
CWE-74 (Improper Neutralization of Special Elements in Output ('Injection')) — Vulnerability Class 375

375 vulnerabilities classified as CWE-74 (Improper Neutralization of Special Elements in Output ('Injection')). AI Chinese analysis included.

CWE-74 represents a critical input validation weakness where software constructs commands, data structures, or records using externally influenced input without properly neutralizing special elements. This flaw allows attackers to inject malicious syntax that alters the intended interpretation of the downstream component, leading to severe consequences such as unauthorized command execution, data manipulation, or system compromise. Exploitation typically occurs when user-supplied data is directly concatenated into queries or system calls without sanitization. To prevent this, developers must implement rigorous input validation, ensuring all external data is strictly checked against expected formats. Furthermore, utilizing parameterized queries, safe APIs, and context-specific encoding techniques ensures that special characters are treated as literal data rather than executable instructions, effectively neutralizing potential injection vectors before they reach the downstream processor.

MITRE CWE Description
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Common Consequences (5)
Confidentiality: Read Application Data
Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Other: Alter Execution Logic
Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
Integrity, Other: Other
Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Mitigations (2)
Requirements: Programming languages and supporting technologies might be chosen which are not subject to these issues.
Implementation: Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Examples (2)
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
    $userName = $_POST["user"];
    $command = 'ls -l /home/' . $userName;
    system($command);
Bad · PHP

    ;rm -rf /
Attack
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
Bad · Java

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
Result
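Hardened counterparts of the two MITRE examples above, written here in Python as an added illustration (not code from the CWE entry): the command is passed as an argv list behind an allowlist instead of a concatenated shell string, and a cookie header value is refused when it carries CR/LF or cookie delimiters that the downstream HTTP parser would treat as syntax. Function names, the allowlist pattern and the sample inputs are this example's own choices.

```python
import re
import shlex
import subprocess

# Allowlist for the account name: POSIX-style user names only. fullmatch() is
# used instead of ^...$ so a trailing newline can never slip past the check.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def build_list_home_argv(user_name):
    """Validate user_name and return the argv for listing its home directory.
    The PHP example builds one shell string ('ls -l /home/' . $userName) and
    hands it to system(); here the command is an argv list, so no shell parses
    the user-controlled value and ';' cannot start a second command."""
    if not USERNAME_RE.fullmatch(user_name):
        raise ValueError(f"rejected user name: {user_name!r}")
    return ["ls", "-l", f"/home/{user_name}"]

def build_list_home_shell(user_name):
    """Fallback when a shell string is unavoidable (escapeshellarg's role in
    PHP): shlex.quote() makes metacharacters literal. Quoting only addresses
    shell syntax, so the allowlist above remains the primary control."""
    return "ls -l /home/" + shlex.quote(user_name)

def list_home(user_name):
    # shell=False (the default) passes argv straight to execve().
    return subprocess.run(build_list_home_argv(user_name),
                          capture_output=True, text=True, check=False).stdout

# CR, LF and other control characters would let a cookie value terminate the
# Set-Cookie line and start a new header (HTTP response splitting).
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

def set_cookie_header(name, value):
    """Return 'Set-Cookie: name=value', or raise ValueError when either part
    carries characters the downstream HTTP header parser treats specially."""
    for part in (name, value):
        if CONTROL_RE.search(part) or ";" in part:
            raise ValueError("special element in cookie name or value")
    if "=" in name:
        raise ValueError("'=' in cookie name")
    return f"Set-Cookie: {name}={value}"

def header_is_safe(name, value):
    """True if set_cookie_header() would accept the (name, value) pair."""
    try:
        set_cookie_header(name, value)
    except ValueError:
        return False
    return True
```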
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-25141 | JNDI injection into Apache sling-org-apache-sling-jcr-base | Apache Sling JCR Base | 9.1 | - | 2023-02-14
CVE-2022-43756 | Rancher/Wrangler: Denial of service when processing Git credentials | Rancher | 5.9 | Medium | 2023-02-07
CVE-2017-20174 | bastianallgeier Kirby Webmentions Plugin injection | Kirby Webmentions Plugin | 5.6 | Medium | 2023-01-19
CVE-2015-10062 | galaxy-data-resource Command Line Template injection | galaxy-data-resource | 5.5 | Medium | 2023-01-17
CVE-2022-43720 | Apache Superset: Improper rendering of user input | Apache Superset | 4.6 | - | 2023-01-16
CVE-2015-10040 | gitlearn Escape Sequence config.sh getOutOf injection | gitlearn | 5.4 | Medium | 2023-01-13
CVE-2022-42268 | NVIDIA Omniverse Kit code injection vulnerability | Omniverse Audio2Face | 7.8 | High | 2023-01-12
CVE-2022-46180 | Arbitrary HTML injection in discourse-mermaid-theme-component | discourse-mermaid-theme-component | 5.0 | Medium | 2023-01-04
CVE-2016-15007 | Centralized-Salesforce-Dev-Framework SOQL SObjectService.cls SObjectService injection | Centralized-Salesforce-Dev-Framework | 5.5 | Medium | 2023-01-02
CVE-2017-20161 | rofl0r MacGeiger ESSID macgeiger.c dump_wlan_at injection | MacGeiger | 4.6 | Medium | 2023-01-02
CVE-2022-4768 | Dropbox merou SSH Public Key public_key.py add_public_key injection | merou | 6.3 | Medium | 2022-12-27
CVE-2022-40145 | Apache Karaf: JDBC JAAS LDAP injection | Apache Karaf | 9.8 | - | 2022-12-21
CVE-2020-36618 | Furqan node-whois index.coffee prototype pollution | node-whois | 6.3 | Medium | 2022-12-19
CVE-2021-4245 | chbrown rfc6902 pointer.ts prototype pollution | rfc6902 | 5.5 | Medium | 2022-12-15
CVE-2022-46265 | Siemens Polarion injection vulnerability | Polarion ALM | 5.4 | Medium | 2022-12-13
CVE-2022-4170 | rxvt-unicode security vulnerability | rxvt-unicode | 9.8 | - | 2022-12-09
CVE-2022-46169 | Unauthenticated Command Injection | cacti | 9.8 | Critical | 2022-12-05
CVE-2022-46162 | Discourse BBCode plugin vulnerable to arbitrary CSS injection | discourse-bbcode | 8.8 | High | 2022-11-30
CVE-2022-41934 | Improper Neutralization of Directives in Dynamically Evaluated Code in org.xwiki.platform:xwiki-platform-menu-ui | xwiki-platform | 9.9 | Critical | 2022-11-23
CVE-2022-4064 | Dalli Meta Protocol request_formatter.rb self.meta_set injection | Dalli | 3.7 | Low | 2022-11-19
CVE-2022-41878 | Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers | parse-server | 7.2 | High | 2022-11-10
CVE-2022-39382 | NODE_ENV in Keystone defaults to development with esbuild | keystone | 9.8 | Critical | 2022-11-03
CVE-2022-31777 | Apache Spark XSS vulnerability in log viewer UI Javascript | Apache Spark | 5.4 | - | 2022-11-01
CVE-2021-38395 | Honeywell Experion PKS and ACE Controllers Injection | Experion PKS | 9.1 | Critical | 2022-10-28
CVE-2022-40248 | An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4 | VINCE - The Vulnerability Information and Coordination Environment | 5.4 | - | 2022-10-10
CVE-2022-40257 | An HTML injection vulnerability exists in CERT/CC VINCE software prior to version 1.50.4 | VINCE - The Vulnerability Information and Coordination Environment | 5.4 | - | 2022-10-10
CVE-2022-39265 | Mail settings' command parameter injection in mybb | mybb | 7.2 | High | 2022-10-06
CVE-2022-39217 | Improper Neutralization of Formula Elements in a CSV File in ghas-to-csv | ghas-to-csv | 5.8 | Medium | 2022-09-16
CVE-2022-38191 | HTML injection vulnerability in Portal for ArcGIS | Portal for ArcGIS | 6.1 | Medium | 2022-08-15
CVE-2022-36323 | Siemens SCALANCE security vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 9.1 | Critical | 2022-08-10

Vulnerabilities classified as CWE-74 (Improper Neutralization of Special Elements in Output ('Injection')) represent 375 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.