CWE-98

Overview
  • CWE ID: 98
  • CWE Name: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
  • CWE Abstraction: Variant
  • CWE Structure: Simple
  • CWE Status: Draft
Description
The PHP application receives input from an upstream component, but it does not restrict, or incorrectly restricts, that input before using it in "require," "include," or similar functions.
Extended Description
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local fi
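The weakness described above, shown as the weak pattern in a comment next to a hardened include. This is an added example, not part of the CWE entry; the `pages` directory, the page names and the `resolve_page` helper are hypothetical.

```php
<?php
declare(strict_types=1);

// Weak pattern (the weakness described above): request input flows straight
// into include, so the caller chooses which file PHP loads and executes.
//   include $_GET['page'] . '.php';
//
// Separately, keep allow_url_include = Off in php.ini (the PHP default) so
// include/require cannot fetch code from a remote URL.

// Hypothetical directory holding the only files this app may include.
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: the request supplies a key, never a path or a URL.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Map an untrusted page key to a file inside PAGE_DIR, or return null.
 */
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null; // unknown key: traversal strings and URLs are rejected here
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false) {
        return null; // directory or file is missing
    }
    // Defence in depth: the resolved file must still sit under PAGE_DIR
    // (catches a symlink or a bad allowlist entry).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$key  = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($key);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
require $file;
```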
Related CWEs
CWE ID | View ID | Nature     | Ordinal
706    | 1000    | ChildOf    |
829    | 1000    | ChildOf    | Primary
94     | 1000    | CanPrecede |
426    | 1000    | CanAlsoBe  |