 Weakness Base Absolute Path Traversal - (36) |
| Weakness Base Acceptance of Extraneous Untrusted Data With Trusted Data - (349) |
| Weakness Base Access of Memory Location After End of Buffer - (788) |
| Weakness Base Access of Memory Location Before Start of Buffer - (786) |
| Weakness Base Access of Resource Using Incompatible Type ('Type Confusion') - (843) |
| Weakness Base Access of Uninitialized Pointer - (824) |
 Weakness Variant Access to Critical Private Variable via Public Method - (767) |
| Weakness Base Addition of Data Structure Sentinel - (464) |
| Weakness Base Algorithmic Complexity - (407) |
| Weakness Variant Allocation of File Descriptors or Handles Without Limits or Throttling - (774) |
| Weakness Base Allocation of Resources Without Limits or Throttling - (770) |
| Weakness Variant Apple '.DS_Store' - (71) |
| Weakness Base Argument Injection or Modification - (88) |
| Weakness Variant Array Declared Public, Final, and Static - (582) |
 Category ASP.NET Environment Issues - (10) |
| Weakness Variant ASP.NET Misconfiguration: Creating Debug Binary - (11) |
| Weakness Variant ASP.NET Misconfiguration: Missing Custom Error Page - (12) |
| Weakness Variant ASP.NET Misconfiguration: Not Using Input Validation Framework - (554) |
| Weakness Variant ASP.NET Misconfiguration: Password in Configuration File - (13) |
| Weakness Variant ASP.NET Misconfiguration: Use of Identity Impersonation - (556) |
| Weakness Variant Assigning instead of Comparing - (481) |
| Weakness Base Assignment of a Fixed Address to a Pointer - (587) |
 Weakness Class Asymmetric Resource Consumption (Amplification) - (405) |
| Weakness Variant Attempt to Access Child of a Non-structure Pointer - (588) |
| Weakness Variant Authentication Bypass by Alternate Name - (289) |
| Weakness Variant Authentication Bypass by Assumed-Immutable Data - (302) |
| Weakness Base Authentication Bypass by Capture-replay - (294) |
| Weakness Base Authentication Bypass by Primary Weakness - (305) |
| Weakness Base Authentication Bypass by Spoofing - (290) |
| Weakness Class Authentication Bypass Issues - (592) |
| Weakness Base Authentication Bypass Using an Alternate Path or Channel - (288) |
| Weakness Variant Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created - (593) |
| Weakness Base Authorization Bypass Through User-Controlled Key - (639) |
| Weakness Variant Authorization Bypass Through User-Controlled SQL Primary Key - (566) |
| Weakness Base Behavioral Change in New Version or Environment - (439) |
| Category Behavioral Problems - (438) |
| Weakness Variant Buffer Access Using Size of Source Buffer - (806) |
| Weakness Base Buffer Access with Incorrect Length Value - (805) |
| Weakness Base Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120) |
| Weakness Variant Buffer Over-read - (126) |
| Weakness Variant Buffer Under-read - (127) |
| Weakness Base Buffer Underwrite ('Buffer Underflow') - (124) |
| Category Business Logic Errors - (840) |
| Category Byte/Object Code - (503) |
| Weakness Variant Call to Non-ubiquitous API - (589) |
| Weakness Variant Call to Thread run() instead of start() - (572) |
| Weakness Class Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - (300) |
| Category Channel and Path Errors - (417) |
| Category Channel Errors - (418) |
| Category Cleansing, Canonicalization, and Comparison Errors - (171) |
| Weakness Base Cleartext Storage of Sensitive Information - (312) |
| Weakness Base Cleartext Transmission of Sensitive Information - (319) |
| Weakness Base Client-Side Enforcement of Server-Side Security - (602) |
| Weakness Variant clone() Method Without super.clone() - (580) |
| Weakness Variant Cloneable Class Containing Sensitive Information - (498) |
| Category Code - (17) |
| Weakness Base Collapse of Data into Unsafe Value - (182) |
| Weakness Variant Command Shell in Externally Accessible Directory - (553) |
| Weakness Variant Comparing instead of Assigning - (482) |
| Weakness Variant Comparison of Classes by Name - (486) |
| Weakness Base Comparison of Object References Instead of Object Contents - (595) |
| Weakness Base Compiler Removal of Code to Clear Buffers - (14) |
| Category Concurrency Issues - (557) |
| Weakness Class Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362) |
| Category Configuration - (16) |
| Weakness Class Containment Errors (Container Errors) - (216) |
| Weakness Base Context Switching Race Condition - (368) |
| Weakness Class Covert Channel - (514) |
| Weakness Base Covert Storage Channel - (515) |
| Weakness Base Covert Timing Channel - (385) |
| Weakness Variant Creation of chroot Jail Without Changing Working Directory - (243) |
| Weakness Base Creation of Temporary File in Directory with Incorrect Permissions - (379) |
| Weakness Base Creation of Temporary File With Insecure Permissions - (378) |
| Category Credentials Management - (255) |
| Weakness Variant Critical Public Variable Without Final Modifier - (493) |
| Weakness Variant Critical Variable Declared Public - (766) |
 Compound Element: Composite Cross-Site Request Forgery (CSRF) - (352) |
| Category Cryptographic Issues - (310) |
| Weakness Base Dangerous Signal Handler not Disabled During Sensitive Operations - (432) |
| Weakness Base Dangling Database Cursor ('Cursor Injection') - (619) |
| Category Data Handling - (19) |
| Category Data Structure Issues - (461) |
| Weakness Variant Dead Code - (561) |
| Weakness Base Deadlock - (833) |
| Weakness Base Declaration of Catch for Generic Exception - (396) |
| Weakness Base Declaration of Throws for Generic Exception - (397) |
| Weakness Base Deletion of Data Structure Sentinel - (463) |
| Weakness Base Deployment of Wrong Handler - (430) |
| Weakness Variant Deserialization of Untrusted Data - (502) |
| Weakness Class Detection of Error Condition Without Action - (390) |
| Weakness Base Direct Request ('Forced Browsing') - (425) |
| Weakness Base Direct Use of Unsafe JNI - (111) |
| Weakness Base Divide By Zero - (369) |
| Weakness Variant Double Decoding of the Same Data - (174) |
| Weakness Variant Double Free - (415) |
| Weakness Base Double-Checked Locking - (609) |
| Weakness Variant Doubled Character XSS Manipulations - (85) |
| Weakness Base Download of Code Without Integrity Check - (494) |
| Weakness Base Duplicate Key in Associative List (Alist) - (462) |
| Weakness Base Dynamic Variable Evaluation - (627) |
| Weakness Variant EJB Bad Practices: Use of AWT Swing - (575) |
| Weakness Variant EJB Bad Practices: Use of Class Loader - (578) |
| Weakness Variant EJB Bad Practices: Use of Java I/O - (576) |
| Weakness Variant EJB Bad Practices: Use of Sockets - (577) |
| Weakness Variant EJB Bad Practices: Use of Synchronization Primitives - (574) |
| Weakness Class Embedded Malicious Code - (506) |
| Weakness Variant Empty Password in Configuration File - (258) |
| Weakness Variant Empty Synchronized Block - (585) |
| Weakness Class Encoding Error - (172) |
| Category Environment - (2) |
| Category Error Conditions, Return Values, Status Codes - (389) |
| Category Error Handling - (388) |
| Weakness Base Excessive Iteration - (834) |
| Weakness Base Executable Regular Expression Error - (624) |
| Weakness Base Execution After Redirect (EAR) - (698) |
| Weakness Class Execution with Unnecessary Privileges - (250) |
| Weakness Base Expected Behavior Violation - (440) |
| Weakness Base Expired Pointer Dereference - (825) |
| Weakness Variant Explicit Call to Finalize() - (586) |
| Weakness Base Exposed Dangerous Method or Function - (749) |
| Weakness Variant Exposed IOCTL with Insufficient Access Control - (782) |
| Weakness Base Exposed Unsafe ActiveX Method - (618) |
| Weakness Variant Exposure of Access Control List Files to an Unauthorized Control Sphere - (529) |
| Weakness Variant Exposure of Backup File to an Unauthorized Control Sphere - (530) |
| Weakness Variant Exposure of Core Dump File to an Unauthorized Control Sphere - (528) |
| Weakness Variant Exposure of CVS Repository to an Unauthorized Control Sphere - (527) |
| Weakness Variant Exposure of Data Element to Wrong Session - (488) |
| Weakness Base Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') - (403) |
| Weakness Class Exposure of Resource to Wrong Sphere - (668) |
| Weakness Variant Exposure of Sensitive Data Through Data Queries - (202) |
| Weakness Variant Exposure of System Data to an Unauthorized Control Sphere - (497) |
| Weakness Variant Expression is Always False - (570) |
| Weakness Variant Expression is Always True - (571) |
| Category Expression Issues - (569) |
| Weakness Base External Control of Assumed-Immutable Web Parameter - (472) |
| Weakness Class External Control of Critical State Data - (642) |
| Weakness Class External Control of File Name or Path - (73) |
| Weakness Base External Control of System or Configuration Setting - (15) |
| Weakness Class External Influence of Sphere Definition - (673) |
| Weakness Base External Initialization of Trusted Variables or Data Stores - (454) |
| Weakness Class Externally Controlled Reference to a Resource in Another Sphere - (610) |
| Weakness Base Failure to Handle Incomplete Element - (239) |
| Weakness Base Failure to Handle Missing Parameter - (234) |
| Weakness Variant Failure to Sanitize Paired Delimiters - (157) |
| Weakness Class Failure to Sanitize Special Element - (159) |
| Weakness Class Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - (75) |
| Weakness Base File and Directory Information Exposure - (538) |
| Category File Descriptor Exhaustion - (769) |
| Weakness Base Files or Directories Accessible to External Parties - (552) |
| Weakness Variant finalize() Method Declared Public - (583) |
| Weakness Variant finalize() Method Without super.finalize() - (568) |
| Weakness Variant Free of Memory not on the Heap - (590) |
| Weakness Variant Free of Pointer not at Start of Buffer - (761) |
| Weakness Variant Function Call With Incorrect Argument Type - (686) |
| Weakness Variant Function Call With Incorrect Number of Arguments - (685) |
| Weakness Variant Function Call With Incorrect Order of Arguments - (683) |
| Weakness Variant Function Call With Incorrect Variable or Reference as Argument - (688) |
| Weakness Variant Function Call With Incorrectly Specified Argument Value - (687) |
| Weakness Base Function Call with Incorrectly Specified Arguments - (628) |
| Weakness Base Guessable CAPTCHA - (804) |
| Category Handler Errors - (429) |
| Weakness Variant Heap-based Buffer Overflow - (122) |
| Weakness Class Hidden Functionality - (912) |
| Weakness Class Improper Access Control - (284) |
| Weakness Class Improper Access of Indexable Resource ('Range Error') - (118) |
| Weakness Variant Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code - (781) |
| Weakness Class Improper Authentication - (287) |
| Weakness Class Improper Authorization - (285) |
| Weakness Base Improper Certificate Validation - (295) |
| Weakness Variant Improper Check for Certificate Revocation - (299) |
| Weakness Base Improper Check for Dropped Privileges - (273) |
| Weakness Class Improper Check for Unusual or Exceptional Conditions - (754) |
| Weakness Variant Improper Cleanup on Thrown Exception - (460) |
| Weakness Variant Improper Clearing of Heap Memory Before Release ('Heap Inspection') - (244) |
| Weakness Class Improper Control of a Resource Through its Lifetime - (664) |
| Weakness Base Improper Control of Document Type Definition - (827) |
| Weakness Base Improper Control of Dynamically-Identified Variables - (914) |
| Weakness Class Improper Control of Dynamically-Managed Code Resources - (913) |
| Weakness Base Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - (98) |
| Weakness Class Improper Control of Generation of Code ('Code Injection') - (94) |
| Weakness Class Improper Control of Interaction Frequency - (799) |
| Weakness Base Improper Control of Resource Identifiers ('Resource Injection') - (99) |
| Weakness Base Improper Cross-boundary Removal of Sensitive Data - (212) |
| Weakness Class Improper Encoding or Escaping of Output - (116) |
| Weakness Base Improper Enforcement of a Single, Unique Action - (837) |
| Weakness Base Improper Enforcement of Behavioral Workflow - (841) |
| Weakness Base Improper Following of a Certificate's Chain of Trust - (296) |
| Weakness Class Improper Following of Specification by Caller - (573) |
| Weakness Class Improper Fulfillment of API Contract ('API Abuse') - (227) |
| Weakness Base Improper Handling of Additional Special Element - (167) |
| Weakness Variant Improper Handling of Alternate Encoding - (173) |
| Weakness Variant Improper Handling of Apple HFS+ Alternate Data Stream Path - (72) |
| Weakness Base Improper Handling of Case Sensitivity - (178) |
| Weakness Base Improper Handling of Extra Parameters - (235) |
| Weakness Base Improper Handling of Extra Values - (231) |
| Weakness Base Improper Handling of File Names that Identify Virtual Resources - (66) |
| Weakness Base Improper Handling of Highly Compressed Data (Data Amplification) - (409) |
| Weakness Base Improper Handling of Incomplete Structural Elements - (238) |
| Weakness Base Improper Handling of Inconsistent Special Elements - (168) |
| Weakness Base Improper Handling of Inconsistent Structural Elements - (240) |
| Weakness Variant Improper Handling of Insufficient Entropy in TRNG - (333) |
| Weakness Base Improper Handling of Insufficient Permissions or Privileges - (280) |
| Weakness Base Improper Handling of Insufficient Privileges - (274) |
| Weakness Base Improper Handling of Length Parameter Inconsistency - (130) |
| Weakness Base Improper Handling of Missing Special Element - (166) |
| Weakness Base Improper Handling of Missing Values - (230) |
| Weakness Variant Improper Handling of Mixed Encoding - (175) |
| Weakness Class Improper Handling of Structural Elements - (237) |
| Weakness Class Improper Handling of Syntactically Invalid Structure - (228) |
| Weakness Base Improper Handling of Undefined Parameters - (236) |
| Weakness Base Improper Handling of Undefined Values - (232) |
| Weakness Base Improper Handling of Unexpected Data Type - (241) |
| Weakness Variant Improper Handling of Unicode Encoding - (176) |
| Weakness Variant Improper Handling of URL Encoding (Hex Encoding) - (177) |
| Weakness Class Improper Handling of Values - (229) |
| Weakness Variant Improper Handling of Windows ::DATA Alternate Data Stream - (69) |
| Weakness Variant Improper Handling of Windows Device Names - (67) |
| Weakness Base Improper Initialization - (665) |
| Weakness Class Improper Input Validation - (20) |
| Weakness Class Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22) |
| Weakness Base Improper Link Resolution Before File Access ('Link Following') - (59) |
| Weakness Base Improper Locking - (667) |
| Weakness Variant Improper Neutralization of Alternate XSS Syntax - (87) |
| Weakness Variant Improper Neutralization of Comment Delimiters - (151) |
| Weakness Base Improper Neutralization of CRLF Sequences ('CRLF Injection') - (93) |
| Weakness Base Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') - (113) |
| Weakness Base Improper Neutralization of Data within XPath Expressions ('XPath Injection') - (643) |
| Weakness Base Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') - (652) |
| Weakness Base Improper Neutralization of Delimiters - (140) |
| Weakness Base Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95) |
| Weakness Base Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - (96) |
| Weakness Variant Improper Neutralization of Encoded URI Schemes in a Web Page - (84) |
| Weakness Base Improper Neutralization of Equivalent Special Elements - (76) |
| Weakness Variant Improper Neutralization of Escape, Meta, or Control Sequences - (150) |
| Weakness Variant Improper Neutralization of Expression/Command Delimiters - (146) |
| Weakness Variant Improper Neutralization of HTTP Headers for Scripting Syntax - (644) |
| Weakness Base Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79) |
| Weakness Variant Improper Neutralization of Input Leaders - (148) |
| Weakness Variant Improper Neutralization of Input Terminators - (147) |
| Weakness Variant Improper Neutralization of Internal Special Elements - (164) |
| Weakness Variant Improper Neutralization of Invalid Characters in Identifiers in Web Pages - (86) |
| Weakness Variant Improper Neutralization of Leading Special Elements - (160) |
| Weakness Variant Improper Neutralization of Line Delimiters - (144) |
| Weakness Variant Improper Neutralization of Macro Symbols - (152) |
| Weakness Variant Improper Neutralization of Multiple Internal Special Elements - (165) |
| Weakness Variant Improper Neutralization of Multiple Leading Special Elements - (161) |
| Weakness Variant Improper Neutralization of Multiple Trailing Special Elements - (163) |
| Weakness Variant Improper Neutralization of Null Byte or NUL Character - (158) |
| Weakness Variant Improper Neutralization of Parameter/Argument Delimiters - (141) |
| Weakness Variant Improper Neutralization of Quoting Syntax - (149) |
| Weakness Variant Improper Neutralization of Record Delimiters - (143) |
| Weakness Variant Improper Neutralization of Script in an Error Message Web Page - (81) |
| Weakness Variant Improper Neutralization of Script in Attributes in a Web Page - (83) |
| Weakness Variant Improper Neutralization of Script in Attributes of IMG Tags in a Web Page - (82) |
| Weakness Variant Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - (80) |
| Weakness Variant Improper Neutralization of Section Delimiters - (145) |
| Weakness Variant Improper Neutralization of Server-Side Includes (SSI) Within a Web Page - (97) |
| Weakness Class Improper Neutralization of Special Elements - (138) |
| Weakness Class Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - (74) |
| Weakness Class Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77) |
| Weakness Base Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') - (917) |
| Weakness Base Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90) |
| Weakness Base Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78) |
| Weakness Base Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89) |
| Weakness Variant Improper Neutralization of Substitution Characters - (153) |
| Weakness Variant Improper Neutralization of Trailing Special Elements - (162) |
| Weakness Variant Improper Neutralization of Value Delimiters - (142) |
| Weakness Variant Improper Neutralization of Variable Name Delimiters - (154) |
| Weakness Variant Improper Neutralization of Whitespace - (156) |
| Weakness Variant Improper Neutralization of Wildcards or Matching Symbols - (155) |
| Weakness Base Improper Null Termination - (170) |
| Weakness Base Improper Output Neutralization for Logs - (117) |
| Weakness Class Improper Ownership Management - (282) |
| Weakness Base Improper Preservation of Permissions - (281) |
| Weakness Base Improper Privilege Management - (269) |
| Weakness Class Improper Protection of Alternate Path - (424) |
| Weakness Base Improper Release of Memory Before Removing Last Reference ('Memory Leak') - (401) |
| Weakness Base Improper Resolution of Path Equivalence - (41) |
| Weakness Base Improper Resource Locking - (413) |
| Weakness Base Improper Resource Shutdown or Release - (404) |
| Weakness Base Improper Restriction of Excessive Authentication Attempts - (307) |
| Weakness Base Improper Restriction of Names for Files and Other Resources - (641) |
| Weakness Class Improper Restriction of Operations within the Bounds of a Memory Buffer - (119) |
| Weakness Variant Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') - (776) |
| Weakness Variant Improper Restriction of XML External Entity Reference ('XXE') - (611) |
| Weakness Base Improper Synchronization - (662) |
| Weakness Base Improper Update of Reference Count - (911) |
| Weakness Base Improper Validation of Array Index - (129) |
| Weakness Variant Improper Validation of Certificate Expiration - (298) |
| Weakness Variant Improper Validation of Certificate with Host Mismatch - (297) |
| Weakness Variant Improper Validation of Function Hook Arguments - (622) |
| Weakness Base Improper Validation of Integrity Check Value - (354) |
| Weakness Base Improper Verification of Cryptographic Signature - (347) |
| Weakness Base Improperly Controlled Modification of Dynamically-Determined Object Attributes - (915) |
| Weakness Base Improperly Implemented Security Check for Standard - (358) |
| Weakness Base Improperly Trusted Reverse DNS - (350) |
| Weakness Class Inadequate Encryption Strength - (326) |
| Category Inadvertently Introduced Weakness - (518) |
| Weakness Base Inappropriate Encoding for Output Context - (838) |
| Weakness Class Inclusion of Functionality from Untrusted Control Sphere - (829) |
| Weakness Base Inclusion of Web Functionality from an Untrusted Source - (830) |
| Weakness Base Incomplete Blacklist - (184) |
| Weakness Base Incomplete Cleanup - (459) |
| Weakness Variant Incomplete Identification of Uploaded File Variables (PHP) - (616) |
| Weakness Base Incomplete Internal State Distinction - (372) |
| Weakness Base Incomplete Model of Endpoint Features - (437) |
| Weakness Base Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') - (444) |
| Weakness Class Incorrect Authorization - (863) |
| Weakness Class Incorrect Behavior Order - (696) |
| Weakness Base Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551) |
| Weakness Base Incorrect Behavior Order: Early Amplification - (408) |
| Weakness Base Incorrect Behavior Order: Early Validation - (179) |
| Weakness Base Incorrect Behavior Order: Validate Before Canonicalize - (180) |
| Weakness Base Incorrect Behavior Order: Validate Before Filter - (181) |
| Weakness Variant Incorrect Block Delimitation - (483) |
| Weakness Class Incorrect Calculation - (682) |
| Weakness Base Incorrect Calculation of Buffer Size - (131) |
| Weakness Base Incorrect Calculation of Multi-Byte String Length - (135) |
| Weakness Base Incorrect Check of Function Return Value - (253) |
| Weakness Base Incorrect Conversion between Numeric Types - (681) |
| Weakness Variant Incorrect Default Permissions - (276) |
| Weakness Variant Incorrect Execution-Assigned Permissions - (279) |
| Weakness Base Incorrect Implementation of Authentication Algorithm - (303) |
| Weakness Base Incorrect Ownership Assignment - (708) |
| Weakness Class Incorrect Permission Assignment for Critical Resource - (732) |
| Weakness Base Incorrect Pointer Scaling - (468) |
| Weakness Base Incorrect Privilege Assignment - (266) |
| Weakness Base Incorrect Provision of Specified Functionality - (684) |
| Weakness Class Incorrect Regular Expression - (185) |
| Weakness Class Incorrect Resource Transfer Between Spheres - (669) |
| Weakness Base Incorrect Semantic Object Comparison - (596) |
| Weakness Variant Incorrect Short Circuit Evaluation - (768) |
| Weakness Base Incorrect Synchronization - (821) |
| Weakness Class Incorrect Type Conversion or Cast - (704) |
| Weakness Base Incorrect Use of Privileged APIs - (648) |
| Weakness Class Incorrect User Management - (286) |
| Weakness Class Indicator of Poor Code Quality - (398) |
| Weakness Class Information Exposure - (200) |
| Weakness Variant Information Exposure of Internal State Through Behavioral Inconsistency - (206) |
| Weakness Base Information Exposure Through an Error Message - (209) |
| Weakness Variant Information Exposure Through an External Behavioral Inconsistency - (207) |
| Weakness Base Information Exposure Through Behavioral Discrepancy - (205) |
| Weakness Variant Information Exposure Through Browser Caching - (525) |
| Weakness Variant Information Exposure Through Caching - (524) |
| Weakness Variant Information Exposure Through Cleanup Log Files - (542) |
| Weakness Variant Information Exposure Through Comments - (615) |
| Weakness Variant Information Exposure Through Debug Information - (215) |
| Weakness Variant Information Exposure Through Debug Log Files - (534) |
| Weakness Variant Information Exposure Through Directory Listing - (548) |
| Weakness Class Information Exposure Through Discrepancy - (203) |
| Weakness Variant Information Exposure Through Environmental Variables - (526) |
| Weakness Base Information Exposure Through Externally-generated Error Message - (211) |
| Weakness Variant Information Exposure Through Include Source Code - (541) |
| Weakness Variant Information Exposure Through Indexing of Private Data - (612) |
| Weakness Variant Information Exposure Through Java Runtime Error Message - (537) |
| Weakness Variant Information Exposure Through Log Files - (532) |
| Weakness Variant Information Exposure Through Persistent Cookies - (539) |
| Weakness Variant Information Exposure Through Process Environment - (214) |
| Weakness Variant Information Exposure Through Query Strings in GET Request - (598) |
| Weakness Base Information Exposure Through Self-generated Error Message - (210) |
| Weakness Variant Information Exposure Through Sent Data - (201) |
| Weakness Variant Information Exposure Through Server Error Message - (550) |
| Weakness Variant Information Exposure Through Server Log Files - (533) |
| Weakness Variant Information Exposure Through Servlet Runtime Error Message - (536) |
| Weakness Variant Information Exposure Through Shell Error Message - (535) |
| Weakness Variant Information Exposure Through Source Code - (540) |
| Weakness Variant Information Exposure Through Test Code - (531) |
| Weakness Base Information Exposure Through Timing Discrepancy - (208) |
| Weakness Variant Information Exposure Through WSDL File - (651) |
| Weakness Class Information Loss or Omission - (221) |
| Category Information Management Errors - (199) |
| Category Initialization and Cleanup Errors - (452) |
| Weakness Base Insecure Default Variable Initialization - (453) |
| Weakness Variant Insecure Inherited Permissions - (277) |
| Weakness Variant Insecure Preserved Inherited Permissions - (278) |
| Weakness Base Insecure Temporary File - (377) |
| Weakness Class Insufficient Comparison - (697) |
| Weakness Base Insufficient Compartmentalization - (653) |
| Weakness Class Insufficient Control Flow Management - (691) |
| Weakness Base Insufficient Control of Network Message Volume (Network Amplification) - (406) |
| Weakness Class Insufficient Encapsulation - (485) |
| Weakness Base Insufficient Entropy - (331) |
| Weakness Variant Insufficient Entropy in PRNG - (332) |
| Weakness Base Insufficient Logging - (778) |
| Weakness Base Insufficient Psychological Acceptability - (655) |
| Weakness Base Insufficient Resource Pool - (410) |
| Weakness Base Insufficient Session Expiration - (613) |
| Weakness Base Insufficient Type Distinction - (351) |
| Weakness Base Insufficient UI Warning of Dangerous Operations - (357) |
| Weakness Class Insufficient Verification of Data Authenticity - (345) |
| Weakness Base Insufficiently Protected Credentials - (522) |
| Category Integer Coercion Error - (192) |
| Weakness Base Integer Overflow or Wraparound - (190) |
| Weakness Base Integer Underflow (Wrap or Wraparound) - (191) |
| Weakness Base Intentional Information Exposure - (213) |
| Category Intentionally Introduced Nonmalicious Weakness - (513) |
| Category Intentionally Introduced Weakness - (505) |
| Weakness Class Interaction Error - (435) |
| Weakness Base Interpretation Conflict - (436) |
| Weakness Variant J2EE Bad Practices: Direct Management of Connections - (245) |
| Weakness Variant J2EE Bad Practices: Direct Use of Sockets - (246) |
| Weakness Variant J2EE Bad Practices: Direct Use of Threads - (383) |
| Weakness Variant J2EE Bad Practices: Non-serializable Object Stored in Session - (579) |
| Weakness Variant J2EE Bad Practices: Use of System.exit() - (382) |
| Category J2EE Environment Issues - (4) |
| Weakness Variant J2EE Framework: Saving Unserializable Objects to Disk - (594) |
| Weakness Variant J2EE Misconfiguration: Data Transmission Without Encryption - (5) |
| Weakness Variant J2EE Misconfiguration: Entity Bean Declared Remote - (8) |
| Weakness Variant J2EE Misconfiguration: Insufficient Session-ID Length - (6) |
| Weakness Variant J2EE Misconfiguration: Missing Custom Error Page - (7) |
| Weakness Variant J2EE Misconfiguration: Plaintext Password in Configuration File - (555) |
| Weakness Variant J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9) |
| Category J2EE Time and State Issues - (381) |
| Weakness Base Key Exchange without Entity Authentication - (322) |
| Category Key Management Errors - (320) |
| Weakness Class Lack of Administrator Control over Security - (671) |
| Weakness Base Least Privilege Violation - (272) |
| Weakness Base Leftover Debug Code - (489) |
| Category Location - (1) |
| Weakness Base Logging of Excessive Data - (779) |
| Weakness Base Logic/Time Bomb - (511) |
| Weakness Base Loop with Unreachable Exit Condition ('Infinite Loop') - (835) |
| Category Mac Virtual File Problems - (70) |
| Weakness Base Misinterpretation of Input - (115) |
| Weakness Variant Mismatched Memory Management Routines - (762) |
| Weakness Variant Missing Authentication for Critical Function - (306) |
| Weakness Class Missing Authorization - (862) |
| Weakness Base Missing Check for Certificate Revocation after Initial Check - (370) |
| Weakness Base Missing Critical Step in Authentication - (304) |
| Weakness Class Missing Custom Error Page - (756) |
| Weakness Variant Missing Default Case in Switch Statement - (478) |
| Weakness Base Missing Encryption of Sensitive Data - (311) |
| Weakness Base Missing Handler - (431) |
| Weakness Base Missing Initialization of a Variable - (456) |
| Weakness Base Missing Initialization of Resource - (909) |
| Weakness Base Missing Lock Check - (414) |
| Weakness Variant Missing Password Field Masking - (549) |
| Weakness Variant Missing Reference to Active File Descriptor or Handle - (773) |
| Weakness Variant Missing Release of File Descriptor or Handle after Effective Lifetime - (775) |
| Weakness Base Missing Report of Error Condition - (392) |
| Weakness Base Missing Required Cryptographic Step - (325) |
| Weakness Base Missing Standardized Error Handling Mechanism - (544) |
| Weakness Base Missing Support for Integrity Check - (353) |
| Weakness Base Missing Synchronization - (820) |
| Weakness Variant Missing Validation of OpenSSL Certificate - (599) |
| Weakness Base Missing XML Validation - (112) |
| Category Mobile Code Issues - (490) |
| Weakness Base Modification of Assumed-Immutable Data (MAID) - (471) |
| Category Motivation/Intent - (504) |
| Weakness Base Multiple Binds to the Same Port - (605) |
| Weakness Base Multiple Interpretations of UI Input - (450) |
| Weakness Variant Multiple Locks of a Critical Resource - (764) |
| Weakness Variant Multiple Unlocks of a Critical Resource - (765) |
| Category .NET Environment Issues - (519) |
| Weakness Variant .NET Misconfiguration: Use of Impersonation - (520) |
| Weakness Base Non-exit on Failed Initialization - (455) |
| Weakness Base Non-Replicating Malicious Code - (508) |
| Weakness Class Not Failing Securely ('Failing Open') - (636) |
| Weakness Variant Not Using a Random IV with CBC Mode - (329) |
| Weakness Class Not Using Complete Mediation - (638) |
| Weakness Variant Not Using Password Aging - (262) |
| Weakness Variant Null Byte Interaction Error (Poison Null Byte) - (626) |
| Weakness Base NULL Pointer Dereference - (476) |
| Category Numeric Errors - (189) |
| Weakness Base Numeric Range Comparison Without Minimum Check - (839) |
| Weakness Base Numeric Truncation Error - (197) |
| Weakness Base Object Model Violation: Just One of Equals and Hashcode Defined - (581) |
| Weakness Base Obscured Security-relevant Information by Alternate Name - (224) |
| Weakness Base Obsolete Feature in UI - (448) |
| Weakness Base Off-by-one Error - (193) |
| Category Often Misused: Arguments and Parameters - (559) |
| Category Often Misused: String Management - (251) |
| Weakness Base Omission of Security-relevant Information - (223) |
| Weakness Base Omitted Break Statement in Switch - (484) |
| Weakness Base Operation on a Resource after Expiration or Release - (672) |
| Weakness Base Operation on Resource in Wrong Phase of Lifetime - (666) |
| Weakness Variant Operator Precedence Logic Error - (783) |
| Weakness Base Origin Validation Error - (346) |
| Category Other Intentional, Nonmalicious Weakness - (517) |
| Weakness Base Out-of-bounds Read - (125) |
| Weakness Base Out-of-bounds Write - (787) |
| Weakness Base Overly Restrictive Account Lockout Mechanism - (645) |
| Weakness Base Overly Restrictive Regular Expression - (186) |
| Weakness Class Parameter Problems - (233) |
| Weakness Base Partial Comparison - (187) |
| Weakness Base Passing Mutable Objects to an Untrusted Method - (374) |
| Weakness Base Password Aging with Long Expiration - (263) |
| Weakness Variant Password in Configuration File - (260) |
| Weakness Variant Path Equivalence: ' filename' (Leading Space) - (47) |
| Weakness Variant Path Equivalence: '/./' (Single Dot Directory) - (55) |
| Weakness Variant Path Equivalence: '//multiple/leading/slash' - (50) |
| Weakness Variant Path Equivalence: '/multiple//internal/slash' - (51) |
| Weakness Variant Path Equivalence: '/multiple/trailing/slash//' - (52) |
| Weakness Variant Path Equivalence: '\multiple\\internal\backslash' - (53) |
| Weakness Variant Path Equivalence: 'fakedir/../realdir/filename' - (57) |
| Weakness Variant Path Equivalence: 'file name' (Internal Whitespace) - (48) |
| Weakness Variant Path Equivalence: 'filedir*' (Wildcard) - (56) |
| Weakness Variant Path Equivalence: 'filedir\' (Trailing Backslash) - (54) |
| Weakness Variant Path Equivalence: 'filename ' (Trailing Space) - (46) |
| Weakness Variant Path Equivalence: 'file.name' (Internal Dot) - (44) |
| Weakness Variant Path Equivalence: 'file...name' (Multiple Internal Dot) - (45) |
| Weakness Variant Path Equivalence: 'filename....' (Multiple Trailing Dot) - (43) |
| Weakness Variant Path Equivalence: 'filename.' (Trailing Dot) - (42) |
| Weakness Variant Path Equivalence: 'filename/' (Trailing Slash) - (49) |
| Weakness Variant Path Equivalence: Windows 8.3 Filename - (58) |
| Weakness Variant Path Traversal: '....' (Multiple Dot) - (33) |
| Weakness Variant Path Traversal: '...' (Triple Dot) - (32) |
| Weakness Variant Path Traversal: '....//' - (34) |
| Weakness Variant Path Traversal: '.../...//' - (35) |
| Weakness Variant Path Traversal: '/../filedir' - (25) |
| Weakness Variant Path Traversal: '/absolute/pathname/here' - (37) |
| Weakness Variant Path Traversal: '/dir/../filename' - (26) |
| Weakness Variant Path Traversal: '../filedir' - (24) |
| Weakness Variant Path Traversal: '\..\filename' - (29) |
| Weakness Variant Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - (40) |
| Weakness Variant Path Traversal: '\absolute\pathname\here' - (38) |
| Weakness Variant Path Traversal: '\dir\..\filename' - (30) |
| Weakness Variant Path Traversal: '..\filedir' - (28) |
| Weakness Variant Path Traversal: 'C:dirname' - (39) |
| Weakness Variant Path Traversal: 'dir/../../filename' - (27) |
| Weakness Variant Path Traversal: 'dir\..\..\filename' - (31) |
| Category Pathname Traversal and Equivalence Errors - (21) |
| Category Permission Issues - (275) |
| Compound Element: Composite Permission Race Condition During Resource Copy - (689) |
| Category Permissions, Privileges, and Access Controls - (264) |
| Weakness Base Permissive Regular Expression - (625) |
| Weakness Base Permissive Whitelist - (183) |
| Weakness Variant PHP External Variable Modification - (473) |
| Weakness Base Placement of User into Incorrect Group - (842) |
| Weakness Variant Plaintext Storage in a Cookie - (315) |
| Weakness Variant Plaintext Storage in a File or on Disk - (313) |
| Weakness Variant Plaintext Storage in Executable - (318) |
| Weakness Variant Plaintext Storage in GUI - (317) |
| Weakness Variant Plaintext Storage in Memory - (316) |
| Weakness Variant Plaintext Storage in the Registry - (314) |
| Weakness Variant Plaintext Storage of a Password - (256) |
| Category Pointer Issues - (465) |
| Weakness Class Predictability Problems - (340) |
| Weakness Base Predictable Exact Value from Previous Values - (342) |
| Weakness Base Predictable from Observable State - (341) |
| Weakness Base Predictable Seed in PRNG - (337) |
| Weakness Base Predictable Value Range from Previous Values - (343) |
| Weakness Base Premature Release of Resource During Expected Lifetime - (826) |
| Weakness Class Privacy Violation - (359) |
| Weakness Variant Private Array-Typed Field Returned From A Public Method - (495) |
| Category Privilege / Sandbox Issues - (265) |
| Weakness Base Privilege Chaining - (268) |
| Weakness Base Privilege Context Switching Error - (270) |
| Weakness Base Privilege Defined With Unsafe Actions - (267) |
| Weakness Class Privilege Dropping / Lowering Errors - (271) |
| Weakness Class PRNG Seed Error - (335) |
| Weakness Base Process Control - (114) |
| Weakness Base Product UI does not Warn User of Unsafe Actions - (356) |
| Weakness Class Protection Mechanism Failure - (693) |
| Weakness Variant Public cloneable() Method Without Final ('Object Hijack') - (491) |
| Weakness Variant Public Data Assigned to Private Array-Typed Field - (496) |
| Weakness Variant Public Static Field Not Marked Final - (500) |
| Weakness Variant Public Static Final Field References Mutable Object - (607) |
| Weakness Base Race Condition During Access to Alternate Channel - (421) |
| Weakness Base Race Condition Enabling Link Following - (363) |
| Weakness Base Race Condition in Switch - (365) |
| Weakness Base Race Condition within a Thread - (366) |
| Weakness Variant Reachable Assertion - (617) |
| Weakness Variant Reflection Attack in an Authentication Protocol - (301) |
| Weakness Variant Regular Expression without Anchors - (777) |
| Weakness Base Relative Path Traversal - (23) |
| Weakness Base Release of Invalid Pointer or Reference - (763) |
| Weakness Base Reliance on a Single Factor in a Security Decision - (654) |
| Weakness Base Reliance on Cookies without Validation and Integrity Checking - (565) |
| Weakness Variant Reliance on Cookies without Validation and Integrity Checking in a Security Decision - (784) |
| Weakness Base Reliance on Data/Memory Layout - (188) |
| Weakness Variant Reliance on DNS Lookups in a Security Decision - (247) |
| Weakness Variant Reliance on File Name or Extension of Externally-Supplied File - (646) |
| Weakness Base Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking - (649) |
| Weakness Variant Reliance on Package-level Scope - (487) |
| Weakness Base Reliance on Security Through Obscurity - (656) |
| Weakness Base Reliance on Untrusted Inputs in a Security Decision - (807) |
| Weakness Base Replicating Malicious Code (Virus or Worm) - (509) |
| Category Representation Errors - (137) |
| Category Resource Locking Problems - (411) |
| Category Resource Management Errors - (399) |
 View Resource-specific Weaknesses - (631) |
| Weakness Base Response Discrepancy Information Exposure - (204) |
| Weakness Base Return Inside Finally Block - (584) |
| Weakness Base Return of Pointer Value Outside of Expected Range - (466) |
| Weakness Base Return of Stack Variable Address - (562) |
| Weakness Base Return of Wrong Status Code - (393) |
| Weakness Base Returning a Mutable Object to an Untrusted Caller - (375) |
| Weakness Base Reusing a Nonce, Key Pair in Encryption - (323) |
| Weakness Base Reversible One-Way Hash - (328) |
| Weakness Base Same Seed in PRNG - (336) |
| Category Security Features - (254) |
| Weakness Variant Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - (614) |
| Weakness Variant Sensitive Data Storage in Improperly Locked Memory - (591) |
| Weakness Variant Sensitive Data Under FTP Root - (220) |
| Weakness Variant Sensitive Data Under Web Root - (219) |
| Weakness Base Sensitive Information Uncleared Before Release - (226) |
| Weakness Variant Serializable Class Containing Sensitive Data - (499) |
| Weakness Base Server-Side Request Forgery (SSRF) - (918) |
| Compound Element: Composite Session Fixation - (384) |
| Category Signal Errors - (387) |
| Weakness Base Signal Handler Function Associated with Multiple Signals - (831) |
| Weakness Base Signal Handler Race Condition - (364) |
| Weakness Variant Signal Handler Use of a Non-reentrant Function - (479) |
| Weakness Base Signal Handler with Functionality that is not Asynchronous-Safe - (828) |
| Weakness Variant Signed to Unsigned Conversion Error - (195) |
| Weakness Base Small Seed Space in PRNG - (339) |
| Weakness Base Small Space of Random Values - (334) |
| Category Source Code - (18) |
| Weakness Base Spyware - (512) |
| Weakness Variant SQL Injection: Hibernate - (564) |
| Weakness Variant Stack-based Buffer Overflow - (121) |
| Category State Issues - (371) |
| Weakness Base Storing Passwords in a Recoverable Format - (257) |
| Category String Errors - (133) |
| Category Struts Validation Problems - (101) |
| Weakness Variant Struts: Duplicate Validation Forms - (102) |
| Weakness Variant Struts: Form Bean Does Not Extend Validation Class - (104) |
| Weakness Variant Struts: Form Field Without Validator - (105) |
| Weakness Variant Struts: Incomplete validate() Method Definition - (103) |
| Weakness Variant Struts: Non-private Field in ActionForm Class - (608) |
| Weakness Variant Struts: Plug-in Framework not in Use - (106) |
| Weakness Variant Struts: Unused Validation Form - (107) |
| Weakness Variant Struts: Unvalidated Action Form - (108) |
| Weakness Variant Struts: Validator Turned Off - (109) |
| Weakness Variant Struts: Validator Without Form Field - (110) |
| Weakness Variant Suspicious Comment - (546) |
| Weakness Base Symbolic Name not Mapping to Correct Object - (386) |
| Category Technology-specific Environment Issues - (3) |
| Category Technology-Specific Input Validation Problems - (100) |
| Category Technology-Specific Special Elements - (169) |
| Category Technology-Specific Time and State Issues - (380) |
| Category Temporary File Issues - (376) |
| Weakness Base The UI Performs the Wrong Action - (449) |
| Category Time and State - (361) |
| Weakness Base Time-of-check Time-of-use (TOCTOU) Race Condition - (367) |
| Weakness Class Transmission of Private Resources into a New Sphere ('Resource Leak') - (402) |
| Weakness Base Trapdoor - (510) |
| Weakness Base Trojan Horse - (507) |
| Weakness Base Truncation of Security-relevant Information - (222) |
| Weakness Base Trust Boundary Violation - (501) |
| Weakness Base Trust of System Event Data - (360) |
| Weakness Variant Trusting HTTP Permission Methods on the Server Side - (650) |
| Weakness Variant Trusting Self-reported DNS Name - (292) |
| Compound Element: Composite Trusting Self-reported IP Address - (291) |
| Category Type Errors - (136) |
| Weakness Base UI Discrepancy for Security Feature - (446) |
| Weakness Base UI Misrepresentation of Critical Information - (451) |
| Weakness Base Uncaught Exception - (248) |
| Weakness Base Uncaught Exception in Servlet - (600) |
| Weakness Base Unchecked Error Condition - (391) |
| Weakness Base Unchecked Input for Loop Condition - (606) |
| Weakness Base Unchecked Return Value - (252) |
| Weakness Base Uncontrolled Format String - (134) |
| Weakness Variant Uncontrolled Memory Allocation - (789) |
| Weakness Base Uncontrolled Recursion - (674) |
| Weakness Base Uncontrolled Resource Consumption ('Resource Exhaustion') - (400) |
| Weakness Base Uncontrolled Search Path Element - (427) |
| Weakness Base Undefined Behavior for Input to API - (475) |
| Weakness Base Unexpected Sign Extension - (194) |
| Weakness Base Unexpected Status Code or Return Value - (394) |
| Weakness Base Unimplemented or Unsupported Feature in UI - (447) |
| Weakness Class Unintended Proxy or Intermediary ('Confused Deputy') - (441) |
| Weakness Variant UNIX Hard Link - (62) |
| Category UNIX Path Link Problems - (60) |
| Compound Element: Composite UNIX Symbolic Link (Symlink) Following - (61) |
| Weakness Base Unlock of a Resource that is not Locked - (832) |
| Weakness Class Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') - (637) |
| Weakness Variant Unparsed Raw Web Content Delivery - (433) |
| Weakness Base Unprotected Alternate Channel - (420) |
| Weakness Base Unprotected Primary Channel - (419) |
| Weakness Variant Unprotected Transport of Credentials - (523) |
| Weakness Variant Unprotected Windows Messaging Channel ('Shatter') - (422) |
| Weakness Base Unquoted Search Path or Element - (428) |
| Weakness Base Unrestricted Externally Accessible Lock - (412) |
| Weakness Base Unrestricted Upload of File with Dangerous Type - (434) |
| Weakness Variant Unsafe ActiveX Control Marked Safe For Scripting - (623) |
| Weakness Variant Unsigned to Signed Conversion Error - (196) |
| Weakness Base Unsynchronized Access to Shared Data in a Multithreaded Context - (567) |
| Weakness Base Untrusted Pointer Dereference - (822) |
| Compound Element: Composite Untrusted Search Path - (426) |
| Weakness Variant Unused Variable - (563) |
| Weakness Base Unverified Ownership - (283) |
| Weakness Variant Unverified Password Change - (620) |
| Weakness Variant URL Redirection to Untrusted Site ('Open Redirect') - (601) |
| Weakness Base Use After Free - (416) |
| Weakness Base Use of a Broken or Risky Cryptographic Algorithm - (327) |
| Weakness Base Use of a Key Past its Expiration Date - (324) |
| Weakness Base Use of a Non-reentrant Function in a Concurrent Context - (663) |
| Weakness Base Use of Client-Side Authentication - (603) |
| Weakness Base Use of Cryptographically Weak PRNG - (338) |
| Weakness Variant Use of Dynamic Class Loading - (545) |
| Weakness Base Use of Expired File Descriptor - (910) |
| Weakness Base Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - (470) |
| Weakness Base Use of Function with Inconsistent Implementations - (474) |
| Weakness Variant Use of getlogin() in Multithreaded Application - (558) |
| Weakness Base Use of Hard-coded Credentials - (798) |
| Weakness Base Use of Hard-coded Cryptographic Key - (321) |
| Weakness Base Use of Hard-coded Password - (259) |
| Weakness Variant Use of Hard-coded, Security-relevant Constants - (547) |
| Weakness Base Use of Incorrect Byte Ordering - (198) |
| Weakness Base Use of Incorrect Operator - (480) |
| Weakness Base Use of Inherently Dangerous Function - (242) |
| Weakness Variant Use of Inner Class Containing Sensitive Data - (492) |
| Weakness Class Use of Insufficiently Random Values - (330) |
| Weakness Base Use of Invariant Value in Dynamically Changing Context - (344) |
| Weakness Base Use of Less Trusted Source - (348) |
| Weakness Base Use of Low-Level Functionality - (695) |
| Weakness Base Use of Multiple Resources with Duplicate Identifier - (694) |
| Weakness Variant Use of Non-Canonical URL Paths for Authorization Decisions - (647) |
| Weakness Base Use of NullPointerException Catch to Detect NULL Pointer Dereference - (395) |
| Weakness Base Use of Obsolete Functions - (477) |
| Weakness Base Use of Out-of-range Pointer Offset - (823) |
| Weakness Base Use of Password Hash Instead of Password for Authentication - (836) |
| Weakness Base Use of Password Hash With Insufficient Computational Effort - (916) |
| Weakness Base Use of Password System for Primary Authentication - (309) |
| Weakness Variant Use of Path Manipulation Function without Maximum-sized Buffer - (785) |
| Weakness Base Use of Pointer Subtraction to Determine Size - (469) |
| Weakness Base Use of Potentially Dangerous Function - (676) |
| Weakness Variant Use of RSA Algorithm without OAEP - (780) |
| Weakness Base Use of Single-factor Authentication - (308) |
| Weakness Variant Use of Singleton Pattern Without Synchronization in a Multithreaded Context - (543) |
| Weakness Variant Use of sizeof() on a Pointer Type - (467) |
| Weakness Variant Use of umask() with chmod-style Argument - (560) |
| Weakness Base Use of Uninitialized Resource - (908) |
| Weakness Variant Use of Uninitialized Variable - (457) |
| Weakness Variant Use of Wrong Operator in String Comparison - (597) |
| Category User Interface Errors - (445) |
| Category User Interface Security Issues - (355) |
| Weakness Variant Using Referer Field for Authentication - (293) |
| Weakness Base Variable Extraction Error - (621) |
| Weakness Class Violation of Secure Design Principles - (657) |
| Weakness Variant Weak Cryptography for Passwords - (261) |
| Weakness Base Weak Password Recovery Mechanism for Forgotten Password - (640) |
| Weakness Base Weak Password Requirements - (521) |
| View Weaknesses in OWASP Top Ten (2007) - (629) |
| View Weaknesses Introduced During Design - (701) |
| View Weaknesses Introduced During Implementation - (702) |
| Category Web Problems - (442) |
| Weakness Variant Windows Hard Link - (65) |
| Category Windows Path Link Problems - (63) |
| Weakness Variant Windows Shortcut Following (.LNK) - (64) |
| Category Windows Virtual File Problems - (68) |
| Weakness Base Wrap-around Error - (128) |
| Weakness Base Write-what-where Condition - (123) |
| Weakness Base XML Injection (aka Blind XPath Injection) - (91) |
