CWE-99
Allowed-with-ReviewImproper Control of Resource Identifiers ('Resource Injection')
Abstraction: Class · Status: Draft
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
112 vulnerabilities reference this CWE, most recent first.
GHSA-QXC5-J6GP-6G2H
Vulnerability from github – Published: 2026-05-31 06:31 – Updated: 2026-05-31 06:31A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-10168"
],
"database_specific": {
"cwe_ids": [
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-31T05:16:24Z",
"severity": "LOW"
},
"details": "A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-qxc5-j6gp-6g2h",
"modified": "2026-05-31T06:31:49Z",
"published": "2026-05-31T06:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10168"
},
{
"type": "WEB",
"url": "https://github.com/OUSL-GROUP-BrinaryBrains/School-Student-Management-System/issues/25"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/819161"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367422"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367422/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RC68-W6QC-CFHF
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-9438"
],
"database_specific": {
"cwe_ids": [
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-25T08:16:25Z",
"severity": "LOW"
},
"details": "A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-rc68-w6qc-cfhf",
"modified": "2026-05-26T13:30:40Z",
"published": "2026-05-26T13:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9438"
},
{
"type": "WEB",
"url": "https://github.com/yashpokharna2555/StudentManagementSystem/issues/1"
},
{
"type": "WEB",
"url": "https://github.com/yashpokharna2555/StudentManagementSystem"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/813961"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/365419"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/365419/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V793-W449-37R3
Vulnerability from github – Published: 2025-02-16 06:31 – Updated: 2025-03-21 15:31DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that java:comp/env/jdbc/ occurs at the beginning of a JNDI Name.
{
"affected": [],
"aliases": [
"CVE-2024-57971"
],
"database_specific": {
"cwe_ids": [
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-16T04:15:23Z",
"severity": "CRITICAL"
},
"details": "DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that java:comp/env/jdbc/ occurs at the beginning of a JNDI Name.",
"id": "GHSA-v793-w449-37r3",
"modified": "2025-03-21T15:31:11Z",
"published": "2025-02-16T06:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57971"
},
{
"type": "WEB",
"url": "https://github.com/KnowageLabs/Knowage-Server/commit/f7d0362f737e1b0db1cc9cc95b1236d62d83dd0c"
},
{
"type": "WEB",
"url": "https://github.com/KnowageLabs/Knowage-Server/compare/v8.1.29...v8.1.30"
},
{
"type": "WEB",
"url": "https://github.com/darumaseye/CVEs/blob/ec2de9f7ecffde466e687745bfdfc672e86241d7/CVE-2024-57971.md"
},
{
"type": "WEB",
"url": "https://spagobi.readthedocs.io"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V849-3G95-8HQQ
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/controller/FileController.java of the component File Handler. The manipulation leads to improper control of resource identifiers. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-6534"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T01:15:25Z",
"severity": "LOW"
},
"details": "A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/controller/FileController.java of the component File Handler. The manipulation leads to improper control of resource identifiers. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-v849-3g95-8hqq",
"modified": "2025-06-26T21:31:03Z",
"published": "2025-06-26T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6534"
},
{
"type": "WEB",
"url": "https://blog.0xd00.com/blog/missing-authorization-leads-to-arbitrary-file-deletion"
},
{
"type": "WEB",
"url": "https://blog.0xd00.com/blog/missing-authorization-leads-to-arbitrary-file-deletion#poc"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.313653"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.313653"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.596505"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W29M-FJP4-QHMQ
Vulnerability from github – Published: 2020-01-30 21:21 – Updated: 2021-01-14 17:45Impact
Opencast allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations.
In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change.
Patches
This issue is fixed in Opencast 7.6 and 8.1.
Workarounds
There is no workaround for this.
For more information
If you have any questions or comments about this advisory:
- Open an issue in opencast/opencast
- For security-relevant information, email us at security@opencast.org
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:base"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:base"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5230"
],
"database_specific": {
"cwe_ids": [
"CWE-99"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-30T20:35:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nOpencast allows almost arbitrary identifiers for media packages and\nelements to be used. This can be problematic for operation and security\nsince such identifiers are sometimes used for file system operations\nwhich may lead to an attacker being able to escape working directories and\nwrite files to other locations.\n\nIn addition, Opencast\u0027s Id.toString(\u2026) vs Id.compact(\u2026) behavior,\nthe latter trying to mitigate some of the file system problems, can\ncause errors due to identifier mismatch since an identifier may\nunintentionally change.\n\n### Patches\n\nThis issue is fixed in Opencast 7.6 and 8.1.\n\n### Workarounds\n\nThere is no workaround for this.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues)\n- For security-relevant information, email us at security@opencast.org",
"id": "GHSA-w29m-fjp4-qhmq",
"modified": "2021-01-14T17:45:47Z",
"published": "2020-01-30T21:21:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5230"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Unsafe Identifiers in Opencast"
}
GHSA-W7PV-HCJH-P9W4
Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field.
{
"affected": [],
"aliases": [
"CVE-2023-2200"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T03:15:09Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field.",
"id": "GHSA-w7pv-hcjh-p9w4",
"modified": "2024-04-04T06:06:03Z",
"published": "2023-07-13T03:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2200"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1935628"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/408281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJ7R-CV36-MXR3
Vulnerability from github – Published: 2025-01-06 18:31 – Updated: 2025-11-03 21:32A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
{
"affected": [],
"aliases": [
"CVE-2023-6601"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T17:15:14Z",
"severity": "MODERATE"
},
"details": "A flaw was found in FFmpeg\u0027s HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.",
"id": "GHSA-wj7r-cv36-mxr3",
"modified": "2025-11-03T21:32:03Z",
"published": "2025-01-06T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6601"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253172"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQC8-JPFX-W9G4
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
{
"affected": [],
"aliases": [
"CVE-2020-8177"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T20:15:00Z",
"severity": "HIGH"
},
"details": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.",
"id": "GHSA-wqc8-jpfx-w9g4",
"modified": "2022-05-24T17:36:21Z",
"published": "2022-05-24T17:36:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/887462"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2020-8177.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4881"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X2QM-672H-5482
Vulnerability from github – Published: 2024-08-03 15:30 – Updated: 2024-08-03 15:30A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273522 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-7437"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-03T15:15:58Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273522 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-x2qm-672h-5482",
"modified": "2024-08-03T15:30:34Z",
"published": "2024-08-03T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7437"
},
{
"type": "WEB",
"url": "https://github.com/Fewword/Poc/blob/main/smf/smf-poc1.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.273522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.273522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.380189"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X5P5-CX32-RPPV
Vulnerability from github – Published: 2025-02-25 03:32 – Updated: 2025-02-25 03:32A vulnerability classified as critical was found in Benner Connecta 1.0.5330. Affected by this vulnerability is an unknown functionality of the file /Usuarios/Usuario/EditarLogado/. The manipulation of the argument Handle leads to improper control of resource identifiers. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-1645"
],
"database_specific": {
"cwe_ids": [
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-25T02:15:16Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical was found in Benner Connecta 1.0.5330. Affected by this vulnerability is an unknown functionality of the file /Usuarios/Usuario/EditarLogado/. The manipulation of the argument Handle leads to improper control of resource identifiers. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-x5p5-cx32-rppv",
"modified": "2025-02-25T03:32:12Z",
"published": "2025-02-25T03:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1645"
},
{
"type": "WEB",
"url": "https://github.com/yago3008/cves"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.296695"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.296695"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.501406"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, it can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-10: Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
CAPEC-240: Resource Injection
An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.