Knowledge Base - Issues
Our knowledge-base provides a comprehensive collection of information on vulnerabilities related to cyber security.Apache Solr local parameter injection is an input validation vulnerability (CWE-20) which occurs when user input is not properly sanitized and validated. This vulnerability can be exploited to inject local parameters into the application, which can then be used to execute malicious code on the server. This vulnerability is most...
When a web application is accessible using arbitrary HTTP Host headers, it can be vulnerable to a security issue known as Host Header Injection. This vulnerability occurs when an attacker can manipulate the Host header in an HTTP request to trick the server into processing the request as if it...
CSS Injection (reflected) is an input validation vulnerability that occurs when an application does not properly validate input from a web or API user. This type of attack allows malicious code to be injected into a web page such that it is reflected back to the user when it is...
CSS injection (stored) is a type of input validation vulnerability which occurs when a web application stores user-supplied data in a web page without properly validating or encoding it, which allows malicious users to inject arbitrary CSS code into the page. This type of vulnerability is classified in the Common...
CSV injection, also known as Formula Injection, is an attack technique used to exploit web and API applications that use comma-separated values (CSV) to store or exchange data. It is an input validation vulnerability, which is categorized as CWE-1236 according to the Common Weakness Enumeration (CWE). CSV injection is a...
DLL Hijacking is a type of vulnerability where an attacker is able to gain control of a system by exploiting a DLL file. DLLs are dynamic link library files, which are executable files used by applications to perform certain tasks. A DLL hijacking attack involves a malicious actor crafting a...
Expression Language (EL) injection is a type of vulnerability that occurs when an attacker is able to inject malicious code into an application's expression language interpreter (ELI). EL injection attacks can be used to gain access to sensitive data, modify existing data, and execute arbitrary commands. EL injection is also...
File path manipulation is a type of input validation vulnerability that occurs when user input is not properly sanitized, allowing malicious users to modify the file paths used by a web application or API. This vulnerability is classified in the Common Weakness Enumeration (CWE) directory as CWE-22, and is considered...
File path traversal is a type of input validation vulnerability that is categorized under the CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the CWE Top 25 (2022). This vulnerability occurs when an application receives input from an external source, such as a user, and does not...
Form action hijacking (reflected) is a type of input validation vulnerability in web and API applications that occurs when user-supplied input is not properly validated or sanitized. This type of attack occurs when an attacker uses malicious user input to modify the action attribute of a form element. This allows...
Form action hijacking (stored) is a type of input validation vulnerability that occurs when user-supplied data is used to dynamically construct a URL or form action without proper validation or sanitization. This type of attack is also referred to as an open redirect attack. This vulnerability is classified as CWE-601...
HTTP Request Smuggling is a type of web application vulnerability that allows an attacker to exploit an application's trust in a client by sending multiple HTTP requests as part of a single original request to a web server. There are two types of vulnerabilities where additional requests may be injected.
-...
HTTP Response Header Injection, also known as HTTP Response Splitting, is an input validation vulnerability that occurs when an attacker is able to inject a malicious payload into an HTTP response header. This type of attack is categorized as an Input Validation vulnerability (CWE-20) and is covered under the OWASP...
Improper input validation occurs when an application does not adequately verify or sanitize the input it receives from users. This can lead to various security issues, such as injection attacks, buffer overflows, and cross-site scripting (XSS). When inputs are not properly validated, malicious actors can manipulate the input to execute...
Input returned in response is a weakness in web and API applications that occurs when user input is returned in the response to a web or API request without first being validated or filtered. This weakness is classified under CWE-20, Improper Input Validation. It can be identified by testing for...
LDAP Injection (CWE-90) is a type of injection attack in which malicious code is inserted into LDAP statements via web form input. It occurs when user input is not sufficiently validated and is then used to construct LDAP statements that are passed to an LDAP server for execution. This type...
Link manipulation is an input validation vulnerability that occurs within web or API applications. It is categorized by the Common Weakness Enumeration (CWE) directory as CWE-23 and is defined as “the failure to properly validate input passed through a link, allowing an attacker to manipulate the destination of the link”....
No plausibility check, also known as input validation, is a vulnerability that occurs in web and API applications. This type of vulnerability occurs when application inputs are not verified and validated before being used by the application. This can lead to attackers being able to input malicious code into the...
Open redirection is an input validation vulnerability which is defined in the CWE directory as a type of 'CWE-601: URL Redirection to Untrusted Site (Open Redirection)'. It occurs when an application that accepts a user-controlled input redirects the user to an external untrusted website. This vulnerability is commonly found in...
OS command injection (CWE-78) is an injection attack technique used to execute arbitrary system commands on a vulnerable web or API application. It occurs when a user is able to inject malicious code into an input field of a web application or API in order to execute system commands on...
Perl Code Injection is a type of vulnerability that occurs when user input is not properly validated and is then used as part of a command or a programming language statement. This vulnerability is classified as CWE-94 Input Validation and is described in the OWASP Testing Guide, V4 as an...
PHP code injection is an input validation vulnerability that allows an attacker to inject malicious code into web applications or APIs written in PHP. This vulnerability can be found in the CWE directory under CWE-94: Improper Control of Generation of Code ('Code Injection'). It is also covered in the OWASP...
Clickjacking (UI Redressing) is a type of attack that occurs when an attacker uses multiple transparent or opaque layers to deceive a user into clicking on a button or link on another page when they were expecting to click on the top level page. This attack can be used to...
Python code injection, also known as Python injection, is a type of vulnerability that occurs when user-supplied input is not properly validated or is used without proper sanitization or encoding. Python code injection is classified as an input validation vulnerability and is listed in the Common Weakness Enumeration (CWE) directory...
Reflected Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. It occurs when user input is not properly sanitized and is reflected back to the user in the application’s response. This type of attack can be used to inject malicious client-side scripts into a...
Reliance on Untrusted Inputs in a Security Decision is a vulnerability in the Common Weakness Enumeration (CWE) directory with the ID CWE-327. This vulnerability is a type of input validation vulnerability that occurs when an application uses externally-supplied input to make a security decision. It occurs when a security decision...
Remote Code Execution (RCE) is a type of security vulnerability that allows an attacker to execute arbitrary code on a targeted system or application remotely. This means that an attacker can exploit this vulnerability without having physical access to the system. RCE vulnerabilities are considered highly critical and pose significant...
Resource Injection (CWE-99) is an input validation vulnerability that occurs when untrusted data is used to control a web or API resource in an unsafe manner. This vulnerability is defined in the Common Weakness Enumeration (CWE) directory as an input validation problem where the application does not properly validate or...
Ruby code injection is a type of input validation vulnerability, which is listed in the Common Weakness Enumeration directory as CWE-94. This type of vulnerability occurs when data entered by a user is not validated or sanitized and is executed as a Ruby code within the application. This type of...
Server-Side Includes (SSI) Injection is a type of vulnerability that exists in Web and API applications. This vulnerability occurs when user-supplied data is not properly validated before being used in dynamic page generation, allowing attackers to inject malicious code into the page that is generated. According to the Common Weakness...
Server-side JavaScript code injection is a type of security vulnerability that occurs when a malicious entity is able to inject malicious code into a web or API server that is then executed on the server side. The vulnerability is categorized in the Common Weakness Enumeration (CWE) directory as CWE-95, Improper...
Server-Side Request Forgery (SSRF) is a type of input validation vulnerability that occurs when an attacker is able to manipulate a request from a vulnerable server-side application to access resources that are not intended to be accessed by the attacker, such as internal services and files. This vulnerability is classified...
Server-side template injection (SSTI) is a type of vulnerability that occurs when user-supplied data is passed to a web application template engine (CWE-943). It occurs when an application takes user input and uses it to generate and execute a template. This vulnerability can be used to inject malicious code and...
SMTP Header Injection (CWE-113) is an input validation vulnerability that occurs when an application or system fails to properly validate user input contained in the header of an email message. This can result in the injection of malicious code into the header of a legitimate email message. This vulnerability is...
SQL Injection (CWE-89) is a type of input validation vulnerability where the attacker submits malicious code to a web application or API through the user interface. This malicious code is then used to execute arbitrary code or modify the application's data. According to the CWE directory, SQL Injection is categorized...
SQL statement in request parameter is a type of web and API vulnerability that can occur when user-supplied input is not properly filtered, validated, or sanitized before it is used in an SQL query. This allows attackers to modify the structure of the query, potentially leading to a SQL injection...
Suspicious Input Transformation is an input validation weakness that occurs in web and API applications when an attacker is able to alter an application's expected behaviour by submitting dangerous inputs. This type of attack is particularly dangerous as it allows an attacker to potentially bypass validations.
## Risk
An attacker could potentially...
Unidentified code injection (CWE-94) is a type of input validation vulnerability that occurs when a web or API application fails to properly validate user input before sending it to a web server or database. This type of vulnerability allows malicious users to inject arbitrary code into the application, potentially allowing...
The application allows the attacker to upload or transfer malicious files that can be automatically processed within the product's environment. The application should be able to fend off bogus and malicious files in a way to keep the application and the users safe.
## Risk
An attacker could be able to upload...
User controllable serialized object is a type of input validation vulnerability, which is listed in the CWE directory as CWE-502. It occurs when user-controlled input is deserialized by an application and can be used to manipulate the application’s behavior. This vulnerability can be found in web and API applications, and...
VxWorks WDB Debug Service is an input validation vulnerability that can occur in infrastructure systems. It occurs when an attacker is able to exploit a vulnerability in the WDB Debug Service of VxWorks, allowing them to execute arbitrary code remotely on the target system. This vulnerability is classified as CWE-20,...
Web Cache Poisoning (CWE-444) is a type of attack where malicious data is injected into a web server's cache, resulting in a compromised response being returned to the user. This type of attack is often used to gain access to sensitive information or to inject malicious code into a web...
XML external entity injection (XXE) is a type of computer security vulnerability typically found in web applications that parse XML input. This can allow an attacker to gain access to sensitive data, perform denial of service attacks, port scanning, and even server-side request forgery (SSRF). The vulnerability is categorized by...
XML Injection, also known as XPath Injection, is an attack technique used to exploit web and application programming interfaces (APIs) that parse XML input. It is an input validation vulnerability in which XML code is injected into an XML document, usually through the input fields of a web application, in...
XPath injection is a type of injection attack that targets applications that use web-based XML data sources. It occurs when an application uses untrusted user input to construct an XPath query for XML data. If the application does not properly sanitize input, an attacker can execute XPath queries to view,...
Showing entries 1 to 45 of 45 entries.