CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

Description

The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

Attack TTPs

T1027.009 — Embedded Payloads (defense-evasion)
T1564.009 — Resource Forking (defense-evasion)
T1027.006 — HTML Smuggling (defense-evasion)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Common Consequences

Impact: Execute Unauthorized Code or Commands — Notes:

Potential Mitigations

None listed.

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

N/A

Notes

Relationship: This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.

← Back to CWE list