CVEbaza.plSłownik CWECWE-149
Common Weakness Enumeration

CWE-149

Improper Neutralization of Quoting Syntax

Kategoria: VariantCVE: 5
Opis

Wstawione cudzysłowy mogą być wykorzystane do zagrożenia bezpieczeństwa systemu. Podczas parsowania danych wstrzyknięte, brakujące, zduplikowane lub zniekształcone użycie cudzysłowów może spowodować, że proces podejmie nieoczekiwane działania.

Description (EN)

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Podatności CVE z CWE-149 (5)
9.3
CVSS
CRITICAL
CVE-2018-25135

Anviz AIM CrossChex Standard w wersji 4.3.6.0 zawiera podatność typu CSV injection, pozwalającą atakującemu na umieszczenie złośliwych formuł w polach importu użytkowników. Gdy plik z danymi zostanie otwarty w programie Excel, formuły mogą uruchomić makra i spowodować wykonanie dowolnych poleceń na stacji roboczej ofiary.

pub. 2025-12-24
8.3
CVSS
HIGH
CVE-2025-43878

When running in Appliance mode, an authenticated attacker assigned the Administrator or Resource Administrator role may be able to bypass Appliance mode restrictions utilizing system diagnostics tcpdump command utility on a F5OS-C/A system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

pub. 2025-05-07
8.1
CVSS
HIGH
CVE-2026-42511

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.

pub. 2026-04-30
8.1
CVSS
HIGH
CVE-2025-1094

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

pub. 2025-02-13
3.5
CVSS
LOW
CVE-2023-36479

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

pub. 2023-09-15
Informacje
ID: CWE-149
Typ: Variant
Podatności: 5
MITRE CWE ↗
← Słownik CWE