CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing entries 551–600 of 644 in the "Other" category · page 12 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-685 | Function Call With Incorrect Number of Arguments | The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior an… |
| CWE-686 | Function Call With Incorrect Argument Type | The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. … |
| CWE-687 | Function Call With Incorrectly Specified Argument Value | The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. |
| CWE-688 | Function Call With Incorrect Variable or Reference as Argument | The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefi… |
| CWE-69 | Improper Handling of Windows ::DATA Alternate Data Stream | The product does not properly prevent access to, or detect usage of, alternate data streams (ADS). An attacker can use an ADS to hide information about a file… |
| CWE-691 | Insufficient Control Flow Management | The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting | The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. While … |
| CWE-693 | Protection Mechanism Failure | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. This weakne… |
| CWE-695 | Use of Low-Level Functionality | The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate. The u… |
| CWE-696 | Incorrect Behavior Order | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses. |
| CWE-697 | Incorrect Comparison | The product compares two entities in a security-relevant context, but the comparison is incorrect. |
| CWE-698 | Execution After Redirect (EAR) | The web application sends a redirect to another location, but instead of exiting, it executes additional code. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
| CWE-704 | Incorrect Type Conversion or Cast | The product does not correctly convert an object, resource, or structure from one type to a different type. |
| CWE-705 | Incorrect Control Flow Scoping | The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
| CWE-707 | Improper Neutralization | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being r… |
| CWE-708 | Incorrect Ownership Assignment | The product assigns an owner to a resource, but the owner is outside of the intended control sphere. This may allow the resource to be manipulated by actors o… |
| CWE-71 | DEPRECATED: Apple '.DS_Store' | This entry has been deprecated as it represents a specific observed example of a UNIX Hard Link weakness type rather than its own individual weakness type. Ple… |
| CWE-710 | Improper Adherence to Coding Standards | The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabili… |
| CWE-72 | Improper Handling of Apple HFS+ Alternate Data Stream Path | The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system. If the product chooses actio… |
| CWE-73 | External Control of File Name or Path | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code | The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or m… |
| CWE-749 | Exposed Dangerous Method or Function | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a danger… |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of… |
| CWE-755 | Improper Handling of Exceptional Conditions | The product does not handle or incorrectly handles an exceptional condition. |
| CWE-756 | Missing Custom Error Page | The product does not return custom error pages to the user, possibly exposing sensitive information. |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protecti… |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. T… |
| CWE-759 | Use of a One-Way Hash without a Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as p… |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. The product may have a fixed list of sp… |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as pa… |
| CWE-766 | Critical Data Element Declared Public | The product declares a critical variable, field, or member to be public when intended security policy requires it to be private. |
| CWE-767 | Access to Critical Private Variable via Public Method | The product defines a public method that reads or modifies a private variable. If an attacker modifies the variable to contain unexpected values, this could v… |
| CWE-768 | Incorrect Short Circuit Evaluation | The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may l… |
| CWE-769 | DEPRECATED: Uncontrolled File Descriptor Consumption | This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. |
| CWE-773 | Missing Reference to Active File Descriptor or Handle | The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed. This can ca… |
| CWE-774 | Allocation of File Descriptors or Handles Without Limits or Throttling | The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violatio… |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. W… |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of r… |
| CWE-777 | Regular Expression without Anchors | The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip t… |
| CWE-778 | Insufficient Logging | When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. |
| CWE-779 | Logging of Excessive Data | The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. While lo… |
| CWE-780 | Use of RSA Algorithm without OAEP | The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. Padding schemes a… |
| CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. When an IOCT… |
| CWE-782 | Exposed IOCTL with Insufficient Access Control | The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. |
| CWE-783 | Operator Precedence Logic Error | The product uses an expression in which operator precedence causes incorrect logic to be used. While often just a bug, operator precedence logic errors can ha… |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the as… |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to o… |
| CWE-790 | Improper Filtering of Special Elements | The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. |
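CWE-777 (Regular Expression without Anchors) is easy to misread as "just add `^` and `$`". The following Python example, added by the editor and not taken from the page or from MITRE's CWE content, shows three versions of the same username allow-list check over constructed inputs: an unanchored `re.search`, a `^...$` pattern with `re.match` (which still admits a trailing newline, because Python's `$` matches before a final newline), and `re.fullmatch`. The pattern and sample strings are assumptions chosen for illustration.

```python
import re

# Constructed sample inputs for a username allow-list check (not from the page).
SAMPLES = [
    "alice",           # legitimate
    "../etc/passwd",   # traversal attempt; contains a matching substring "etc"
    "bob\n",           # trailing newline; '$' matches just before it
    "eve; rm -rf /",   # shell metacharacters after a valid prefix
]

# Assumed allow-list: lowercase letter followed by up to 31 [a-z0-9_] chars.
PATTERN = r"[a-z][a-z0-9_]{0,31}"


def is_valid_unanchored(name: str) -> bool:
    # CWE-777: re.search accepts any string that merely *contains* a match.
    return re.search(PATTERN, name) is not None


def is_valid_dollar_anchored(name: str) -> bool:
    # Anchored with ^ and $, but Python's '$' also matches immediately before
    # a trailing newline, so "bob\n" still passes.
    return re.match("^" + PATTERN + "$", name) is not None


def is_valid_fullmatch(name: str) -> bool:
    # Hardened: the entire input must match; no substring or newline slack.
    return re.fullmatch(PATTERN, name) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample to its (unanchored, $-anchored, fullmatch) verdicts."""
    return {
        s: (is_valid_unanchored(s), is_valid_dollar_anchored(s), is_valid_fullmatch(s))
        for s in samples
    }


if __name__ == "__main__":
    for sample, verdicts in evaluate().items():
        print(repr(sample), verdicts)
```

In engines without `fullmatch`, `\A...\z` (or `\Z` in Python, which does not have the newline exception that `$` has) gives the same guarantee; the general rule is that a neutralization regex must be forced to consume the whole input.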
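CWE-783 (Operator Precedence Logic Error) and CWE-768 (Incorrect Short Circuit Evaluation) both come from the shape of a conditional rather than from any single function. This editor-added Python example (not code from the page) shows an authorization predicate whose `and`/`or` mix silently exempts administrators from MFA, and an `or` chain whose side effect, an audit-log write, is skipped whenever the left operand is already true. The policy, roles and allow-list are assumed for illustration.

```python
from typing import List, Tuple

# Assumed policy: only admins or auditors may export, and only with MFA.


def may_export_buggy(role: str, mfa_ok: bool) -> bool:
    # CWE-783: 'and' binds tighter than 'or', so this parses as
    #   role == "admin" or (role == "auditor" and mfa_ok)
    # and an admin is allowed to export without MFA.
    return role == "admin" or role == "auditor" and mfa_ok


def may_export_fixed(role: str, mfa_ok: bool) -> bool:
    # Parenthesize (or restructure) so the MFA requirement applies to both roles.
    return (role in ("admin", "auditor")) and mfa_ok


class Gate:
    """Toy access gate whose secondary check must always be audited."""

    ALLOWLIST = ("alice", "bob")  # assumed

    def __init__(self) -> None:
        self.audit_log: List[str] = []

    def record_and_check(self, who: str) -> bool:
        # Side effect the policy relies on: every decision leaves an audit entry.
        self.audit_log.append(who)
        return who in self.ALLOWLIST

    def check_buggy(self, who: str, already_allowed: bool) -> bool:
        # CWE-768: when already_allowed is True, 'or' short-circuits and
        # record_and_check() never runs, so no audit entry is written.
        return already_allowed or self.record_and_check(who)

    def check_fixed(self, who: str, already_allowed: bool) -> bool:
        # Evaluate the side-effecting call unconditionally, then combine.
        allowlisted = self.record_and_check(who)
        return already_allowed or allowlisted


def demo_short_circuit() -> Tuple[int, int]:
    """Return audit-log sizes after two pre-approved requests through each gate."""
    buggy, fixed = Gate(), Gate()
    for who in ("alice", "mallory"):
        buggy.check_buggy(who, already_allowed=True)
        fixed.check_fixed(who, already_allowed=True)
    return len(buggy.audit_log), len(fixed.audit_log)


if __name__ == "__main__":
    print("admin without MFA, buggy:", may_export_buggy("admin", False))
    print("admin without MFA, fixed:", may_export_fixed("admin", False))
    print("audit entries (buggy, fixed):", demo_short_circuit())
```

Both bugs survive unit tests that only exercise the "happy" path, which is why linters flag mixed `and`/`or` without parentheses and why side effects belong outside boolean expressions.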
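CWE-759 (Use of a One-Way Hash without a Salt) and CWE-760 (Use of a One-Way Hash with a Predictable Salt) are best seen from the attacker's side. This Python example was added by the editor and is not from the page: it stores a constructed user table with an unsalted SHA-256, cracks every record with a single precomputed dictionary, shows that two users with the same password become visible as identical digests, then contrasts a per-record random salt with PBKDF2-HMAC and a constant-time verify. The user table and password list are constructed; the iteration count in `demo()` is lowered only so the example runs quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed user table: two users chose the same weak password.
USERS = {"alice": "Summer2024", "bob": "Summer2024", "carol": "hunter2"}

# Constructed dictionary an attacker hashes once, offline.
COMMON_PASSWORDS = ["password", "123456", "Summer2024", "hunter2", "letmein"]

DEFAULT_ITERATIONS = 600_000  # assumed production setting for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    # CWE-759: identical passwords give identical digests for every user,
    # and one precomputed table cracks all of them.
    return hashlib.sha256(password.encode()).hexdigest()


def predictable_salt_hash(username: str, password: str) -> str:
    # CWE-760: the username is a salt the attacker already knows; it only
    # forces a per-target table, and the same user:password pair collides
    # across every system that uses this scheme.
    return hashlib.sha256((username + password).encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    # Hardened: 16 random bytes per record, a slow KDF, salt stored beside
    # the digest. argon2id or scrypt are preferable where available.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = DEFAULT_ITERATIONS) -> bool:
    _, candidate = salted_hash(password, salt, iterations)
    # Constant-time comparison; '==' on digests is a CWE-697-style mistake.
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(stored: Dict[str, str]) -> Dict[str, str]:
    # Build the table once, then one dict lookup per stored record.
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def demo() -> Tuple[bool, Dict[str, str], bool, bool]:
    stored = {u: unsalted_hash(p) for u, p in USERS.items()}
    reuse_visible = stored["alice"] == stored["bob"]   # password reuse leaks
    cracked = crack_unsalted(stored)                    # every record recovered
    iters = 10_000  # reduced from DEFAULT_ITERATIONS so the demo is fast
    s1, d1 = salted_hash("Summer2024", iterations=iters)
    s2, d2 = salted_hash("Summer2024", iterations=iters)
    return reuse_visible, cracked, d1 != d2, verify_salted("Summer2024", s1, d1, iters)


if __name__ == "__main__":
    print(demo())
```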
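CWE-784 (Reliance on Cookies without Validation and Integrity Checking in a Security Decision) and CWE-697 (Incorrect Comparison) meet in session handling. The Python example below was added by the editor and is not from the page: it first reads `role=admin` straight out of a cookie header, then replaces that with an HMAC-SHA256-signed session value, verifies the tag with `hmac.compare_digest` before trusting the payload, and shows that editing the role inside a signed value no longer works. The server key, cookie layout (`base64(user:role).hex(tag)`) and the minimal cookie parser are assumptions for illustration; production code should use `http.cookies` and a key from a secret store.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumption: in production this comes from a secret store and is rotated.
SERVER_KEY = b"constructed-example-key-not-for-production"


def parse_cookie(header: str) -> Dict[str, str]:
    # Minimal Cookie-header parser for the example; splits on the first '='.
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def is_admin_unverified(cookie_header: str) -> bool:
    # CWE-784: the security decision trusts a client-controlled value.
    return parse_cookie(cookie_header).get("role") == "admin"


def sign_session(user: str, role: str) -> str:
    payload = base64.urlsafe_b64encode(f"{user}:{role}".encode()).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(value: str) -> Optional[Tuple[str, str]]:
    try:
        payload, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # CWE-697: '==' on a MAC leaks timing and is not the right comparison;
    # compare_digest is constant-time and length-safe.
    if not hmac.compare_digest(expected, tag):
        return None
    # Only decode the payload after the tag has been verified.
    user, role = base64.urlsafe_b64decode(payload.encode()).decode().split(":", 1)
    return user, role


def is_admin_verified(cookie_header: str) -> bool:
    parsed = verify_session(parse_cookie(cookie_header).get("session", ""))
    return parsed is not None and parsed[1] == "admin"


def forge_role(signed: str, new_role: str) -> str:
    # What an attacker can do with a signed value: rewrite the payload and
    # keep the old tag. The tag no longer matches, so verification fails.
    payload, tag = signed.rsplit(".", 1)
    user, _ = base64.urlsafe_b64decode(payload.encode()).decode().split(":", 1)
    new_payload = base64.urlsafe_b64encode(f"{user}:{new_role}".encode()).decode()
    return f"{new_payload}.{tag}"


if __name__ == "__main__":
    print("unsigned:", is_admin_unverified("user=alice; role=admin"))
    signed = sign_session("alice", "user")
    print("signed, genuine:", is_admin_verified("session=" + signed))
    print("signed, forged:", is_admin_verified("session=" + forge_role(signed, "admin")))
```

Signing gives integrity, not confidentiality: the payload is still readable by the client, so anything secret belongs server-side, keyed by an opaque session identifier.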