Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
View on MITREDevelopers should anticipate that quotes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
No detection method information available for this CWE.
Database allows remote attackers to cause a denial of service (application crash) via a MATCH AGAINST query with an opening double quote but no closing double quote.
View DetailsMIE. MFV too? bypass AV/security with fields that should not be quoted, duplicate quotes, missing leading/trailing quotes.
View DetailsCWE-149: Improper Neutralization of Quoting Syntax is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
If exploited, CWE-149 (Improper Neutralization of Quoting Syntax) it can compromise Integrity, leading to outcomes such as Unexpected State.
Recommended mitigations for CWE-149 include: Developers should anticipate that quotes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
MITRE documents real CVEs mapped to CWE-149, including CVE-2004-0956 and CVE-2003-1016. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-149 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.