VYPR

CWE-178

Improper Handling of Case Sensitivity

BaseIncomplete

Description

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (67)

page 1 of 4
  • CVE-2001-0766CriOct 18, 2001
    risk 0.67cvss 9.8epss 0.09

    Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.

  • CVE-2026-47323CriMay 19, 2026
    risk 0.64cvss 9.8epss 0.01

    Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in…

  • CVE-2005-0269CriMay 2, 2005
    risk 0.64cvss 9.8epss 0.03

    The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.

  • CVE-2004-2154CriDec 31, 2004
    risk 0.64cvss 9.8epss 0.02

    CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.

  • CVE-2004-2214CriDec 31, 2004
    risk 0.64cvss 9.8epss 0.03

    Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters.

  • CVE-2002-2119CriDec 31, 2002
    risk 0.64cvss 9.8epss 0.03

    Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.

  • CVE-2002-1820CriDec 31, 2002
    risk 0.64cvss 9.8epss 0.02

    register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A," but allows a remote attacker to impersonate the administrator by registering an account name of admin with a lower case "a."

  • CVE-2026-46392HigJun 5, 2026
    risk 0.57cvss 8.7epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces…

  • CVE-2026-40453CriApr 27, 2026
    risk 0.57cvss 9.9epss 0.01

    The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP…

  • CVE-2026-28292CriMar 10, 2026
    risk 0.57cvss 9.8epss 0.01

    `simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine.…

  • CVE-2003-0411HigJun 30, 2003
    risk 0.54cvss 7.5epss 0.27

    Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension.

  • CVE-2007-3365HigJun 22, 2007
    risk 0.52cvss 7.5epss 0.06

    MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI.

  • CVE-1999-0239HigJan 1, 1998
    risk 0.52cvss 7.5epss 0.07

    Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.

  • CVE-2001-1238HigJul 16, 2001
    risk 0.51cvss 7.8epss 0.01

    Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the…

  • CVE-2025-67718HigDec 11, 2025
    risk 0.50cvss epss 0.00

    Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or…

  • CVE-2004-1083HigDec 3, 2004
    risk 0.49cvss 7.5epss 0.02

    Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate…

  • CVE-2002-0485HigAug 12, 2002
    risk 0.49cvss 7.5epss 0.01

    Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some mail clients.

  • CVE-2001-0795HigOct 18, 2001
    risk 0.49cvss 7.5epss 0.02

    Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.

  • CVE-2000-0498HigJun 8, 2000
    risk 0.49cvss 7.5epss 0.02

    Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.

  • CVE-2000-0499HigJun 8, 2000
    risk 0.49cvss 7.5epss 0.03

    The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.