CWE-349
Acceptance of Extraneous Untrusted Data With Trusted Data
Description
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-141 · CAPEC-142 · CAPEC-75
CVEs mapped to this weakness (26)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-46982 | | | 0.00 | — | 0.61 | | Sep 17, 2024 | Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent… |
| CVE-2023-46446 | | — | 0.00 | — | 0.01 | | Nov 14, 2023 | An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." |
| CVE-2023-46445 | | — | 0.00 | — | 0.01 | | Nov 14, 2023 | An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation." |
| CVE-2023-5548 | | | 0.00 | — | 0.00 | | Nov 9, 2023 | Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. |
| CVE-2014-1418 | | | 0.00 | — | 0.03 | | May 16, 2014 | Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from… |
| CVE-2011-4139 | | | 0.00 | — | 0.02 | | Oct 19, 2011 | Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request. |