Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  

CWE CATEGORY: SFP Secondary Cluster: Tainted Input to Command

Category ID: 990
Status: Incomplete
+ Summary
This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster.
+ Membership
MemberOfCategoryCategory896SFP Primary Cluster: Tainted Input
HasMemberClassClass74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
HasMemberClassClass75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
HasMemberBaseBase76Improper Neutralization of Equivalent Special Elements
HasMemberClassClass77Improper Neutralization of Special Elements used in a Command ('Command Injection')
HasMemberBaseBase78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
HasMemberBaseBase79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
HasMemberVariantVariant80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
HasMemberVariantVariant81Improper Neutralization of Script in an Error Message Web Page
HasMemberVariantVariant82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
HasMemberVariantVariant83Improper Neutralization of Script in Attributes in a Web Page
HasMemberVariantVariant84Improper Neutralization of Encoded URI Schemes in a Web Page
HasMemberVariantVariant85Doubled Character XSS Manipulations
HasMemberVariantVariant86Improper Neutralization of Invalid Characters in Identifiers in Web Pages
HasMemberVariantVariant87Improper Neutralization of Alternate XSS Syntax
HasMemberBaseBase88Argument Injection or Modification
HasMemberBaseBase89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
HasMemberBaseBase90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
HasMemberBaseBase91XML Injection (aka Blind XPath Injection)
HasMemberBaseBase93Improper Neutralization of CRLF Sequences ('CRLF Injection')
HasMemberBaseBase95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
HasMemberBaseBase96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
HasMemberVariantVariant97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
HasMemberBaseBase99Improper Control of Resource Identifiers ('Resource Injection')
HasMemberVariantVariant102Struts: Duplicate Validation Forms
HasMemberVariantVariant103Struts: Incomplete validate() Method Definition
HasMemberVariantVariant104Struts: Form Bean Does Not Extend Validation Class
HasMemberVariantVariant105Struts: Form Field Without Validator
HasMemberVariantVariant106Struts: Plug-in Framework not in Use
HasMemberVariantVariant107Struts: Unused Validation Form
HasMemberVariantVariant108Struts: Unvalidated Action Form
HasMemberVariantVariant109Struts: Validator Turned Off
HasMemberVariantVariant110Struts: Validator Without Form Field
HasMemberBaseBase112Missing XML Validation
HasMemberBaseBase113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
HasMemberBaseBase130Improper Handling of Length Parameter Inconsistency
HasMemberBaseBase134Use of Externally-Controlled Format String
HasMemberClassClass138Improper Neutralization of Special Elements
HasMemberBaseBase140Improper Neutralization of Delimiters
HasMemberVariantVariant141Improper Neutralization of Parameter/Argument Delimiters
HasMemberVariantVariant142Improper Neutralization of Value Delimiters
HasMemberVariantVariant143Improper Neutralization of Record Delimiters
HasMemberVariantVariant144Improper Neutralization of Line Delimiters
HasMemberVariantVariant145Improper Neutralization of Section Delimiters
HasMemberVariantVariant146Improper Neutralization of Expression/Command Delimiters
HasMemberVariantVariant147Improper Neutralization of Input Terminators
HasMemberVariantVariant148Improper Neutralization of Input Leaders
HasMemberVariantVariant149Improper Neutralization of Quoting Syntax
HasMemberVariantVariant150Improper Neutralization of Escape, Meta, or Control Sequences
HasMemberVariantVariant151Improper Neutralization of Comment Delimiters
HasMemberVariantVariant152Improper Neutralization of Macro Symbols
HasMemberVariantVariant153Improper Neutralization of Substitution Characters
HasMemberVariantVariant154Improper Neutralization of Variable Name Delimiters
HasMemberVariantVariant155Improper Neutralization of Wildcards or Matching Symbols
HasMemberVariantVariant156Improper Neutralization of Whitespace
HasMemberVariantVariant157Failure to Sanitize Paired Delimiters
HasMemberVariantVariant158Improper Neutralization of Null Byte or NUL Character
HasMemberClassClass159Failure to Sanitize Special Element
HasMemberVariantVariant160Improper Neutralization of Leading Special Elements
HasMemberVariantVariant161Improper Neutralization of Multiple Leading Special Elements
HasMemberVariantVariant162Improper Neutralization of Trailing Special Elements
HasMemberVariantVariant163Improper Neutralization of Multiple Trailing Special Elements
HasMemberVariantVariant164Improper Neutralization of Internal Special Elements
HasMemberVariantVariant165Improper Neutralization of Multiple Internal Special Elements
HasMemberBaseBase183Permissive Whitelist
HasMemberBaseBase184Incomplete Blacklist
HasMemberClassClass185Incorrect Regular Expression
HasMemberBaseBase186Overly Restrictive Regular Expression
HasMemberBaseBase444Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
HasMemberVariantVariant553Command Shell in Externally Accessible Directory
HasMemberVariantVariant554ASP.NET Misconfiguration: Not Using Input Validation Framework
HasMemberVariantVariant564SQL Injection: Hibernate
HasMemberVariantVariant601URL Redirection to Untrusted Site ('Open Redirect')
HasMemberVariantVariant611Improper Restriction of XML External Entity Reference ('XXE')
HasMemberBaseBase619Dangling Database Cursor ('Cursor Injection')
HasMemberBaseBase621Variable Extraction Error
HasMemberBaseBase624Executable Regular Expression Error
HasMemberBaseBase625Permissive Regular Expression
HasMemberVariantVariant626Null Byte Interaction Error (Poison Null Byte)
HasMemberBaseBase627Dynamic Variable Evaluation
HasMemberBaseBase641Improper Restriction of Names for Files and Other Resources
HasMemberBaseBase643Improper Neutralization of Data within XPath Expressions ('XPath Injection')
HasMemberVariantVariant644Improper Neutralization of HTTP Headers for Scripting Syntax
HasMemberVariantVariant646Reliance on File Name or Extension of Externally-Supplied File
HasMemberBaseBase652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
HasMemberClassClass707Improper Enforcement of Message or Data Structure
+ Content History
Submission DateSubmitterOrganizationSource
2014-07-29CWE Content TeamMITRE
Modification DateModifierOrganizationSource
2017-11-08CWE Content TeamMITRE
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: November 14, 2017