CWE-428: Unquoted Search Path or Element

BaseDraft

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

View on MITRE

Back to CWE Lookup

Extended Description

If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.

Technical Details

Structure: Simple

Applicable To

Languages

Not Language-Specific

Platforms

Windows NTmacOS

Learn More

Find Related CVEs

Search for vulnerabilities that exploit CWE-428

CVE vs CWE: What's the Difference?

Understanding vulnerabilities vs weaknesses

Understanding CVSS Scoring

How vulnerability severity is measured

View Full MITRE Entry

Complete technical details and references