A LIBRARY FOR SECURITY RESEARCHERS

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

Class

What it is

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Impact

Confidentiality, Integrity: Read Application Data, Modify Application Data
Access Control: Gain Privileges or Assume Identity

Real-world CVE examples

  • CVE-2022-3032 — An email client does not block loading of remote objects in a nested document.
  • CVE-2022-45918 — Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20),
  • CVE-2018-1000613 — Cryptography API uses unsafe reflection when deserializing a private key
  • CVE-2020-11053 — Chain: Go-based OAuth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whi
  • CVE-2022-42745 — Recruiter software allows reading arbitrary files using XXE
  • CVE-2004-2331 — Database system allows attackers to bypass sandbox restrictions by using the Reflection API.

Source: MITRE CWE.