SFP Secondary Cluster: Tainted Input to Environment
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
The product does not prevent the definition of control spheres from external actors.
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutraliz...
The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.
The software does not properly protect an assumed-immutable element from being modified by an attacker.
A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the appli...
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) o...
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper clas...
CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).