CWE-151 Individual Dictionary Definition (Draft 9)

Weakness ID: 151 (Weakness Variant)
Status: Draft

Description

Summary: Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions.

Potential Mitigations

Developers should anticipate that comments will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and white lists to ensure only valid, expected and appropriate input is processed by the system.

Observed Examples

| Reference | Description |
|---|---|
| CVE-2002-0001 | Mail client command execution due to improperly terminated comment in address list. |
| CVE-2004-0162 | MIE. RFC822 comment fields may be processed as other fields by clients. |
| CVE-2004-1686 | Well-placed comment bypasses security warning. |
| CVE-2005-1909 | Information hiding using a manipulation involving injection of comment code into product. Note: these vulns are likely vulnerable to more general XSS problems, although a regexp might allow ">!--" while denying most other tags. |
| CVE-2005-1969 | Information hiding using a manipulation involving injection of comment code into product. Note: these vulns are likely vulnerable to more general XSS problems, although a regexp might allow "<!--" while denying most other tags. |

Relationships

Source Taxonomies: PLOVER - Comment Element
Applicable Platforms: All
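The mitigation above asks for input handling that anticipates comment delimiters rather than a tag denylist alone. The following Python is an added illustration, not part of the CWE entry, of both halves for the two delimiter families the observed examples mention: RFC 822 "(...)" comments in an address-list field (including the improperly terminated case) and HTML "<!--" / "-->" delimiters. The regular expression, function names and sample inputs are all constructed for this example; the allowlist for a mailbox is deliberately strict and is an assumption, not a complete RFC 822 grammar.

```python
import html
import re

# Constructed allowlist for one mailbox in an address-list field. Parentheses
# are deliberately absent: "(" opens an RFC 822 comment, which a second parser
# downstream may interpret as part of a different field.
_MAILBOX = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

HTML_COMMENT_DELIMITERS = ("<!--", "-->")

# Constructed sample inputs; none is taken from a real report.
SAMPLES = {
    "clean": "alice@example.test, bob@example.test",
    "balanced_comment": "alice@example.test (Alice), bob@example.test",
    "unterminated_comment": "alice@example.test (Alice, bob@example.test",
    "html_comment": "<b>hi</b> <!-- hidden --> text",
}


def rfc822_comment_state(field: str) -> str:
    """Classify use of RFC 822 "(...)" comments in an address-list field.

    Returns "none", "balanced", or "malformed" (an unclosed "(", a stray ")"
    or an unclosed quote: the shape of an improperly terminated comment).
    Quoted strings and backslash quoted-pairs are skipped, so a "(" inside
    "..." or after a backslash does not open a comment.
    """
    depth = 0
    saw_comment = False
    in_quote = False
    escaped = False
    for ch in field:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"' and depth == 0:
            in_quote = not in_quote
        elif in_quote:
            pass
        elif ch == "(":
            depth += 1
            saw_comment = True
        elif ch == ")":
            if depth == 0:
                return "malformed"
            depth -= 1
    if depth > 0 or in_quote:
        return "malformed"
    return "balanced" if saw_comment else "none"


def validate_address_list(field: str) -> list[str]:
    """Allowlist validation of a comma-separated address list.

    Any comment, balanced or not, is rejected with a specific reason, and each
    remaining token must match the strict mailbox pattern. Raises ValueError
    on rejection and returns the accepted mailboxes otherwise.
    """
    state = rfc822_comment_state(field)
    if state != "none":
        raise ValueError(f"comment delimiters in address list ({state})")
    mailboxes = [tok.strip() for tok in field.split(",")]
    for box in mailboxes:
        if not _MAILBOX.match(box):
            raise ValueError(f"mailbox not in allowlist: {box!r}")
    return mailboxes


def is_valid_address_list(field: str) -> bool:
    """Boolean wrapper around validate_address_list for callers and tests."""
    try:
        validate_address_list(field)
    except ValueError:
        return False
    return True


def contains_html_comment_delimiter(text: str) -> bool:
    """Denylist check: True if either HTML comment delimiter is present.

    Shown to make the gap concrete: a tag filter that blocks named tags but
    never lists "<!--" still passes comments through unchanged.
    """
    return any(d in text for d in HTML_COMMENT_DELIMITERS)


def neutralize_html(text: str) -> str:
    """Allowlist-style neutralization: escape every markup-significant
    character, so "<!--" becomes "&lt;!--" and can no longer open a comment."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: {rfc822_comment_state(value)}, "
              f"accepted={is_valid_address_list(value)}")
    print(neutralize_html(SAMPLES["html_comment"]))
```

The address-list path rejects comments outright because the field's allowlist has no legitimate use for them; the HTML path escapes rather than deletes, so the original text survives in a form no HTML parser will read as a comment. Stripping delimiters with a regular expression is the weaker choice in both cases: what is left after removal can itself form a new delimiter.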