-18 |
| CVE-2021-27770 | HCL Sametime is vulnerable to arbitrary HTTP requests | Sametime | 6.8 | Medium | 2022-05-12 |
| CVE-2021-27769 | HCL Sametime is vulnerable to an information disclosure | Sametime | 5.3 | Medium | 2022-05-12 |
| CVE-2021-1290 | Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1291 | Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1292 | Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1293 | Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1294 | Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1295 | Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1289 | Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2020-1765 | Spoofing of From field in several screens | ((OTRS)) Community Edition | 3.5 | Low | 2020-01-10 |
| CVE-2019-13927 | Siemens Desigo PX security vulnerability | Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 | 8.2 | - | 2019-12-12 |
| CVE-2017-5260 | Cambium Networks cnPilot security vulnerability | cnPilot | 8.8 | - | 2017-12-20 |
| CVE-2017-5261 | Cambium Networks cnPilot Web administrative console path traversal vulnerability | cnPilot | 8.1 | - | 2017-12-20 |

Vulnerabilities classified as CWE-472 (External Control of Assumed-Immutable Web Parameter) represent 79 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.