CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
Description
View on MITREExtended Description
Extended Description
Technical Details
- Structure
- Simple
- Vulnerability Mapping
- ALLOWED
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Phase
Description
Use the template engine's sandbox or restricted mode, if available.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
No examples or observed CVEs available for this CWE.
Frequently Asked Questions
What is CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine?+
CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description Extended Description
What are the security consequences of CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine?+
If exploited, CWE-1336 (CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine) it can compromise Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Integrity.
How do you prevent or mitigate CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine?+
Recommended mitigations for CWE-1336 include: Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands. Use the template engine's sandbox or restricted mode, if available.
Which programming languages are affected by CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine?+
CWE-1336 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-1336 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.