CWE-150—Improper Neutralization of Escape, Meta, or Control Sequences
PUBLISHEDweakness record
released 2006-07-19 · last modified 2026-04-30
Metadata
- CWE ID:
- CWE-150
- 摘要:
- Variant
- 结构:
- Simple
- 状态:
- Incomplete
- 发布日期:
- 2006-07-19
- 更新日期:
- 2026-04-30
名称
Improper Neutralization of Escape, Meta, or Control Sequences
描述
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
常见后果
- 范围:
- Integrity
- 影响:
- Execute Unauthorized Code or Commands, Hide Activities, Unexpected State
- 注释:
- ANSI escape codes can be used for low-severity attacks such as changing the color of console output, but they can also be used to arbitrarily move the cursor, clear the screen, and make fake prompts inside the interactive CLI via malicious user input. In some contexts - depending on the functionality of the terminal in use - ANSI escape codes can be used to execute arbitrary code.