CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (3.0)

CWE VIEW: Weaknesses Introduced During Design

View ID: 701
Type: Implicit
Status: Incomplete
Objective
This view (slice) lists weaknesses that can be introduced during design.
Filter
/Weakness_Catalog/Weaknesses/Weakness[./Modes_Of_Introduction/Introduction/Phase='Architecture and Design']
Membership

Nature | Type | ID | Name
HasMember | Variant | 6 | J2EE Misconfiguration: Insufficient Session-ID Length
HasMember | Variant | 7 | J2EE Misconfiguration: Missing Custom Error Page
HasMember | Variant | 8 | J2EE Misconfiguration: Entity Bean Declared Remote
HasMember | Variant | 9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods
HasMember | Variant | 13 | ASP.NET Misconfiguration: Password in Configuration File
HasMember | Class | 20 | Improper Input Validation
HasMember | Class | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
HasMember | Variant | 24 | Path Traversal: '../filedir'
HasMember | Base | 36 | Absolute Path Traversal
HasMember | Base | 66 | Improper Handling of File Names that Identify Virtual Resources
HasMember | Variant | 67 | Improper Handling of Windows Device Names
HasMember | Variant | 69 | Improper Handling of Windows ::DATA Alternate Data Stream
HasMember | Variant | 72 | Improper Handling of Apple HFS+ Alternate Data Stream Path
HasMember | Class | 73 | External Control of File Name or Path
HasMember | Class | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
HasMember | Class | 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
HasMember | Base | 76 | Improper Neutralization of Equivalent Special Elements
HasMember | Class | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection')
HasMember | Base | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
HasMember | Base | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
HasMember | Variant | 84 | Improper Neutralization of Encoded URI Schemes in a Web Page
HasMember | Base | 88 | Argument Injection or Modification
HasMember | Base | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
HasMember | Base | 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
HasMember | Base | 91 | XML Injection (aka Blind XPath Injection)
HasMember | Base | 93 | Improper Neutralization of CRLF Sequences ('CRLF Injection')
HasMember | Class | 94 | Improper Control of Generation of Code ('Code Injection')
HasMember | Base | 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
HasMember | Base | 96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
HasMember | Variant | 97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
HasMember | Base | 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
HasMember | Base | 99 | Improper Control of Resource Identifiers ('Resource Injection')
HasMember | Base | 115 | Misinterpretation of Input
HasMember | Class | 116 | Improper Encoding or Escaping of Output
HasMember | Class | 118 | Incorrect Access of Indexable Resource ('Range Error')
HasMember | Class | 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer
HasMember | Variant | 121 | Stack-based Buffer Overflow
HasMember | Variant | 122 | Heap-based Buffer Overflow
HasMember | Base | 124 | Buffer Underwrite ('Buffer Underflow')
HasMember | Base | 130 | Improper Handling of Length Parameter Inconsistency
HasMember | Base | 184 | Incomplete Blacklist
HasMember | Base | 188 | Reliance on Data/Memory Layout
HasMember | Base | 198 | Use of Incorrect Byte Ordering
HasMember | Class | 200 | Information Exposure
HasMember | Variant | 202 | Exposure of Sensitive Data Through Data Queries
HasMember | Class | 203 | Information Exposure Through Discrepancy
HasMember | Base | 204 | Response Discrepancy Information Exposure
HasMember | Base | 205 | Information Exposure Through Behavioral Discrepancy
HasMember | Variant | 206 | Information Exposure of Internal State Through Behavioral Inconsistency
HasMember | Variant | 207 | Information Exposure Through an External Behavioral Inconsistency
HasMember | Base | 208 | Information Exposure Through Timing Discrepancy
HasMember | Base | 209 | Information Exposure Through an Error Message
HasMember | Base | 210 | Information Exposure Through Self-generated Error Message
HasMember | Base | 211 | Information Exposure Through Externally-Generated Error Message
HasMember | Base | 212 | Improper Cross-boundary Removal of Sensitive Data
HasMember | Base | 213 | Intentional Information Exposure
HasMember | Variant | 214 | Information Exposure Through Process Environment
HasMember | Variant | 215 | Information Exposure Through Debug Information
HasMember | Class | 216 | Containment Errors (Container Errors)
HasMember | Variant | 220 | Sensitive Data Under FTP Root
HasMember | Class | 221 | Information Loss or Omission
HasMember | Base | 222 | Truncation of Security-relevant Information
HasMember | Base | 223 | Omission of Security-relevant Information
HasMember | Base | 224 | Obscured Security-relevant Information by Alternate Name
HasMember | Base | 226 | Sensitive Information Uncleared Before Release
HasMember | Class | 228 | Improper Handling of Syntactically Invalid Structure
HasMember | Base | 229 | Improper Handling of Values
HasMember | Variant | 232 | Improper Handling of Undefined Values
HasMember | Base | 233 | Improper Handling of Parameters
HasMember | Variant | 234 | Failure to Handle Missing Parameter
HasMember | Variant | 236 | Improper Handling of Undefined Parameters
HasMember | Variant | 238 | Improper Handling of Incomplete Structural Elements
HasMember | Variant | 239 | Failure to Handle Incomplete Element
HasMember | Base | 240 | Improper Handling of Inconsistent Structural Elements
HasMember | Base | 241 | Improper Handling of Unexpected Data Type
HasMember | Variant | 245 | J2EE Bad Practices: Direct Management of Connections
HasMember | Variant | 246 | J2EE Bad Practices: Direct Use of Sockets
HasMember | Class | 250 | Execution with Unnecessary Privileges
HasMember | Variant | 256 | Plaintext Storage of a Password
HasMember | Base | 257 | Storing Passwords in a Recoverable Format
HasMember | Variant | 258 | Empty Password in Configuration File
HasMember | Base | 259 | Use of Hard-coded Password
HasMember | Variant | 260 | Password in Configuration File
HasMember | Variant | 261 | Weak Cryptography for Passwords
HasMember | Variant | 262 | Not Using Password Aging
HasMember | Base | 263 | Password Aging with Long Expiration
HasMember | Base | 266 | Incorrect Privilege Assignment
HasMember | Base | 267 | Privilege Defined With Unsafe Actions
HasMember | Base | 268 | Privilege Chaining
HasMember | Class | 269 | Improper Privilege Management
HasMember | Base | 270 | Privilege Context Switching Error
HasMember | Class | 271 | Privilege Dropping / Lowering Errors
HasMember | Base | 272 | Least Privilege Violation
HasMember | Base | 273 | Improper Check for Dropped Privileges
HasMember | Base | 274 | Improper Handling of Insufficient Privileges
HasMember | Variant | 276 | Incorrect Default Permissions
HasMember | Variant | 277 | Insecure Inherited Permissions
HasMember | Variant | 278 | Insecure Preserved Inherited Permissions
HasMember | Variant | 279 | Incorrect Execution-Assigned Permissions
HasMember | Base | 280 | Improper Handling of Insufficient Permissions or Privileges
HasMember | Base | 281 | Improper Preservation of Permissions
HasMember | Class | 282 | Improper Ownership Management
HasMember | Base | 283 | Unverified Ownership
HasMember | Class | 284 | Improper Access Control
HasMember | Class | 285 | Improper Authorization
HasMember | Class | 286 | Incorrect User Management
HasMember | Class | 287 | Improper Authentication
HasMember | Base | 288 | Authentication Bypass Using an Alternate Path or Channel
HasMember | Variant | 289 | Authentication Bypass by Alternate Name
HasMember | Base | 290 | Authentication Bypass by Spoofing
HasMember | Variant | 291 | Reliance on IP Address for Authentication
HasMember | Variant | 293 | Using Referer Field for Authentication
HasMember | Base | 294 | Authentication Bypass by Capture-replay
HasMember | Base | 295 | Improper Certificate Validation
HasMember | Base | 296 | Improper Following of a Certificate's Chain of Trust
HasMember | Variant | 297 | Improper Validation of Certificate with Host Mismatch
HasMember | Variant | 298 | Improper Validation of Certificate Expiration
HasMember | Base | 299 | Improper Check for Certificate Revocation
HasMember | Class | 300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
HasMember | Variant | 301 | Reflection Attack in an Authentication Protocol
HasMember | Variant | 302 | Authentication Bypass by Assumed-Immutable Data
HasMember | Base | 304 | Missing Critical Step in Authentication
HasMember | Base | 305 | Authentication Bypass by Primary Weakness
HasMember | Variant | 306 | Missing Authentication for Critical Function
HasMember | Base | 307 | Improper Restriction of Excessive Authentication Attempts
HasMember | Base | 308 | Use of Single-factor Authentication
HasMember | Base | 309 | Use of Password System for Primary Authentication
HasMember | Base | 311 | Missing Encryption of Sensitive Data
HasMember | Base | 312 | Cleartext Storage of Sensitive Information
HasMember | Variant | 313 | Cleartext Storage in a File or on Disk
HasMember | Variant | 314 | Cleartext Storage in the Registry
HasMember | Variant | 315 | Cleartext Storage of Sensitive Information in a Cookie
HasMember | Variant | 316 | Cleartext Storage of Sensitive Information in Memory
HasMember | Variant | 317 | Cleartext Storage of Sensitive Information in GUI
HasMember | Variant | 318 | Cleartext Storage of Sensitive Information in Executable
HasMember | Base | 319 | Cleartext Transmission of Sensitive Information
HasMember | Base | 321 | Use of Hard-coded Cryptographic Key
HasMember | Base | 322 | Key Exchange without Entity Authentication
HasMember | Base | 323 | Reusing a Nonce, Key Pair in Encryption
HasMember | Base | 324 | Use of a Key Past its Expiration Date
HasMember | Base | 325 | Missing Required Cryptographic Step
HasMember | Class | 326 | Inadequate Encryption Strength
HasMember | Base | 327 | Use of a Broken or Risky Cryptographic Algorithm
HasMember | Base | 328 | Reversible One-Way Hash
HasMember | Variant | 329 | Not Using a Random IV with CBC Mode
HasMember | Class | 330 | Use of Insufficiently Random Values
HasMember | Base | 331 | Insufficient Entropy
HasMember | Variant | 332 | Insufficient Entropy in PRNG
HasMember | Variant | 333 | Improper Handling of Insufficient Entropy in TRNG
HasMember | Base | 334 | Small Space of Random Values
HasMember | Base | 335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
HasMember | Base | 336 | Same Seed in Pseudo-Random Number Generator (PRNG)
HasMember | Base | 337 | Predictable Seed in Pseudo-Random Number Generator (PRNG)
HasMember | Base | 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
HasMember | Base | 339 | Small Seed Space in PRNG
HasMember | Class | 340 | Predictability Problems
HasMember | Base | 341 | Predictable from Observable State
HasMember | Base | 342 | Predictable Exact Value from Previous Values
HasMember | Base | 343 | Predictable Value Range from Previous Values
HasMember | Base | 344 | Use of Invariant Value in Dynamically Changing Context
HasMember | Class | 345 | Insufficient Verification of Data Authenticity
HasMember | Base | 346 | Origin Validation Error
HasMember | Base | 347 | Improper Verification of Cryptographic Signature
HasMember | Base | 348 | Use of Less Trusted Source
HasMember | Base | 349 | Acceptance of Extraneous Untrusted Data With Trusted Data
HasMember | Variant | 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action
HasMember | Composite | 352 | Cross-Site Request Forgery (CSRF)
HasMember | Base | 353 | Missing Support for Integrity Check
HasMember | Base | 354 | Improper Validation of Integrity Check Value
HasMember | Base | 356 | Product UI does not Warn User of Unsafe Actions
HasMember | Base | 357 | Insufficient UI Warning of Dangerous Operations
HasMember | Base | 358 | Improperly Implemented Security Check for Standard
HasMember | Class | 359 | Exposure of Private Information ('Privacy Violation')
HasMember | Base | 360 | Trust of System Event Data
HasMember | Class | 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
HasMember | Base | 363 | Race Condition Enabling Link Following
HasMember | Base | 364 | Signal Handler Race Condition
HasMember | Base | 366 | Race Condition within a Thread
HasMember | Base | 368 | Context Switching Race Condition
HasMember | Variant | 370 | Missing Check for Certificate Revocation after Initial Check
HasMember | Base | 372 | Incomplete Internal State Distinction
HasMember | Base | 377 | Insecure Temporary File
HasMember | Base | 378 | Creation of Temporary File With Insecure Permissions
HasMember | Base | 379 | Creation of Temporary File in Directory with Incorrect Permissions
HasMember | Variant | 383 | J2EE Bad Practices: Direct Use of Threads
HasMember | Composite | 384 | Session Fixation
HasMember | Base | 385 | Covert Timing Channel
HasMember | Base | 386 | Symbolic Name not Mapping to Correct Object
HasMember | Class | 390 | Detection of Error Condition Without Action
HasMember | Base | 391 | Unchecked Error Condition
HasMember | Base | 392 | Missing Report of Error Condition
HasMember | Base | 393 | Return of Wrong Status Code
HasMember | Base | 394 | Unexpected Status Code or Return Value
HasMember | Base | 396 | Declaration of Catch for Generic Exception
HasMember | Base | 397 | Declaration of Throws for Generic Exception
HasMember | Base | 400 | Uncontrolled Resource Consumption ('Resource Exhaustion')
HasMember | Base | 401 | Improper Release of Memory Before Removing Last Reference ('Memory Leak')
HasMember | Class | 402 | Transmission of Private Resources into a New Sphere ('Resource Leak')
HasMember | Base | 403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
HasMember | Base | 404 | Improper Resource Shutdown or Release
HasMember | Class | 405 | Asymmetric Resource Consumption (Amplification)
HasMember | Base | 406 | Insufficient Control of Network Message Volume (Network Amplification)
HasMember | Base | 407 | Algorithmic Complexity
HasMember | Base | 408 | Incorrect Behavior Order: Early Amplification
HasMember | Base | 409 | Improper Handling of Highly Compressed Data (Data Amplification)
HasMember | Base | 410 | Insufficient Resource Pool
HasMember | Base | 412 | Unrestricted Externally Accessible Lock
HasMember | Base | 413 | Improper Resource Locking
HasMember | Base | 414 | Missing Lock Check
HasMember | Variant | 415 | Double Free
HasMember | Base | 416 | Use After Free
HasMember | Base | 419 | Unprotected Primary Channel
HasMember | Base | 420 | Unprotected Alternate Channel
HasMember | Base | 421 | Race Condition During Access to Alternate Channel
HasMember | Variant | 422 | Unprotected Windows Messaging Channel ('Shatter')
HasMember | Class | 424 | Improper Protection of Alternate Path
HasMember | Base | 425 | Direct Request ('Forced Browsing')
HasMember | Composite | 426 | Untrusted Search Path
HasMember | Base | 432 | Dangerous Signal Handler not Disabled During Sensitive Operations
HasMember | Base | 434 | Unrestricted Upload of File with Dangerous Type
HasMember | Class | 435 | Improper Interaction Between Multiple Entities
HasMember | Base | 436 | Interpretation Conflict
HasMember | Base | 437 | Incomplete Model of Endpoint Features
HasMember | Base | 439 | Behavioral Change in New Version or Environment
HasMember | Base | 440 | Expected Behavior Violation
HasMember | Class | 441 | Unintended Proxy or Intermediary ('Confused Deputy')
HasMember | Base | 444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
HasMember | Base | 446 | UI Discrepancy for Security Feature
HasMember | Base | 447 | Unimplemented or Unsupported Feature in UI
HasMember | Base | 450 | Multiple Interpretations of UI Input
HasMember | Class | 451 | User Interface (UI) Misrepresentation of Critical Information
HasMember | Base | 453 | Insecure Default Variable Initialization
HasMember | Base | 454 | External Initialization of Trusted Variables or Data Stores
HasMember | Base | 455 | Non-exit on Failed Initialization
HasMember | Base | 459 | Incomplete Cleanup
HasMember | Base | 462 | Duplicate Key in Associative List (Alist)
HasMember | Base | 463 | Deletion of Data Structure Sentinel
HasMember | Base | 464 | Addition of Data Structure Sentinel
HasMember | Base | 466 | Return of Pointer Value Outside of Expected Range
HasMember | Base | 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
HasMember | Base | 471 | Modification of Assumed-Immutable Data (MAID)
HasMember | Base | 474 | Use of Function with Inconsistent Implementations
HasMember | Base | 475 | Undefined Behavior for Input to API
HasMember | Variant | 479 | Signal Handler Use of a Non-reentrant Function
HasMember | Base | 494 | Download of Code Without Integrity Check
HasMember | Base | 501 | Trust Boundary Violation
HasMember | Variant | 502 | Deserialization of Untrusted Data
HasMember | Base | 510 | Trapdoor
HasMember | Base | 511 | Logic/Time Bomb
HasMember | Base | 512 | Spyware
HasMember | Variant | 520 | .NET Misconfiguration: Use of Impersonation
HasMember | Base | 521 | Weak Password Requirements
HasMember | Base | 522 | Insufficiently Protected Credentials
HasMember | Variant | 523 | Unprotected Transport of Credentials
HasMember | Variant | 526 | Information Exposure Through Environmental Variables
HasMember | Variant | 532 | Information Exposure Through Log Files
HasMember | Variant | 535 | Information Exposure Through Shell Error Message
HasMember | Variant | 539 | Information Exposure Through Persistent Cookies
HasMember | Variant | 542 | Information Exposure Through Cleanup Log Files
HasMember | Base | 544 | Missing Standardized Error Handling Mechanism
HasMember | Variant | 554 | ASP.NET Misconfiguration: Not Using Input Validation Framework
HasMember | Variant | 555 | J2EE Misconfiguration: Plaintext Password in Configuration File
HasMember | Variant | 564 | SQL Injection: Hibernate
HasMember | Base | 565 | Reliance on Cookies without Validation and Integrity Checking
HasMember | Variant | 566 | Authorization Bypass Through User-Controlled SQL Primary Key
HasMember | Base | 567 | Unsynchronized Access to Shared Data in a Multithreaded Context
HasMember | Variant | 574 | EJB Bad Practices: Use of Synchronization Primitives
HasMember | Variant | 575 | EJB Bad Practices: Use of AWT Swing
HasMember | Variant | 576 | EJB Bad Practices: Use of Java I/O
HasMember | Variant | 577 | EJB Bad Practices: Use of Sockets
HasMember | Variant | 578 | EJB Bad Practices: Use of Class Loader
HasMember | Variant | 579 | J2EE Bad Practices: Non-serializable Object Stored in Session
HasMember | Base | 587 | Assignment of a Fixed Address to a Pointer
HasMember | Variant | 588 | Attempt to Access Child of a Non-structure Pointer
HasMember | Variant | 589 | Call to Non-ubiquitous API
HasMember | Variant | 593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
HasMember | Variant | 594 | J2EE Framework: Saving Unserializable Objects to Disk
HasMember | Variant | 598 | Information Exposure Through Query Strings in GET Request
HasMember | Variant | 599 | Missing Validation of OpenSSL Certificate
HasMember | Variant | 601 | URL Redirection to Untrusted Site ('Open Redirect')
HasMember | Base | 602 | Client-Side Enforcement of Server-Side Security
HasMember | Base | 603 | Use of Client-Side Authentication
HasMember | Base | 605 | Multiple Binds to the Same Port
HasMember | Class | 610 | Externally Controlled Reference to a Resource in Another Sphere
HasMember | Variant | 612 | Information Exposure Through Indexing of Private Data
HasMember | Base | 613 | Insufficient Session Expiration
HasMember | Base | 618 | Exposed Unsafe ActiveX Method
HasMember | Variant | 620 | Unverified Password Change
HasMember | Variant | 623 | Unsafe ActiveX Control Marked Safe For Scripting
HasMember | Class | 636 | Not Failing Securely ('Failing Open')
HasMember | Class | 637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
HasMember | Class | 638 | Not Using Complete Mediation
HasMember | Base | 639 | Authorization Bypass Through User-Controlled Key
HasMember | Base | 640 | Weak Password Recovery Mechanism for Forgotten Password
HasMember | Base | 641 | Improper Restriction of Names for Files and Other Resources
HasMember | Class | 642 | External Control of Critical State Data
HasMember | Variant | 644 | Improper Neutralization of HTTP Headers for Scripting Syntax
HasMember | Base | 645 | Overly Restrictive Account Lockout Mechanism
HasMember | Variant | 646 | Reliance on File Name or Extension of Externally-Supplied File
HasMember | Variant | 647 | Use of Non-Canonical URL Paths for Authorization Decisions
HasMember | Base | 648 | Incorrect Use of Privileged APIs
HasMember | Base | 649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
HasMember | Variant | 650 | Trusting HTTP Permission Methods on the Server Side
HasMember | Variant | 651 | Information Exposure Through WSDL File
HasMember | Base | 653 | Insufficient Compartmentalization
HasMember | Base | 654 | Reliance on a Single Factor in a Security Decision
HasMember | Base | 655 | Insufficient Psychological Acceptability
HasMember | Base | 656 | Reliance on Security Through Obscurity
HasMember | Class | 657 | Violation of Secure Design Principles
HasMember | Base | 662 | Improper Synchronization
HasMember | Base | 663 | Use of a Non-reentrant Function in a Concurrent Context
HasMember | Base | 667 | Improper Locking
HasMember | Class | 668 | Exposure of Resource to Wrong Sphere
HasMember | Class | 669 | Incorrect Resource Transfer Between Spheres
HasMember | Class | 670 | Always-Incorrect Control Flow Implementation
HasMember | Class | 671 | Lack of Administrator Control over Security
HasMember | Base | 672 | Operation on a Resource after Expiration or Release
HasMember | Class | 673 | External Influence of Sphere Definition
HasMember | Base | 674 | Uncontrolled Recursion
HasMember | Base | 676 | Use of Potentially Dangerous Function
HasMember | Class | 682 | Incorrect Calculation
HasMember | Class | 691 | Insufficient Control Flow Management
HasMember | Class | 693 | Protection Mechanism Failure
HasMember | Base | 694 | Use of Multiple Resources with Duplicate Identifier
HasMember | Base | 695 | Use of Low-Level Functionality
HasMember | Class | 696 | Incorrect Behavior Order
HasMember | Class | 703 | Improper Check or Handling of Exceptional Conditions
HasMember | Class | 704 | Incorrect Type Conversion or Cast
HasMember | Class | 705 | Incorrect Control Flow Scoping
HasMember | Class | 706 | Use of Incorrectly-Resolved Name or Reference
HasMember | Class | 707 | Improper Enforcement of Message or Data Structure
HasMember | Base | 708 | Incorrect Ownership Assignment
HasMember | Class | 710 | Improper Adherence to Coding Standards
HasMember | Class | 732 | Incorrect Permission Assignment for Critical Resource
HasMember | Base | 749 | Exposed Dangerous Method or Function
HasMember | Class | 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
HasMember | Variant | 764 | Multiple Locks of a Critical Resource
HasMember | Variant | 766 | Critical Variable Declared Public
HasMember | Variant | 767 | Access to Critical Private Variable via Public Method
HasMember | Base | 769 | Uncontrolled File Descriptor Consumption
HasMember | Base | 770 | Allocation of Resources Without Limits or Throttling
HasMember | Base | 771 | Missing Reference to Active Allocated Resource
HasMember | Base | 772 | Missing Release of Resource after Effective Lifetime
HasMember | Variant | 773 | Missing Reference to Active File Descriptor or Handle
HasMember | Variant | 774 | Allocation of File Descriptors or Handles Without Limits or Throttling
HasMember | Variant | 780 | Use of RSA Algorithm without OAEP
HasMember | Variant | 781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
HasMember | Variant | 782 | Exposed IOCTL with Insufficient Access Control
HasMember | Variant | 784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision
HasMember | Variant | 789 | Uncontrolled Memory Allocation
HasMember | Base | 798 | Use of Hard-coded Credentials
HasMember | Class | 799 | Improper Control of Interaction Frequency
HasMember | Base | 804 | Guessable CAPTCHA
HasMember | Base | 807 | Reliance on Untrusted Inputs in a Security Decision
HasMember | Class | 862 | Missing Authorization
HasMember | Class | 863 | Incorrect Authorization
HasMember | Class | 912 | Hidden Functionality
HasMember | Class | 913 | Improper Control of Dynamically-Managed Code Resources
HasMember | Base | 914 | Improper Control of Dynamically-Identified Variables
HasMember | Base | 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes
HasMember | Base | 916 | Use of Password Hash With Insufficient Computational Effort
HasMember | Base | 917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
HasMember | Base | 918 | Server-Side Request Forgery (SSRF)
HasMember | Base | 920 | Improper Restriction of Power Consumption
HasMember | Base | 921 | Storage of Sensitive Data in a Mechanism without Access Control
HasMember | Class | 922 | Insecure Storage of Sensitive Information
HasMember | Class | 923 | Improper Restriction of Communication Channel to Intended Endpoints
HasMember | Class | 924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel
HasMember | Variant | 925 | Improper Verification of Intent by Broadcast Receiver
HasMember | Variant | 926 | Improper Export of Android Application Components
HasMember | Variant | 927 | Use of Implicit Intent for Sensitive Communication
HasMember | Base | 940 | Improper Verification of Source of a Communication Channel
HasMember | Base | 941 | Incorrectly Specified Destination in a Communication Channel
HasMember | Variant | 942 | Overly Permissive Cross-domain Whitelist
HasMember | Variant | 1004 | Sensitive Cookie Without 'HttpOnly' Flag
HasMember | Base | 1007 | Insufficient Visual Distinction of Homoglyphs Presented to User
HasMember | Variant | 1022 | Improper Restriction of Cross-Origin Permission to window.opener.location
View Metrics

Entry kind | CWEs in this view | Total CWEs
Weaknesses | 377 | out of 714
Categories | 0 | out of 237
Views | 0 | out of 31
Total | 377 | out of 982
Content History

Submissions
Submission Date | Submitter | Organization
2008-09-09 | CWE Content Team | MITRE

Modifications
Modification Date | Modifier | Organization
2009-02-10 | CWE Content Team | MITRE
Updated the View_Filter to reflect new structure in CWE Schema v4.2
2009-03-10 | CWE Content Team | MITRE
updated View_Filter
2017-01-19 | CWE Content Team | MITRE
updated Relationships

Page Last Updated: January 18, 2018