logo

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CWE-829

  • Abstraction:
  • Base
  • Structure:
  • Simple
  • Status:
  • Incomplete
Weakness Name

Inclusion of Functionality from Untrusted Control Sphere

Description

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

When including third-party functionality, such as a web widget, library, or other source of functionality, the product must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious in nature (either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source). The functionality might also contain its own weaknesses, or grant access to additional functionality and state information that should be kept private to the base system, such as system state information, sensitive application data, or the DOM of a web application. This might lead to many different consequences depending on the included functionality, but some examples include injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, or open redirect to malware (CWE-601).

Common Consequences

Scope: Confidentiality, Integrity, Availability

Impact: Execute Unauthorized Code or Commands

Notes: An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site.

Related Weaknesses
Related Alerts
  • Release Date:
  • 2010-12-13
  • Latest Modification Date:
  • 2023-06-29

Free security scan for your website