Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-76 (等价特殊元素的转义处理不恰当) — Vulnerability Class 9

9 vulnerabilities classified as CWE-76 (等价特殊元素的转义处理不恰当). AI Chinese analysis included.

CWE-76 represents a logic flaw where software filters specific special characters but fails to account for their equivalent representations, such as alternate encodings or case variations. Attackers exploit this oversight by substituting blocked characters with functionally identical alternatives, thereby bypassing input validation mechanisms. For instance, if a system blocks forward slashes to prevent path traversal but ignores double slashes or encoded variants, an adversary can inject malicious paths that the application interprets as valid. To mitigate this vulnerability, developers must implement comprehensive normalization strategies that resolve all equivalent forms before validation. This involves canonicalizing input data to a single standard representation and ensuring that filtering logic accounts for all possible encodings, including Unicode variations and URL encoding, rather than relying on static lists of prohibited characters.

MITRE CWE Description
The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. The product may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the product may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the product might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics.
Common Consequences (1)
OtherOther
Mitigations (2)
RequirementsProgramming languages and supporting technologies might be chosen which are not subject to these issues.
ImplementationUtilize an appropriate mix of allowlist and denylist parsing to filter equivalent special element syntax from all input.
CVE IDTitleCVSSSeverityPublished
CVE-2024-4897 Remote Code Execution in parisneo/lollms-webui — parisneo/lollms-webui 9.8AICriticalAI2024-07-02
CVE-2024-34359 llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata — llama-cpp-python 9.7 Critical2024-05-10
CVE-2024-2952 Server-Side Template Injection in BerriAI/litellm — berriai/litellm 9.8AICriticalAI2024-04-10
CVE-2024-1883 Reflected XSS in PaperCut NG/MF — PaperCut NG, PaperCut MF 6.3 Medium2024-03-14
CVE-2024-1882 Server-side resource injection in PaperCut NG/MF — PaperCut NG, PaperCut MF 7.2 High2024-03-14
CVE-2024-1221 Improper access controls on APIs on Linux and macOS in PaperCut NG/MF — PaperCut NG, PaperCut MF 3.1 Low2024-03-14
CVE-2024-21600 Junos OS: PTX Series: In an FTI scenario MPLS packets hitting reject next-hop will cause a host path wedge condition — Junos OS 6.5 Medium2024-01-12
CVE-2023-1149 Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver — btcpayserver/btcpayserver 8.2 -2023-03-02
CVE-2023-0493 Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver — btcpayserver/btcpayserver 5.3 Medium2023-01-26

Vulnerabilities classified as CWE-76 (等价特殊元素的转义处理不恰当) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.