CWE weaknesses
970 MITRE CWE entries indexed: software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 601–644 of 644 in Other · page 13 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-791 | Incomplete Filtering of Special Elements | The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. |
| CWE-792 | Incomplete Filtering of One or More Instances of Special Elements | The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstrea… |
| CWE-793 | Only Filtering One Instance of a Special Element | The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component. Inc… |
| CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements | The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. |
| CWE-795 | Only Filtering Special Elements at a Specified Location | The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special element… |
| CWE-796 | Only Filtering Special Elements Relative to a Marker | The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a s… |
| CWE-797 | Only Filtering Special Elements at an Absolute Position | The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing r… |
| CWE-799 | Improper Control of Interaction Frequency | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. This can allow… |
| CWE-804 | Guessable CAPTCHA | The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that b… |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as we… |
| CWE-82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute. Attackers… |
| CWE-827 | Improper Control of Document Type Definition | The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary… |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, oner… |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially gra… |
| CWE-831 | Signal Handler Function Associated with Multiple Signals | The product defines a function that is used as a handler for more than one signal. |
| CWE-833 | Deadlock | The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. |
| CWE-834 | Excessive Iteration | The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. If the iteration can be influenced by a… |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| CWE-837 | Improper Enforcement of a Single, Unique Action | The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improp… |
| CWE-838 | Inappropriate Encoding for Output Context | The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is … |
| CWE-839 | Numeric Range Comparison Without Minimum Check | The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the min… |
| CWE-84 | Improper Neutralization of Encoded URI Schemes in a Web Page | The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behav… |
| CWE-842 | Placement of User into Incorrect Group | The product or the administrator places a user into an incorrect group. If the incorrect group has more access or privileges than the intended group, the user… |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.… |
| CWE-910 | Use of Expired File Descriptor | The product uses or accesses a file descriptor after it has been closed. After a file descriptor for a particular file or device has been released, it can be … |
| CWE-911 | Improper Update of Reference Count | The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. Reference counts can be used when … |
| CWE-912 | Hidden Functionality | The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is o… |
| CWE-914 | Improper Control of Dynamically-Identified Variables | The product does not properly restrict reading from or writing to dynamically-identified variables. Many languages offer powerful features that allow the prog… |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an obj… |
| CWE-92 | DEPRECATED: Improper Sanitization of Custom Special Characters | This entry has been deprecated. It originally came from PLOVER, which sometimes defined "other" and "miscellaneous" categories in order to satisfy exhaustivene… |
| CWE-920 | Improper Restriction of Power Consumption | The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restric… |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is com… |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the messag… |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver | The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source. Certain… |
| CWE-926 | Improper Export of Android Application Components | The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access… |
| CWE-940 | Improper Verification of Source of a Communication Channel | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the req… |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel | The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that ac… |
| CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includ… |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes s… |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include… |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "incl… |
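The filtering rows above (CWE-791 through CWE-797) describe one mistake at different granularities: the filter removes some, but not every, instance of a special element. The Python below is an added example, not code from this page or from the CWE project. It puts four deliberately weak denylist filters beside context-appropriate output encoding (the fix CWE-838 points at) and runs constructed payloads through each, so the bypass that defeats each filter can be matched to its CWE row. The payload strings and filter names are constructed for illustration.

```python
import html
import re

# Constructed payloads (not from the page). Each targets one incomplete-filtering pattern.
PAYLOADS = {
    "double_tag":   "<script><script>alert(1)</script>",  # CWE-793: only the first instance is removed
    "split_tag":    "<scr<script>ipt>alert(1)",           # CWE-794: one non-recursive pass reassembles the tag
    "not_at_start": "x<script>alert(1)",                  # CWE-795/796/797: filter only looks at a fixed position
    "case_variant": "<SCRIPT>alert(1)",                   # denylist miss that survives even recursive stripping
}

SPECIAL = "<script>"


def filter_first_only(s: str) -> str:
    """CWE-793: strips a single instance of the special element."""
    return s.replace(SPECIAL, "", 1)


def filter_single_pass(s: str) -> str:
    """CWE-794: strips every literal instance, but in one pass, so a removal can create a new instance."""
    return s.replace(SPECIAL, "")


def filter_at_start(s: str) -> str:
    """CWE-796/797: only handles the element when it sits at an absolute position (the start)."""
    return s[len(SPECIAL):] if s.startswith(SPECIAL) else s


def filter_until_stable(s: str) -> str:
    """Iterate to a fixed point. Closes the reassembly hole but is still a denylist."""
    while True:
        stripped = s.replace(SPECIAL, "")
        if stripped == s:
            return s
        s = stripped


def encode_for_html_text(s: str) -> str:
    """Context-appropriate output encoding: no input character is interpreted as markup."""
    return html.escape(s, quote=True)


FILTERS = {
    "first_only": filter_first_only,
    "single_pass": filter_single_pass,
    "at_start": filter_at_start,
    "until_stable": filter_until_stable,
    "html_encode": encode_for_html_text,
}


def still_has_script_tag(s: str) -> bool:
    """Detector used to judge a filter's output (case-insensitive, tag-start only)."""
    return re.search(r"<script\b", s, re.IGNORECASE) is not None


def bypass_matrix() -> dict:
    """Map filter name -> payload name -> True when the script tag survived the filter."""
    return {
        fname: {pname: still_has_script_tag(f(p)) for pname, p in PAYLOADS.items()}
        for fname, f in FILTERS.items()
    }


if __name__ == "__main__":
    for fname, results in bypass_matrix().items():
        survived = [p for p, hit in results.items() if hit]
        print(f"{fname:12s} bypassed by: {survived or 'none'}")
```

Reading the matrix: `first_only` is beaten by a second tag (CWE-793), `single_pass` by a tag that reassembles after the inner one is cut out (CWE-794), `at_start` by anything not at byte 0 (CWE-795 to CWE-797), and even `until_stable` falls to a case variant because a denylist only ever matches the spellings it knows. Only the encoder survives every payload, which is why output encoding for the target context, not input stripping, is the standard fix for this family.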