Base · Draft
CWE-472: External Control of Assumed-Immutable Web Parameter
Category: other
Description
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
Common consequences · 1
- Integrity — Modify Application Data. Without appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Relying on cookie values without thorough validation can lead to problems such as SQL injection. If cookie values are used for security-related decisions on the server side, manipulating them can lead to violations of security policy such as authentication bypass, user impersonation and privilege escalation. In addition, storing sensitive data in a cookie without appropriate protection can disclose sensitive user data, especially data stored in persistent cookies.
Potential mitigations · 2
- [Implementation]
- [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
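The following is an added example (not part of the CWE entry) that ties the description and the mitigation above together: a checkout handler that trusts a hidden `price` field the client can rewrite, beside a hardened version that treats only the server-side catalog as authoritative, HMAC-protects a value that genuinely must round-trip through the client, and decodes each input exactly once before allowlist validation. All names (`CATALOG`, `SERVER_KEY`, `canonical_sku`, `sign_param`, `verify_param`, `rejects`) and the sample data are constructed for illustration.

```python
"""Added example for CWE-472: do not trust 'assumed-immutable' web parameters.

Everything here is hypothetical: CATALOG, SERVER_KEY and the function names
are constructed for the demonstration and are not from the CWE entry.
"""
import hashlib
import hmac
import re
from urllib.parse import unquote

# Constructed server-side source of truth: SKU -> unit price in cents.
CATALOG = {"sku-100": 1999, "sku-200": 4500}

# Constructed secret; a real deployment loads this from a secret store.
SERVER_KEY = b"example-key-do-not-use"

SKU_RE = re.compile(r"sku-\d{3}")


def canonical_sku(raw: str) -> str:
    """Decode ONCE, canonicalize, then allowlist-validate (CWE-180 / CWE-174).

    If a '%' survives the single decode, the value was double-encoded; it is
    rejected rather than decoded again, so nothing can slip past the allowlist
    after the check has run.
    """
    once = unquote(raw)
    if "%" in once:
        raise ValueError("input still contains encoded characters after one decode")
    once = once.strip().lower()          # application's internal representation
    if not SKU_RE.fullmatch(once):
        raise ValueError("sku is not in the allowlisted form")
    return once


def checkout_vulnerable(form: dict) -> int:
    """CWE-472 pattern: the hidden 'price' field is treated as immutable."""
    qty = int(form["qty"])
    return int(form["price"]) * qty      # client controls the price


def checkout_hardened(form: dict) -> int:
    """Any client-supplied price is ignored; the catalog is the only authority."""
    sku = canonical_sku(form["sku"])
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def sign_param(value: str) -> str:
    """For a value that must travel through the client (e.g. a multi-step
    form), bind it to an HMAC so modification is detected on return."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_param(signed: str) -> str:
    """Return the protected value, or raise if the tag does not match."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        raise ValueError("missing signature")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("parameter was modified by the client")
    return value


def rejects(fn, *args) -> bool:
    """Helper so callers can check that a bad input is refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: the hidden price field has been rewritten to 1 cent.
    tampered = {"sku": "sku-100", "qty": "2", "price": "1"}
    print("vulnerable total:", checkout_vulnerable(tampered))   # honours the tampered price
    print("hardened total:  ", checkout_hardened(tampered))     # uses the catalog price
    token = sign_param("sku-200")
    print("round-tripped:", verify_param(token))
```

The design point is that a hidden field is just another request parameter: the hardened handler never reads `price` at all, and where a value really has to be echoed back by the browser it carries an HMAC computed with a server-held key, so the server detects any change instead of assuming none happened.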
Related CAPEC attack patterns · 4
References
Exploits (incoming) · 4
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | Session Credential Falsification through Manipulation (CAPEC-226) | 100% | live |
| AttackPattern | Accessing/Intercepting/Modifying HTTP Cookies (CAPEC-31) | 100% | live |
| AttackPattern | XML Schema Poisoning (CAPEC-146) | 100% | live |
| AttackPattern | Manipulating Opaque Client-based Data Tokens (CAPEC-39) | 100% | live |
(incoming) · 36
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-0436 | 0% | live |
| Vulnerability | CVE-2025-10891 | 0% | live |
| Vulnerability | CVE-2025-10892 | 0% | live |
| Vulnerability | CVE-2025-30236 | 0% | live |
| Vulnerability | Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability (CVE-2025-35939) | 0% | live |
| Vulnerability | CVE-2025-43930 | 0% | live |
| Vulnerability | CVE-2025-43933 | 0% | live |
| Vulnerability | CVE-2025-47245 | 0% | live |
| Vulnerability | CVE-2025-47817 | 0% | live |
| Vulnerability | CVE-2025-6191 | 0% | live |
| Vulnerability | CVE-2025-7656 | 0% | live |
| Vulnerability | CVE-2026-2649 | 0% | live |
| Vulnerability | CVE-2026-34751 | 0% | live |
| Vulnerability | CVE-2026-3536 | 0% | live |
| Vulnerability | CVE-2026-3538 | 0% | live |
| Vulnerability | CVE-2026-3914 | 0% | live |
| Vulnerability | CVE-2026-41353 | 0% | live |
| Vulnerability | CVE-2026-4452 | 0% | live |
| Vulnerability | CVE-2026-4464 | 0% | live |
| Vulnerability | CVE-2026-4679 | 0% | live |
| Vulnerability | CVE-2026-5274 | 0% | live |
| Vulnerability | CVE-2026-5859 | 0% | live |
| Vulnerability | CVE-2026-5870 | 0% | live |
| Vulnerability | CVE-2026-5908 | 0% | live |
| Vulnerability | CVE-2026-5909 | 0% | live |
| Vulnerability | CVE-2026-5910 | 0% | live |
| Vulnerability | CVE-2026-5912 | 0% | live |
| Vulnerability | CVE-2026-7896 | 0% | live |
| Vulnerability | CVE-2026-7903 | 0% | live |
| Vulnerability | CVE-2026-7973 | 0% | live |
Showing top 30 of 36 by confidence.
Related by meaning · 6
Nearest entities by semantic similarity across the cs-graph corpus.