CWE-707 (Improper Handling of Messages or Data Structures) — Vulnerability Class 192

192 vulnerabilities classified as CWE-707 (Improper Handling of Messages or Data Structures). AI analysis in Chinese included.

CWE-707 represents a critical input validation weakness where software fails to properly sanitize structured data before processing or transmission. This flaw typically allows attackers to inject malicious payloads, such as SQL injection strings or cross-site scripting code, by exploiting the system’s inability to distinguish between legitimate data and executable commands. When malformed messages are misinterpreted, they can trigger unintended behaviors, leading to data breaches, system compromise, or denial of service. Developers mitigate this risk by implementing rigorous neutralization techniques, including strict input validation, output encoding, and parameterized queries. By ensuring that all structured messages are well-formed and adhere to expected security properties before being handled by downstream components, engineers can effectively prevent attackers from manipulating the application’s logic and maintain the integrity of the data flow.

MITRE CWE Description

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. If a message is malformed, it may cause the message to be incorrectly interpreted.

Neutralization is an abstract term for any technique that ensures that input (and output) conforms with expectations and is "safe." This can be done by:

- checking that the input/output is already "safe" (e.g. validation)
- transformation of the input/output to be "safe" using techniques such as filtering, encoding/decoding, escaping/unescaping, quoting/unquoting, or canonicalization
- preventing the input/output from being directly provided by an attacker (e.g. "indirect selection" that maps externally-provided values to internally-controlled values)
- preventing the input/output from being processed at all

This weakness typically applies in cases where the product prepares a control message that another process must act on, such as a command or query, and malicious input that was intended as data can enter the control plane instead. However, this weakness also applies to more general cases where there are not always control implications.

Common Consequences (1)

Scope: Other; Impact: Other
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2022-3975 | NukeViet CMS Data URL Request.php filterAttr cross site scripting | CMS | 3.5 | Low | 2022-11-13 |
| CVE-2022-3963 | gnuboard5 FAQ Key ID faq.php cross site scripting | gnuboard5 | 3.5 | Low | 2022-11-12 |
| CVE-2022-3941 | Activity Log Plugin HTTP Header neutralization for logs | Activity Log Plugin | 5.3 | Medium | 2022-11-11 |
| CVE-2022-3942 | SourceCodester Sanitization Management System cross site scripting | Sanitization Management System | 4.3 | Medium | 2022-11-11 |
| CVE-2022-3943 | ForU CMS cms_chip.php cross site scripting | CMS | 3.5 | Low | 2022-11-11 |
| CVE-2022-3947 | eolinker goku_lite list sql injection | goku_lite | 6.3 | Medium | 2022-11-11 |
| CVE-2022-3948 | eolinker goku_lite getList sql injection | goku_lite | 6.3 | Medium | 2022-11-11 |
| CVE-2022-3949 | Sourcecodester Simple Cashiering System User Account cross site scripting | Simple Cashiering System | 3.5 | Low | 2022-11-11 |
| CVE-2022-3950 | sanluan PublicCMS Tab dwz.min.js initLink cross site scripting | PublicCMS | 3.5 | Low | 2022-11-11 |
| CVE-2022-3955 | tholum crm42 Login class.user.php sql injection | crm42 | 7.3 | High | 2022-11-11 |
| CVE-2022-3956 | tsruban HHIMS Patient Portrait sql injection | HHIMS | 6.3 | Medium | 2022-11-11 |
| CVE-2022-3878 | Maxon ERP browse_data sql injection | ERP | 7.3 | High | 2022-11-07 |
| CVE-2022-3868 | SourceCodester Sanitization Management System sql injection | Sanitization Management System | 4.7 | Medium | 2022-11-05 |
| CVE-2020-36608 | Tribal Systems Zenario CMS Error Log Module admin_organizer.js cross site scripting | Zenario CMS | 3.5 | Low | 2022-11-02 |
| CVE-2022-3825 | Huaxia ERP User Management sql injection | ERP | 6.3 | Medium | 2022-11-02 |
| CVE-2022-3827 | centreon Contact Groups Form formContactGroup.php sql injection | centreon | 6.3 | Medium | 2022-11-02 |
| CVE-2022-3845 | phpipam Import Preview import-load-data.php cross site scripting | phpipam | 2.4 | Low | 2022-11-02 |
| CVE-2022-3789 | Tim Campus Confession Wall share.php sql injection | Confession Wall | 5.5 | Medium | 2022-11-01 |
| CVE-2022-3798 | IBAX go-ibax tablesInfo sql injection | go-ibax | 6.3 | Medium | 2022-11-01 |
| CVE-2022-3799 | IBAX go-ibax tablesInfo sql injection | go-ibax | 6.3 | Medium | 2022-11-01 |
| CVE-2022-3800 | IBAX go-ibax rowsInfo sql injection | go-ibax | 6.3 | Medium | 2022-11-01 |
| CVE-2022-3801 | IBAX go-ibax rowsInfo sql injection | go-ibax | 6.3 | Medium | 2022-11-01 |
| CVE-2022-3802 | IBAX go-ibax rowsInfo sql injection | go-ibax | 6.3 | Medium | 2022-11-01 |
| CVE-2022-3803 | eolinker apinto-dashboard cross site scripting | apinto-dashboard | 3.5 | Low | 2022-11-01 |
| CVE-2022-3804 | eolinker apinto-dashboard login cross site scripting | apinto-dashboard | 4.3 | Medium | 2022-11-01 |
| CVE-2022-3783 | node-red-dashboard ui_text Format ui-component-ctrl.js cross site scripting | node-red-dashboard | 3.5 | Low | 2022-10-31 |
| CVE-2022-3729 | seccome Ehoney attack sql injection | Ehoney | 6.3 | Medium | 2022-10-28 |
| CVE-2022-3730 | seccome Ehoney falco sql injection | Ehoney | 6.3 | Medium | 2022-10-28 |
| CVE-2022-3731 | seccome Ehoney token sql injection | Ehoney | 6.3 | Medium | 2022-10-28 |
| CVE-2022-3732 | seccome Ehoney set sql injection | Ehoney | 6.3 | Medium | 2022-10-28 |

In this index, 192 CVEs are classified as CWE-707 (Improper Handling of Messages or Data Structures). The CWE taxonomy describes the weakness class; review the individual CVE entries for product-specific impact.