
CWE-74 (Improper Neutralization of Special Elements in Output ('Injection')) — Vulnerability Class, 375 CVEs

375 vulnerabilities are classified as CWE-74 (Improper Neutralization of Special Elements in Output ('Injection')). AI-generated Chinese-language analysis is included.

CWE-74 represents a critical input validation weakness where software constructs commands, data structures, or records using externally influenced input without properly neutralizing special elements. This flaw allows attackers to inject malicious syntax that alters the intended interpretation of the downstream component, leading to severe consequences such as unauthorized command execution, data manipulation, or system compromise. Exploitation typically occurs when user-supplied data is directly concatenated into queries or system calls without sanitization. To prevent this, developers must implement rigorous input validation, ensuring all external data is strictly checked against expected formats. Furthermore, utilizing parameterized queries, safe APIs, and context-specific encoding techniques ensures that special characters are treated as literal data rather than executable instructions, effectively neutralizing potential injection vectors before they reach the downstream processor.

MITRE CWE Description
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Common Consequences (5)
Confidentiality: Read Application Data
Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Other: Alter Execution Logic
Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
Integrity, Other: Other
Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Mitigations (2)
Requirements: Programming languages and supporting technologies might be chosen which are not subject to these issues.
Implementation: Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Examples (2)
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
Bad · PHP

    $userName = $_POST["user"];
    $command = 'ls -l /home/' . $userName;
    system($command);

Attack (value submitted for user)

    ;rm -rf /
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
Bad · Java

    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

Result

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
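Hardened counterparts of both examples above, written here as an added illustration (this is not MITRE's code or code from any of the listed products). The username allowlist pattern and the cookie-name pattern are assumed policies; the approach follows the mitigation above: allowlist the input, then pass it to the downstream component through an API that cannot reinterpret it as syntax (an argv list instead of a shell string; a header value with control characters rejected and the rest percent-encoded).

```python
import re
import subprocess
from urllib.parse import quote

# Allowlist for the account name (assumed policy): lowercase POSIX-style
# names only, so nothing a shell or a path could reinterpret gets through.
_USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_list_home_argv(user_name: str) -> list[str]:
    """argv for `ls -l /home/<user>`, or ValueError for a disallowed name.

    The name is one argv element and is never joined into a command string,
    so the page's ';rm -rf /' input cannot start a second command; the
    allowlist rejects it before that point anyway.
    """
    if not _USERNAME_RE.fullmatch(user_name):
        raise ValueError("invalid user name")
    return ["ls", "-l", f"/home/{user_name}"]


def list_home(user_name: str) -> str:
    """Run the listing with shell=False (the default): no /bin/sh parsing."""
    proc = subprocess.run(build_list_home_argv(user_name),
                          capture_output=True, text=True, check=False)
    return proc.stdout


def safe_cookie_value(value: str) -> str:
    """Neutralise header syntax in a Set-Cookie value.

    The Java example copies `author` into a response header unchanged. CR/LF
    and other C0 control characters would end the header line, so they are
    rejected; everything else is percent-encoded so ';', ',' and whitespace
    cannot be read by the client as cookie attributes or separators.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in cookie value")
    return quote(value, safe="")


def set_cookie_header(name: str, value: str) -> str:
    """Build the header line; the cookie name is allowlisted too (assumed)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("invalid cookie name")
    return f"Set-Cookie: {name}={safe_cookie_value(value)}"
```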
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2022-35735 | BIG-IP monitor configuration vulnerability CVE-2022-35735 — BIG-IP | 7.2 | High | 2022-08-04
CVE-2022-31179 | Insufficient escaping of line feeds for CMD in shescape — shescape | 8.1 | High | 2022-08-01
CVE-2022-31180 | Insufficient escaping of whitespace in shescape — shescape | 9.8 | Critical | 2022-08-01
CVE-2016-15004 | InfiniteWP Client Plugin injection — InfiniteWP Client Plugin | 7.3 | High | 2022-07-23
CVE-2022-31593 | SAP Business One client injection vulnerability — SAP Business One | 8.8 | - | 2022-07-12
CVE-2022-34466 | Siemens Mendix Applications using Mendix 9 injection vulnerability — Mendix Applications using Mendix 9 | 7.5 | - | 2022-07-12
CVE-2022-31126 | Unauthenticated Remote Code Execution in Roxy-wi — roxy-wi | 10.0 | Critical | 2022-07-06
CVE-2022-31014 | SMTP Command Injection in iCalendar Attachments to emails via newlines in Nextcloud Server — security-advisories | 5.4 | Medium | 2022-07-05
CVE-2022-31108 | Arbitrary `CSS` injection into the generated graph affecting the container HTML in mermaid.js — mermaid | 4.1 | Medium | 2022-06-28
CVE-2022-31086 | Incorrect Regular Expressions in ldap-account-manager — lam | 8.8 | - | 2022-06-27
CVE-2022-31087 | Incorrect Default Permissions in ldap-account-manager — lam | 7.8 | - | 2022-06-27
CVE-2022-31088 | Unauthenticated LDAP Injection in ldap-account-manager — lam | 5.3 | - | 2022-06-27
CVE-2020-36531 | SevOne Network Management System Device Manager Page injection — Network Management System | 6.3 | Medium | 2022-06-03
CVE-2022-30991 | HTML injection via report name — Acronis Cyber Protect 15 | 7.2 | - | 2022-05-18
CVE-2022-23068 | ToolJet - HTML Injection in Invite New User — ToolJet | 5.4 | Medium | 2022-05-18
CVE-2022-29171 | Remote Code Execution in sourcegraph — sourcegraph | 6.6 | Medium | 2022-05-05
CVE-2022-29166 | Improper handling of multiline messages in matrix-appservice-irc — matrix-appservice-irc | 8.0 | High | 2022-05-05
CVE-2022-23064 | Snipe-IT - Host Header Injection — snipe-it | 8.8 | High | 2022-05-02
CVE-2022-29816 | JetBrains IntelliJ IDEA cross-site scripting vulnerability — IntelliJ IDEA | 2.8 | Low | 2022-04-28
CVE-2022-24888 | Possible Injection in Nextcloud Server — security-advisories | 4.3 | Medium | 2022-04-27
CVE-2022-20693 | Cisco IOS XE Software Web UI API Injection Vulnerability — Cisco IOS XE Software | 4.7 | Medium | 2022-04-15
CVE-2022-24838 | Command Injection in Appointment Emails for Nextcloud Calendar — security-advisories | 5.3 | Medium | 2022-04-11
CVE-2022-24832 | Bundled ldap-authentication-plugin fails to neutralise LDAP special elements in usernames — gocd | 8.2 | High | 2022-04-11
CVE-2022-1074 | TEM FLEX-1085 injection — FLEX-1085 | 4.3 | Medium | 2022-03-29
CVE-2022-20001 | Injection in fish — fish-shell | 7.8 | High | 2022-03-14
CVE-2022-24760 | Command Injection in Parse server — parse-server | 10.0 | Critical | 2022-03-11
CVE-2022-21705 | Authenticated remote code execution in octobercms — october | 7.2 | High | 2022-02-23
CVE-2022-23616 | Remote code execution in xwiki-platform — xwiki-platform | 8.8 | High | 2022-02-09
CVE-2022-0391 | Python injection vulnerability — python | 7.5 | - | 2022-02-09
CVE-2021-43929 | Synology DiskStation Manager cross-site scripting vulnerability — DiskStation Manager (DSM) | 6.5 | Medium | 2022-02-07

Vulnerabilities classified as CWE-74 (Improper Neutralization of Special Elements in Output ('Injection')) account for 375 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.