Detalle CWE-235

CWE-235

Improper Handling of Extra Parameters
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Improper Handling of Extra Parameters

The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

Informaciones generales

Modos de introducción

Implementation : This typically occurs in situations when only one element is expected to be specified.

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
IntegrityUnexpected State

Ejemplos observados

Referencias Descripción

CVE-2003-1014

MIE. multiple gateway/security products allow restriction bypass using multiple MIME fields with the same name, which are interpreted differently by clients.

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-460 HTTP Parameter Pollution (HPP)
An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

Notas

This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificaciones

Nombre Organización Fecha Comentario
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Modes_of_Introduction, Relationships, Relationship_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Description, Name
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2013-07-17 +00:00 updated Description, Type
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Time_of_Introduction
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships, Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.