CWE-200 refers to a software flaw where sensitive information—such as personal data, proprietary business details, or system configurations—is unintentionally exposed to individuals or entities without proper authorisation. This weakness typically results from poor implementation of access controls, inadequate data masking, or flawed logic in data-handling processes.
Deserialisation refers to the process of converting serialised data (a compact format of an object or data structure) back into its original form. While this operation is indispensable in modern software, it becomes a vulnerability when the deserialised data originates from an untrusted source.
When untrusted data is deserialised without validation, attackers can exploit the process to execute arbitrary code, manipulate application logic, or inject malicious payloads. CWE-502 encapsulates this weakness, highlighting its potential to compromise data integrity, confidentiality, and availability.
CWE-77 refers to the improper neutralisation of special elements used in a command. These special elements, when inadequately sanitised, allow attackers to inject malicious commands that the system interprets and executes. This vulnerability commonly appears in applications that dynamically construct system commands based on user inputs.
At its core, CWE-434 occurs when an application fails to restrict file uploads to safe and intended file types. This weakness allows attackers to upload malicious files, potentially executing arbitrary code, accessing sensitive data, or gaining unauthorised access to the system.
OS Command Injection occurs when an application dynamically constructs operating system (OS) commands using untrusted inputs, enabling an attacker to execute arbitrary commands on the host system. These commands often run with the same privileges as the application, amplifying the potential impact.