Currently, CWE-1007 is a child of UI misrepresentation. However, source code 
can be maliciously injected using bidi and Unicode homoglyphs as well (see 
https://www.swatips.com/articles/20211129.html and 
https://arxiv.org/abs/2111.00169 and the examples under 
https://github.com/nickboucher/trojan-source/tree/main/C%2B%2B). Would it be 
appropriate to modify CWE-1007 so that it doesn’t just apply to reflected 
Unicode attacks against a user, or would it be more appropriate to create a new 
CWE as a child of CWE-506 to reflect injecting source code using Unicode 
representations?

Thanks!
Jon
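
A defender-side check for the two source-level techniques named in the message above (bidi controls and homoglyph identifiers), added here as an example; it is not part of the original e-mail or of the linked projects. The function names, the mixed-script heuristic (first word of each letter's Unicode name) and the sample input are assumptions constructed for illustration.

```python
import re
import unicodedata

# Bidi embedding, override and isolate controls, plus their terminators
# (LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI).
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
WORD = re.compile(r"\w+")

# Constructed sample input; escapes keep this file itself free of hidden characters.
SAMPLE = (
    "def is_admin(user):\n"
    "    return user == 'root'\n"
    "def is_\u0430dmin(user):  # U+0430 instead of 'a'\n"
    "    return True\n"
    "note = 'abc\u202edef\u202c'\n"
)


def scripts(token):
    """Approximate the scripts in a token: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in token if ch.isalpha()}


def scan(source):
    """Return sorted (line, column, kind, detail) findings for a source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Any bidi control in source text is reported with its position and name.
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi-control", unicodedata.name(ch)))
        # Identifier-like tokens whose letters come from more than one script
        # are reported as possible homoglyph substitutions (heuristic only:
        # a token written entirely in one non-Latin script is not flagged).
        for m in WORD.finditer(line):
            found = scripts(m.group())
            if len(found) > 1:
                detail = "+".join(sorted(found))
                findings.append((lineno, m.start() + 1, "mixed-script", detail))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, col, kind, detail in scan(SAMPLE):
        print(f"line {lineno}, col {col}: {kind} ({detail})")
```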
