CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Authored by Adam Lundqvist.
Showing 501–550 of 644 in Other · page 11 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-599 | Missing Validation of OpenSSL Certificate | The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all neces… |
| CWE-600 | Uncaught Exception in Servlet | The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response th… |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on prote… |
| CWE-605 | Multiple Binds to the Same Port | When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. On most systems, a combination of setting th… |
| CWE-606 | Unchecked Input for Loop Condition | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of exces… |
| CWE-607 | Public Static Final Field References Mutable Object | A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another pac… |
| CWE-608 | Struts: Non-private Field in ActionForm Class | An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. |
| CWE-609 | Double-Checked Locking | The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. Double-checked… |
| CWE-61 | UNIX Symbolic Link (Symlink) Following | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the inte… |
| CWE-611 | Improper Restriction of XML External Entity Reference | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the … |
| CWE-616 | Incomplete Identification of Uploaded File Variables (PHP) | The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varna… |
| CWE-617 | Reachable Assertion | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more s… |
| CWE-618 | Exposed Unsafe ActiveX Method | An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model… |
| CWE-62 | UNIX Hard Link | The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of th… |
| CWE-621 | Variable Extraction Error | The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified vari… |
| CWE-622 | Improper Validation of Function Hook Arguments | The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities. Such h… |
| CWE-623 | Unsafe ActiveX Control Marked Safe For Scripting | An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting. This might allow attackers to use dangerous functionality via… |
| CWE-624 | Executable Regular Expression Error | The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by… |
| CWE-625 | Permissive Regular Expression | The product uses a regular expression that does not sufficiently restrict the set of allowed values. |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte) | The product does not properly handle null bytes or NUL characters when passing data between different representations or components. |
| CWE-627 | Dynamic Variable Evaluation | In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitr… |
| CWE-628 | Function Call with Incorrectly Specified Arguments | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknes… |
| CWE-636 | Not Failing Securely ('Failing Open') | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are avail… |
| CWE-637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') | The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, con… |
| CWE-638 | Not Using Complete Mediation | The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity… |
| CWE-64 | Windows Shortcut Following (.LNK) | The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended … |
| CWE-642 | External Control of Critical State Data | The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors. |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw… |
| CWE-645 | Overly Restrictive Account Lockout Mechanism | The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to d… |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by… |
| CWE-65 | Windows Hard Link | The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the int… |
| CWE-653 | Improper Isolation or Compartmentalization | The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permission… |
| CWE-654 | Reliance on a Single Factor in a Security Decision | A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order… |
| CWE-655 | Insufficient Psychological Acceptability | The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whethe… |
| CWE-656 | Reliance on Security Through Obscurity | The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to def… |
| CWE-657 | Violation of Secure Design Principles | The product violates well-established principles for secure design. This can introduce resultant weaknesses or make it easier for developers to introduce rela… |
| CWE-663 | Use of a Non-reentrant Function in a Concurrent Context | The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity t… |
| CWE-665 | Improper Initialization | The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This… |
| CWE-667 | Improper Locking | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
| CWE-67 | Improper Handling of Windows Device Names | The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON.… |
| CWE-670 | Always-Incorrect Control Flow Implementation | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this p… |
| CWE-671 | Lack of Administrator Control over Security | The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the … |
| CWE-673 | External Influence of Sphere Definition | The product does not prevent the definition of control spheres from external actors. Typically, a product defines its control sphere within the code itself, o… |
| CWE-674 | Uncontrolled Recursion | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
| CWE-676 | Use of Potentially Dangerous Function | The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. |
| CWE-681 | Incorrect Conversion between Numeric Types | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resu… |
| CWE-682 | Incorrect Calculation | The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. W… |
| CWE-683 | Function Call With Incorrect Order of Arguments | The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. While this… |
| CWE-684 | Incorrect Provision of Specified Functionality | The code does not function according to its published specifications, potentially leading to incorrect usage. When providing functionality to an external part… |
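The one-line summaries above say what each weakness is but not what it looks like in code. As an added example that is not part of the CWE index or MITRE's own material, the block below illustrates CWE-601 (open redirect) from the table: a redirect handler that passes a client-supplied `next` parameter straight through, beside a hardened version that only accepts a rooted, same-site relative path. The function names, the `SITE_ORIGIN` value and the attacker inputs are all constructed for the example.

```python
"""CWE-601 'URL Redirection to Untrusted Site' (Open Redirect).

Added example, not code from the CWE index above. It shows the weak pattern
(client-supplied 'next' parameter copied into the Location header) next to
a hardened target check, and resolves each candidate the way a browser would.
All names and inputs here are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://app.example"  # assumed origin of the application


def redirect_target_vulnerable(next_param: str) -> str:
    """CWE-601: whatever the client sent becomes the redirect target."""
    return next_param or "/"


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Accept only a rooted path on this site; fall back to `default` otherwise.

    Checks are done on the raw string first, because browsers treat inputs
    such as '/\\evil.com' or '///evil.com' as cross-site even though Python's
    URL parser reports them as a local path.
    """
    if not next_param:
        return default
    # Backslashes are normalised to '/' by browsers; control characters and
    # whitespace are stripped by some parsers. Reject them outright.
    if any(ch in next_param for ch in "\\\r\n\t") or not next_param.isprintable():
        return default
    # Must be rooted ('/...') but not protocol-relative ('//host' or '///host').
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    parts = urlsplit(next_param)
    # Anything with a scheme ('https:evil.com', 'javascript:...') or an
    # authority component is an absolute URL and is refused.
    if parts.scheme or parts.netloc:
        return default
    return next_param


def resolve_location(origin: str, location: str) -> str:
    """Where a Location header value lands when resolved against `origin`.

    urljoin follows RFC 3986, not the browser's more lenient WHATWG parsing,
    so it does not model the backslash cases; that is why the hardened
    function rejects those on the raw string instead of relying on parsing.
    """
    return urljoin(origin + "/", location)


# Constructed attacker-controlled values for the `next` parameter.
SAMPLE_NEXT_VALUES = [
    "/account/settings?tab=security",  # legitimate same-site path
    "//evil.com/phish",                # protocol-relative bypass
    "///evil.com",                     # extra-slash variant
    "https://evil.com/phish",          # absolute URL
    "https:evil.com",                  # scheme without '//'
    "/\\evil.com",                     # backslash, browser reads as host
    "javascript:alert(1)",             # pseudo-scheme
]


def compare_handlers(values=SAMPLE_NEXT_VALUES) -> dict:
    """Return {input: (vulnerable_destination, hardened_destination)}."""
    result = {}
    for value in values:
        weak = resolve_location(SITE_ORIGIN, redirect_target_vulnerable(value))
        safe = resolve_location(SITE_ORIGIN, redirect_target_safe(value))
        result[value] = (weak, safe)
    return result


if __name__ == "__main__":
    for value, (weak, safe) in compare_handlers().items():
        print(f"{value!r:40} vulnerable -> {weak:32} hardened -> {safe}")
```

The hardened check is deliberately an allow-list (a rooted path on this origin) rather than a block-list of known bypass strings; if the application genuinely needs to redirect to other hosts, compare the parsed hostname against an explicit list of permitted hosts instead of widening the check.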