CWE VIEW: Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability. Show Details:
1350 - Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.XSSHTML InjectionCSS ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 787 (Out-of-bounds Write) The product writes data past the end, or before the beginning, of the intended buffer.Memory Corruption ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 20 (Improper Input Validation) The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 125 (Out-of-bounds Read) The product reads data past the end, or before the beginning, of the intended buffer. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Buffer Overflowbuffer overrunmemory safety ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 200 (Exposure of Sensitive Information to an Unauthorized Actor) The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Information DisclosureInformation Leak ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 416 (Use After Free) Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Dangling pointerUse-After-Free ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 352 (Cross-Site Request Forgery (CSRF)) The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Session RidingCross Site Reference ForgeryXSRF ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Shell injectionShell metacharacters ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 190 (Integer Overflow or Wraparound) The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Directory traversalPath traversal ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 476 (NULL Pointer Dereference) A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.NPDnull derefnil pointer dereference ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 287 (Improper Authentication) When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.authentificationAuthNAuthC ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 434 (Unrestricted Upload of File with Dangerous Type) The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Unrestricted File Upload ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 732 (Incorrect Permission Assignment for Critical Resource) The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 94 (Improper Control of Generation of Code ('Code Injection')) The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 522 (Insufficiently Protected Credentials) The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 611 (Improper Restriction of XML External Entity Reference) The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.XXE ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 798 (Use of Hard-coded Credentials) The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 502 (Deserialization of Untrusted Data) The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Marshaling, UnmarshalingPickling, UnpicklingPHP Object Injection ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 269 (Improper Privilege Management) The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 400 (Uncontrolled Resource Consumption) The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Resource Exhaustion ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 306 (Missing Authentication for Critical Function) The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. ![]() ![]() 1350 (Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses) > 862 (Missing Authorization) The product does not perform an authorization check when an actor attempts to access a resource or perform an action.AuthZ
More information is available — Please edit the custom filter or select a different filter. |
Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2023, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. |