CWE-829—Inclusion of Functionality from Untrusted Control Sphere
PUBLISHEDweakness record
released 2010-12-13 · last modified 2026-01-21
Metadata
- CWE ID:
- CWE-829
- 摘要:
- Base
- 结构:
- Simple
- 状态:
- Incomplete
- 发布日期:
- 2010-12-13
- 更新日期:
- 2026-01-21
名称
Inclusion of Functionality from Untrusted Control Sphere
描述
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
常见后果
- 范围:
- Confidentiality, Integrity, Availability
- 影响:
- Execute Unauthorized Code or Commands
- 注释:
- An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site. This could enable the injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, open redirect to malware (CWE-601), etc.