Modes of Introduction
Implementation: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Common Consequences

| Scope | Impact | Likelihood |
| --- | --- | --- |
| Confidentiality | Read Application Data. Note: An attacker might be able to read sensitive information from the XML database. | |
Potential Mitigations
Phase: Implementation
Use parameterized queries. This will help ensure separation between data plane and control plane.
Phase: Implementation
Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.
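The two mitigations above, side by side, as an added example that is not part of the CWE entry: the document name `users.xml`, the element names, the allow-list pattern and all function names are assumptions made for illustration. The small literal scanner is a simplification used only to show whether user data stays inside one string literal.

```python
import re

# Parameterized form: the query text is a constant and the value travels
# separately, bound to an external variable through the XQuery engine's API.
PARAM_QUERY = ('declare variable $name as xs:string external;\n'
               'doc("users.xml")/users/user[name = $name]/email')
NAME_OK = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # assumed allow-list for names

def build_naive(name):
    """Weak pattern: user data concatenated into the query text."""
    return 'doc("users.xml")/users/user[name = "' + name + '"]/email'

def build_parameterized(name):
    """Return (query, bindings); the query never contains the user's data."""
    return PARAM_QUERY, {"name": name}

def validate_name(name):
    """Reject anything outside the allow-list before it reaches a query."""
    if not NAME_OK.fullmatch(name):
        raise ValueError("name rejected by allow-list")
    return name

def xquery_string_literal(value):
    """Encode value as a double-quoted XQuery string literal: '&' would start
    an entity reference and '"' would end the literal, so escape both."""
    return '"' + value.replace("&", "&amp;").replace('"', '""') + '"'

def build_escaped(name):
    """Fallback for engines without variable binding: escape for the context."""
    return ('doc("users.xml")/users/user[name = '
            + xquery_string_literal(name) + ']/email')

def string_literals(query):
    """Simplified scanner: decoded double-quoted literals in a query."""
    found = re.findall(r'"((?:[^"]|"")*)"', query)
    return [s.replace('""', '"').replace("&amp;", "&") for s in found]

if __name__ == "__main__":
    hostile = 'nobody" or "1"="1'  # constructed test input
    print(string_literals(build_naive(hostile)))    # data split into several literals
    print(string_literals(build_escaped(hostile)))  # data stays one literal
    print(build_parameterized(hostile)[1])          # data carried only as a binding
```

With variable binding the engine never parses the value as query text, which is why it is preferred over escaping; escaping depends on matching the exact quoting context.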
Vulnerability Mapping Notes
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notes
This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.
Submission

| Name | Organization | Date | Release Date | Version |
| --- | --- | --- | --- | --- |
| Evgeny Lebanidze | Cigital | 2008-01-30 +00:00 | 2008-01-30 +00:00 | Draft 8 |
Modifications

| Name | Organization | Date | Comment |
| --- | --- | --- | --- |
| CWE Content Team | MITRE | 2008-09-08 +00:00 | updated Common_Consequences, Relationships |
| CWE Content Team | MITRE | 2008-10-14 +00:00 | updated Description, Name, Relationship_Notes |
| CWE Content Team | MITRE | 2009-05-27 +00:00 | updated Name |
| CWE Content Team | MITRE | 2009-10-29 +00:00 | updated Common_Consequences |
| CWE Content Team | MITRE | 2010-02-16 +00:00 | updated Taxonomy_Mappings |
| CWE Content Team | MITRE | 2010-04-05 +00:00 | updated Description, Name |
| CWE Content Team | MITRE | 2010-12-13 +00:00 | updated Common_Consequences |
| CWE Content Team | MITRE | 2011-06-01 +00:00 | updated Common_Consequences |
| CWE Content Team | MITRE | 2012-05-11 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2012-10-30 +00:00 | updated Potential_Mitigations |
| CWE Content Team | MITRE | 2014-06-23 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2014-07-30 +00:00 | updated Relationships, Taxonomy_Mappings |
| CWE Content Team | MITRE | 2017-11-08 +00:00 | updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships |
| CWE Content Team | MITRE | 2018-03-27 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2020-02-24 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2020-08-20 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2020-12-10 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2021-10-28 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2023-01-31 +00:00 | updated Description |
| CWE Content Team | MITRE | 2023-04-27 +00:00 | updated Relationships |
| CWE Content Team | MITRE | 2023-06-29 +00:00 | updated Mapping_Notes |