CWE-150Improper Neutralization of Escape, Meta, or Control Sequences

PUBLISHEDweakness record
released 2006-07-19 · last modified 2026-04-30

Metadata

CWE ID:
CWE-150
摘要:
Variant
结构:
Simple
状态:
Incomplete
发布日期:
2006-07-19
更新日期:
2026-04-30

名称

Improper Neutralization of Escape, Meta, or Control Sequences

描述

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

常见后果

范围:
Integrity
影响:
Execute Unauthorized Code or Commands, Hide Activities, Unexpected State
注释:
ANSI escape codes can be used for low-severity attacks such as changing the color of console output, but they can also be used to arbitrarily move the cursor, clear the screen, and make fake prompts inside the interactive CLI via malicious user input. In some contexts - depending on the functionality of the terminal in use - ANSI escape codes can be used to execute arbitrary code.

相关 CWE