CAPEC-134

Email Injection
Moyen
Draft
2014-06-23
00h00 +00:00
2022-02-22
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Gestion des notifications

Descriptions du CAPEC

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

Informations du CAPEC

Conditions préalables

The target application must allow the user to send email to some recipient, to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators.
The adversary must have the ability to access the target mail application.

Ressources nécessaires

None: No specialized resources are required to execute this type of attack.

Faiblesses connexes

CWE-ID Nom de la faiblesse

CWE-150

 Improper Neutralization of Escape, Meta, or Control Sequences
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Soumission

Nom Organisation Date Date de publication
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Nom Organisation Date Commentaire
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Prerequisites, Related_Attack_Patterns, Resources_Required
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description