VYPR

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
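As an added illustration of the weakness described above (example code written for this page, not code from any of the products listed below), the block pairs a weak and a hardened resolver for three shapes of resource identifier that recur in the CVE list: a JNDI-style lookup name that must stay under a fixed prefix, a server-chosen filename joined onto a download directory, and a numeric record ID taken from the request. The prefix, context names, paths and records in it are all constructed for the example.

```python
"""CWE-99 in three of the shapes seen in the CVE list on this page.

Constructed example; not code from any listed product. Each shape pairs a
weak resolver, which hands a caller-controlled string straight to the
resource layer, with a hardened one that confines the identifier to the
set the caller is meant to reach.
"""
from pathlib import PurePosixPath
from typing import Optional

# --- Shape 1: lookup name that must stay inside one namespace ---------------
# Pattern from the Knowage entry (JNDI name required to begin with
# java:comp/env/jdbc/). The dict below stands in for a JNDI context; its
# names and values are invented for the example.
ALLOWED_PREFIX = "java:comp/env/jdbc/"
FAKE_JNDI_CONTEXT = {
    "java:comp/env/jdbc/reportsDB": "jdbc:postgresql://db.internal/reports",
    "java:comp/env/jdbc/auditDB": "jdbc:postgresql://db.internal/audit",
    "java:comp/env/mail/outbound": "smtp://mail.internal",     # wrong namespace
    "ldap://attacker.example/x": "<remote object factory>",    # attacker's target
}

def lookup_vulnerable(name: str) -> Optional[str]:
    """Weak: whatever the caller supplies is resolved as-is."""
    return FAKE_JNDI_CONTEXT.get(name)

def lookup_hardened(name: str) -> Optional[str]:
    """Resolve only names that are one plain segment under the allowed prefix.

    startswith() rather than a substring test, so "x/java:comp/env/jdbc/y"
    is rejected; the remainder must be a single ASCII [A-Za-z0-9_] token, so
    "java:comp/env/jdbc/../mail/outbound" cannot climb out of the namespace.
    """
    if not name.startswith(ALLOWED_PREFIX):
        return None
    rest = name[len(ALLOWED_PREFIX):]
    if not rest or not rest.isascii() or not rest.replace("_", "").isalnum():
        return None
    return FAKE_JNDI_CONTEXT.get(name)

# --- Shape 2: remote-chosen filename written under a local directory ---------
# Pattern from the curl -J entry (server-supplied name used for the local file).
# Paths are handled as pure POSIX strings so the example never touches disk.
def save_path_vulnerable(download_dir: str, remote_name: str) -> str:
    """Weak: joining an absolute or dotted name lets the server pick the path."""
    return str(PurePosixPath(download_dir) / remote_name)

def save_path_hardened(download_dir: str, remote_name: str) -> Optional[str]:
    """Keep only the last path component and refuse anything that is not a
    plain file name. A real downloader should additionally open the target
    with O_EXCL so an existing file is never overwritten."""
    base = PurePosixPath(remote_name).name
    if base in ("", ".", "..") or "/" in base or "\\" in base:
        return None
    if any(ord(c) < 32 or c == "\x7f" for c in base):
        return None
    return str(PurePosixPath(download_dir) / base)

# --- Shape 3: record ID accepted without binding it to the caller ------------
# Pattern from the many "manipulation of the argument ID" entries on this
# page. Records and owners are invented.
RECORDS = {
    101: {"owner": "alice", "title": "Q1 report"},
    102: {"owner": "bob", "title": "payroll export"},
}

def get_record_vulnerable(record_id: int) -> Optional[dict]:
    """Weak: any ID the caller guesses is served."""
    return RECORDS.get(record_id)

def get_record_hardened(caller: str, record_id: int) -> Optional[dict]:
    """Look the record up, then check it belongs to the caller. Missing and
    foreign records get the same answer so IDs cannot be enumerated."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != caller:
        return None
    return rec

if __name__ == "__main__":
    print(lookup_vulnerable("ldap://attacker.example/x"), lookup_hardened("ldap://attacker.example/x"))
    print(save_path_vulnerable("/home/u/dl", "/etc/passwd"), save_path_hardened("/home/u/dl", "/etc/passwd"))
    print(get_record_vulnerable(102), get_record_hardened("alice", 102))
```

The common thread is that the check sits on the identifier before it reaches the resource layer and is an allow-list (fixed prefix plus one token, a bare file name, a record the caller owns), not a deny-list of known-bad strings.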

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-240 · CAPEC-75

CVEs mapped to this weakness (30)

page 1 of 2
  • CVE-2017-5159 · Critical · Feb 13, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An issue was discovered on Phoenix Contact mGuard devices that have been updated to Version 8.4.0. When updating an mGuard device to Version 8.4.0 via the update-upload facility, the update will succeed, but it will reset the password of the admin user to its default value.

  • CVE-2025-2410 · Critical · May 22, 2025
    risk 0.59 · CVSS 9.1 · EPSS 0.00

    Port manipulation vulnerabilities in ASPECT provide attackers with the ability to control TCP/IP port access if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through…

  • CVE-2025-0756 · Critical · Apr 16, 2025
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    Overview: The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Description: …

  • CVE-2024-5706 · High · Feb 19, 2025
    risk 0.58 · CVSS 8.8 · EPSS 0.01

    The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Hitachi Vantara Pentaho Data Integration &…

  • CVE-2024-57971 · Critical · Feb 16, 2025
    risk 0.52 · CVSS 9.1 · EPSS 0.01

    DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that java:comp/env/jdbc/ occurs at the beginning of a JNDI Name.

  • CVE-2020-8177 · High · Dec 14, 2020
    risk 0.51 · CVSS 7.8 · EPSS 0.01

    curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to overwriting a local file when the -J flag is used.

  • CVE-2026-3693 · High · Mar 8, 2026
    risk 0.47 · CVSS 7.3 · EPSS 0.00

    A flaw has been found in Shy2593666979 AgentChat up to 2.3.0. This issue affects the function get_user_info/update_user_info of the file /src/backend/agentchat/api/v1/user.py of the component User Endpoint. This manipulation of the argument user_id causes improper control of…

  • CVE-2026-33603 · Medium · May 12, 2026
    risk 0.44 · CVSS 6.8 · EPSS 0.00

    Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications…

  • CVE-2026-10168 · Medium · May 31, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads…

  • CVE-2025-1645 · Medium · Feb 25, 2025
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A vulnerability classified as critical was found in Benner Connecta 1.0.5330. Affected by this vulnerability is an unknown functionality of the file /Usuarios/Usuario/EditarLogado/. The manipulation of the argument Handle leads to improper control of resource identifiers. The…

  • CVE-2026-9438 · Medium · May 25, 2026
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be…

  • CVE-2025-9264 · Medium · Aug 21, 2025
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper…

  • CVE-2016-8615 · Medium · Aug 1, 2018
    risk 0.35 · CVSS 5.3 · EPSS 0.04

    A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.

  • CVE-2026-5414 · Medium · Apr 2, 2026
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack…

  • CVE-2025-9619 · Medium · Aug 29, 2025
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    A security flaw has been discovered in E4 Sistemas Mercatus ERP 2.00.019. The affected element is an unknown function of the file /basico/webservice/imprimir-danfe/id/. Performing manipulation results in improper control of resource identifiers. It is possible to initiate the…

  • CVE-2026-12207 · Medium · Jun 15, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file app\modules\medical\port\rest\controllers\PatientController.php of the component HTTP REST API. The manipulation of…

  • CVE-2026-10624 · Medium · Jun 2, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of…

  • CVE-2026-5031 · Medium · Mar 29, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can…

  • CVE-2025-12270 · Medium · Oct 27, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A vulnerability was determined in LearnHouse up to 98dfad76aad70711a8113f6c1fdabfccf10509ca. The impacted element is an unknown function of the file /api/v1/assignments/{assignment_id}/tasks/{task_id}/sub_file of the component Student Assignment Submission Handler. This…

  • CVE-2025-9263 · Medium · Aug 20, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of…