970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
28 in Injection · 970 total
| ID | Title | Summary |
|---|---|---|
| CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses | The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does … |
| CWE-1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) | The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypass… |
| CWE-1334 | Unauthorized Error Injection Can Degrade Hardware Redundancy | An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have or… |
| CWE-502 | Deserialization of Untrusted Data | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-564 | SQL Injection: Hibernate | Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbit… |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can … |
| CWE-619 | Dangling Database Cursor ('Cursor Injection') | If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, … |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrec… |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorre… |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutra… |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | The product does not adequately filter user-controlled input for special elements with control implications. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutral… |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neu… |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that … |
| CWE-85 | Doubled Character XSS Manipulations | The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters. |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended a… |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly ne… |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neu… |
| CWE-91 | XML Injection (aka Blind XPath Injection) | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before… |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input f… |
| CWE-918 | Server-Side Request Forgery (SSRF) | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that th… |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutraliz… |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly ne… |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic ev… |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an exe… |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a res… |