CWE-698

BaseIncomplete

View on MITRE

Execution After Redirect (EAR)

The web application sends a redirect to another location, but instead of exiting, it executes additional code.

10 linked vulnerabilities

2 related weaknesses

OtherConfidentialityIntegrityAvailabilityAlter Execution LogicExecute Unauthorized Code or Commands

This weakness could affect the control flow of the application and allow execution of untrusted code.

Black Box

This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.

Modes of Introduction

Implementation

Related Weaknesses

CWE-705ChildOf CWE-670ChildOf

Example CVEs (7)

CVE-2013-1402

Execution-after-redirect allows access to application configuration details.

CVE-2009-1936

chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.

CVE-2007-2713

Remote attackers can obtain access to administrator functionality through EAR.

CVE-2007-4932

Remote attackers can obtain access to administrator functionality through EAR.

CVE-2007-5578

Bypass of authentication step through EAR.

External Links

MITRE CWE Database