
CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')) — Vulnerability Class (47 CVEs)

47 vulnerabilities classified as CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')). AI Chinese analysis included.

CWE-99 represents a critical input validation weakness where applications fail to restrict user-supplied data before using it as an identifier for external resources. Attackers typically exploit this vulnerability by injecting malicious payloads, such as directory traversal sequences or remote resource references, into input fields. This allows them to bypass intended access controls, potentially reading sensitive local files, accessing restricted network services, or executing arbitrary code on the server. To mitigate this risk, developers must implement strict allow-listing strategies for all resource identifiers, ensuring only predefined, safe values are accepted. Additionally, employing robust input sanitization techniques and validating data types can prevent attackers from manipulating resource paths. By rigorously controlling how user input interacts with system resources, organizations can effectively neutralize injection attacks and maintain the integrity and confidentiality of their applications.

MITRE CWE Description
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

A resource injection issue occurs when the following two conditions are met:
1. An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server.

This may enable an attacker to access or modify otherwise protected system resources.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories
An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.
Mitigations (1)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Examples (2)
The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.
    String rName = request.getParameter("reportName");
    File rFile = new File("/usr/local/apfr/reports/" + rName);
    ...
    rFile.delete();
Bad · Java
The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.
    #include <fstream>
    #include <iostream>
    #include <string>
    using namespace std;

    int main(int argc, char* argv[]) {
        if (argc < 2) return 1;
        // argv[1] is the user-supplied path; it is opened without any restriction
        ifstream ifs(argv[1]);
        string s;
        ifs >> s;
        cout << s;
        return 0;
    }
Bad · C++
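The "accept known good" mitigation applied to the Java report case above, as an added example that is neither MITRE's code nor the page's own. The report directory and the allowed-name pattern are assumptions chosen for illustration; the point is that the request parameter is never used as a path unless it matches a strict pattern, and that the resolved path is additionally checked to stay under the report directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class ReportNameCheck {
    // Assumed base directory (taken from the CWE example above for illustration).
    private static final Path REPORT_DIR =
            Paths.get("/usr/local/apfr/reports").toAbsolutePath().normalize();

    // Accept-known-good: 1-64 letters, digits, '-' or '_' followed by ".txt".
    // No '/', '\' or '.' runs are possible, so traversal sequences cannot match.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.txt");

    /**
     * Returns the resolved path of an acceptable report, or null when the
     * request value is rejected. Callers act (delete, read) only on a non-null result.
     */
    public static Path resolveReport(String rName) {
        if (rName == null || !SAFE_NAME.matcher(rName).matches()) {
            return null;                               // fails the allow-list
        }
        Path candidate = REPORT_DIR.resolve(rName).normalize();
        if (!candidate.startsWith(REPORT_DIR)) {       // defence in depth: stay inside REPORT_DIR
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name, then the traversal string
        // from the CWE example, an absolute path, and a name with an embedded "..".
        String[] samples = {
            "q3-sales.txt",
            "../../tomcat/conf/server.xml",
            "/etc/passwd",
            "notes.txt/../x.txt"
        };
        for (String s : samples) {
            Path p = resolveReport(s);
            System.out.println(s + " -> " + (p == null ? "rejected" : "accepted: " + p));
        }
    }
}
```

Only the first sample is accepted. The regex is the real control; the `startsWith` check is there so that a later loosening of the pattern does not silently reopen the hole. For files that are expected to exist already, calling `toRealPath()` on the candidate before the containment check also resolves symbolic links, which covers the soft-link case from the second example above.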
CVE ID | Title | CVSS | Severity | Published
CVE-2026-7303 | Xuxueli xxl-job Execution Log JobLogController.java logDetailCat resource injection — xxl-job | 3.7 | Low | 2026-04-28
CVE-2026-5414 | Newgen OmniDocs WebApiRequestRedirection resource injection — OmniDocs | 5.3 | Medium | 2026-04-02
CVE-2026-5031 | BichitroGan ISP Billing Software Endpoint users-view resource injection — ISP Billing Software | 4.3 | Medium | 2026-03-29
CVE-2026-3693 | Shy2593666979 AgentChat User Endpoint user.py update_user_info resource injection — AgentChat | 7.3 | High | 2026-03-08
CVE-2025-12919 | EverShop Order Order.resolvers.js resource injection — EverShop | 3.7 | Low | 2025-11-09
CVE-2025-12918 | yungifez Skuul School Management System View Fee Invoice fee-invoices resource injection — Skuul School Management System | 3.1 | Low | 2025-11-09
CVE-2025-12270 | LearnHouse Student Assignment Submission sub_file resource injection — LearnHouse | 4.3 | Medium | 2025-10-27
CVE-2025-43491 | Poly Lens Desktop Application – Privilege Escalation — Poly Lens | 6.7 (AI) | Medium (AI) | 2025-09-09
CVE-2025-9619 | E4 Sistemas Mercatus ERP id resource injection — Mercatus ERP | 5.3 | Medium | 2025-08-29
CVE-2025-9264 | Xuxueli xxl-job Jobs JobInfoController.java remove resource injection — xxl-job | 5.4 | Medium | 2025-08-20
CVE-2025-9263 | Xuxueli xxl-job JobLogController.java getJobsByGroup resource injection — xxl-job | 4.3 | Medium | 2025-08-20
CVE-2025-8793 | LitmusChaos Litmus resource injection — Litmus | 4.3 | Medium | 2025-08-10
CVE-2025-6534 | xxyopen/201206030 novel-plus File FileController.java remove resource injection — novel-plus | 4.2 | Medium | 2025-06-24
CVE-2025-2410 | Admin Authorized Port (iptables) manipulation (open/close/disable ports) — ASPECT-Enterprise | 9.1 | Critical | 2025-05-22
CVE-2025-3855 | CodeCanyon RISE Ultimate Project Manager Profile Picture save_profile_image resource injection — RISE Ultimate Project Manager | 4.3 | Medium | 2025-04-22
CVE-2025-0756 | Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection') — Pentaho Data Integration & Analytics | 9.1 | Critical | 2025-04-16
CVE-2025-3405 | FCJ Venture Builder appclientefiel HTTP GET Request ObterPedido resource injection — appclientefiel | 4.3 | Medium | 2025-04-08
CVE-2025-2125 | Control iD RH iD PDF Document companyId resource injection — RH iD | 4.3 | Medium | 2025-03-09
CVE-2025-1645 | Benner Connecta EditarLogado resource injection — Connecta | 6.3 | Medium | 2025-02-25
CVE-2025-1642 | Benner ModernaNet GetImageMedico resource injection — ModernaNet | 4.3 | Medium | 2025-02-25
CVE-2025-1575 | Harpia DiagSystem atualatendimento_jpeg.php resource injection — DiagSystem | 4.3 | Medium | 2025-02-23
CVE-2024-5706 | Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection') — Pentaho Data Integration & Analytics | 8.8 | High | 2025-02-19
CVE-2024-57971 | Knowage security vulnerability — KNOWAGE | 9.1 | Critical | 2025-02-16
CVE-2025-0625 | CampCodes School Management Software Attachment resource injection — School Management Software | 3.1 | Low | 2025-01-22
CVE-2023-6605 | Ffmpeg: dash playlist ssrf vulnerability in ffmpeg | 7.2 | High | 2025-01-06
CVE-2023-6604 | Ffmpeg: hls xbin demuxer dos amplification in ffmpeg | 5.3 | Medium | 2025-01-06
CVE-2023-6601 | Ffmpeg: hls unsafe file extension bypass in ffmpeg | 4.7 | Medium | 2025-01-06
CVE-2023-6602 | Ffmpeg: improper handling of input format in tty demuxer of ffmpeg | 5.3 | Medium | 2024-12-31
CVE-2024-7658 | projectsend process.php get_preview resource injection — projectsend | 5.3 | Medium | 2024-08-11
CVE-2024-7438 | SimpleMachines SMF User Alert Read Status index.php resource injection — SMF | 4.3 | Medium | 2024-08-03

Vulnerabilities classified as CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.