VYPR

CWE-436

Interpretation Conflict

Abstraction: Class · Status: Incomplete

Description

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.
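The shape of the weakness is easiest to see with two components that parse the same input by different rules. The following is an added example, not code from any product listed on this page: a front-end guard decides whether a request path may pass, and a back end decides which handler to run. The guard name, the back end's normalisation steps (percent-decoding, dropping empty and `.` segments, resolving `..`, dropping trailing slashes), the `/admin` policy and the probe strings are all assumptions constructed for the demonstration.

```python
"""
Interpretation conflict (CWE-436), constructed example.

A guard in front of an application decides on the RAW path it sees, while
the back end normalises the path before routing.  Because the two parse
the same bytes differently, the guard's picture of what the back end will
do is wrong, and requests it believes are harmless reach the admin handler.
Names, policy and probe inputs are assumptions for this example only.
"""
from urllib.parse import unquote


def canonicalize(raw_path: str) -> str:
    """The back end's view of a path (assumed normalisation rules):
    percent-decode, drop empty and '.' segments, resolve '..', no trailing '/'."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def backend_route(raw_path: str) -> str:
    """Handler the back end dispatches to, decided on the canonical path."""
    path = canonicalize(raw_path)
    if path == "/admin" or path.startswith("/admin/"):
        return "admin"
    return "public"


def guard_naive(raw_path: str) -> bool:
    """Vulnerable guard: judges the raw string, not what the back end will act on."""
    return not raw_path.startswith("/admin")


def guard_hardened(raw_path: str) -> bool:
    """Fixed guard: decide on exactly the view the back end uses, and refuse
    any spelling that is not already canonical.  Input that has to be
    rewritten before it can be understood is precisely where two parsers
    can disagree, so it is rejected rather than interpreted."""
    path = canonicalize(raw_path)
    if path == "/admin" or path.startswith("/admin/"):
        return False
    return path == raw_path


# Constructed probe inputs: several spellings of the same admin path.
PROBES = [
    "/admin", "/admin/", "/%61dmin", "//admin", "/./admin",
    "/public/../admin", "/public", "/public/",
]


def find_bypasses(guard, probes=PROBES):
    """Inputs the guard allows that the back end nevertheless routes to 'admin'.
    This is the check to run whenever a guard and a consumer parse
    independently: any non-empty result is an interpretation conflict."""
    return [p for p in probes if guard(p) and backend_route(p) == "admin"]


if __name__ == "__main__":
    print("naive guard bypassed by:   ", find_bypasses(guard_naive))
    print("hardened guard bypassed by:", find_bypasses(guard_hardened))
```

The naive guard rejects only the literal `/admin...` spellings, so `/%61dmin`, `//admin`, `/./admin` and `/public/../admin` all pass it and all land on the admin handler. The hardened guard closes the gap in two ways that generalise to every entry on this page: it makes its decision on the same canonical form the consumer acts on (the Shiro/Spring Boot and Flatpak proxy/daemon cases are both failures of that rule), and it rejects non-canonical input outright instead of guessing how the other side will read it.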

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-105 · CAPEC-273 · CAPEC-34

CVEs mapped to this weakness (69)

page 4 of 4
  • CVE-2019-25101 · Feb 4, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability classified as critical has been found in OnShift TurboGears 1.0.11.10. This affects an unknown part of the file turbogears/controllers.py of the component HTTP Header Handler. The manipulation leads to http response splitting. It is possible to initiate the…

  • CVE-2023-22602 · Jan 14, 2023
    risk 0.00 · cvss n/a · epss 0.02

    When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot <…

  • CVE-2022-41915 · Dec 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header…

  • CVE-2021-33621 · Nov 18, 2022
    risk 0.00 · cvss n/a · epss 0.02

    The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

  • CVE-2022-36051 · Aug 31, 2022
    risk 0.00 · cvss n/a · epss 0.01

    ZITADEL combines the ease of Auth0 and the versatility of Keycloak. **Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain…

  • CVE-2022-29254 · Jun 6, 2022
    risk 0.00 · cvss n/a · epss 0.01

    silverstripe-omnipay is a SilverStripe integration with Omnipay PHP payments library. For a subset of Omnipay gateways (those that use intermediary states like `isNotification()` or `isRedirect()`), if the payment identifier or success URL is exposed it is possible for payments…

  • CVE-2021-39137 · Aug 24, 2021
    risk 0.00 · cvss n/a · epss 0.02

    go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be…

  • CVE-2021-21366 · Mar 12, 2021
    risk 0.00 · cvss n/a · epss 0.01

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This…

  • CVE-2018-6560 · High · Feb 2, 2018
    risk 0.00 · cvss 8.8 · epss 0.00

    In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.