Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-104:Cross Zone Scripting
Attack Pattern ID:104
Version:v3.9
Attack Pattern Name:Cross Zone Scripting
Abstraction:Standard
Status:Draft
Likelihood of Attack:Medium
Typical Severity:High
DetailsContent HistoryRelated WeaknessesReports
5Weaknesses found
CWE-116
Improper Encoding or Escaping of Output
ShareView Details
Improper Encoding or Escaping of Output
Likelihood of Exploit-High
Mapping-Allowed-with-Review
Abstraction-Class
Found in316CVEs

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Impacts-
Bypass Protection MechanismExecute Unauthorized Code or CommandsModify Application Data
Tags-
AI/MLWeb ServerDatabase ServerHigh exploitLibraries or FrameworksParameterizationExecute Unauthorized Code or Commands (impact)Bypass Protection Mechanism (impact)Modify Application Data (impact)
As Seen In-
Simplified Mapping of Published Vulnerabilities
CWE-20
Improper Input Validation
ShareView Details
Improper Input Validation
Likelihood of Exploit-High
Mapping-Discouraged
Abstraction-Class
Found in11448CVEs

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Impacts-
DoS: Crash, Exit, or RestartDoS: Resource Consumption (Memory)Execute Unauthorized Code or CommandsModify MemoryDoS: Resource Consumption (CPU)Read MemoryRead Files or Directories
Tags-
High exploitLibraries or FrameworksInput ValidationAttack Surface ReductionExecute Unauthorized Code or Commands (impact)DoS: Resource Consumption (CPU) (impact)Read Files or Directories (impact)Read Memory (impact)DoS: Crash, Exit, or Restart (impact)DoS: Resource Consumption (Memory) (impact)Modify Memory (impact)
As Seen In-
2019 CWE Top 25 Most Dangerous Software Errors2021 CWE Top 25 Most Dangerous Software2020 CWE Top 25 Most Dangerous Software2022 CWE Top 25 Most Dangerous Software2023 CWE Top 25 Most Dangerous Software2024 CWE Top 25 Most Dangerous SoftwareOriginally Used by NVD from 2008 to 2016Simplified Mapping of Published Vulnerabilities
CWE-250
Execution with Unnecessary Privileges
ShareView Details
Execution with Unnecessary Privileges
Likelihood of Exploit-Medium
Mapping-Allowed
Abstraction-Base
Found in219CVEs

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Impacts-
Read Application DataDoS: Crash, Exit, or RestartExecute Unauthorized Code or CommandsGain Privileges or Assume Identity
Tags-
Medium exploitEnvironment HardeningSeparation of PrivilegeAttack Surface ReductionMobile (technology class)Execute Unauthorized Code or Commands (impact)DoS: Crash, Exit, or Restart (impact)Read Application Data (impact)Gain Privileges or Assume Identity (impact)
As Seen In-
CWE Cross-section
CWE-285
Improper Authorization
ShareView Details
Improper Authorization
Likelihood of Exploit-High
Mapping-Discouraged
Abstraction-Class
Found in836CVEs

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Impacts-
Read Application DataGain Privileges or Assume IdentityRead Files or DirectoriesModify Files or DirectoriesModify Application Data
Tags-
Web ServerDatabase ServerHigh exploitLibraries or FrameworksModify Application Data (impact)Read Files or Directories (impact)Modify Files or Directories (impact)Read Application Data (impact)Gain Privileges or Assume Identity (impact)
As Seen In-
Not Available
CWE-638
Not Using Complete Mediation
ShareView Details
Not Using Complete Mediation
Likelihood of Exploit-Not Available
Mapping-Allowed-with-Review
Abstraction-Class
Found in1CVEs

The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.

Impacts-
Read Application DataOtherExecute Unauthorized Code or CommandsGain Privileges or Assume IdentityBypass Protection Mechanism
Tags-
Execute Unauthorized Code or Commands (impact)Other (impact)Bypass Protection Mechanism (impact)Read Application Data (impact)Gain Privileges or Assume Identity (impact)
As Seen In-
Not Available