CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 401–450 of 644 in Other · page 9 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-44 | Path Equivalence: 'file.name' (Internal Dot) | The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow… |
| CWE-440 | Expected Behavior Violation | A feature, API, or function does not perform according to its specification. |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the req… |
| CWE-443 | DEPRECATED: HTTP response splitting | This weakness can be found at CWE-113. |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and serve… |
| CWE-446 | UI Discrepancy for Security Feature | The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feat… |
| CWE-447 | Unimplemented or Unsupported Feature in UI | A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionalit… |
| CWE-448 | Obsolete Feature in UI | A UI function is obsolete and the product does not warn the user. |
| CWE-449 | The UI Performs the Wrong Action | The UI performs the wrong action with respect to the user's request. |
| CWE-45 | Path Equivalence: 'file...name' (Multiple Internal Dot) | The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution … |
| CWE-450 | Multiple Interpretations of UI Input | The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. Thi… |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. A product system should be reluctant… |
| CWE-455 | Non-exit on Failed Initialization | The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a … |
| CWE-456 | Missing Initialization of a Variable | The product does not initialize critical variables, which causes the execution environment to use unexpected values. |
| CWE-457 | Use of Uninitialized Variable | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables a… |
| CWE-458 | DEPRECATED: Incorrect Initialization | This weakness has been deprecated because its name and description did not match. The description duplicated CWE-454, while the name suggested a more abstract … |
| CWE-459 | Incomplete Cleanup | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| CWE-46 | Path Equivalence: 'filename ' (Trailing Space) | The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow… |
| CWE-460 | Improper Cleanup on Thrown Exception | The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, wh… |
| CWE-462 | Duplicate Key in Associative List (Alist) | Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. A duplicate key entry -- if the alist is designed properly -- cou… |
| CWE-463 | Deletion of Data Structure Sentinel | The accidental deletion of a data-structure sentinel can cause serious programming logic problems. Often times data-structure sentinels are used to mark struc… |
| CWE-464 | Addition of Data Structure Sentinel | The accidental addition of a data-structure sentinel can cause serious programming logic problems. Data-structure sentinels are often used to mark the structu… |
| CWE-47 | Path Equivalence: ' filename' (Leading Space) | The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution and allow … |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper … |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | The product does not properly protect an assumed-immutable element from being modified by an attacker. This occurs when a particular input is critical enough … |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. |
| CWE-473 | PHP External Variable Modification | A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose t… |
| CWE-474 | Use of Function with Inconsistent Implementations | The code uses a function that has inconsistent implementations across operating systems and versions. |
| CWE-475 | Undefined Behavior for Input to API | The behavior of this function is undefined unless its control parameter is set to a specific value. |
| CWE-477 | Use of Obsolete Function | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
| CWE-479 | Signal Handler Use of a Non-reentrant Function | The product defines a signal handler that calls a non-reentrant function. |
| CWE-48 | Path Equivalence: 'file name' (Internal Whitespace) | The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution an… |
| CWE-480 | Use of Incorrect Operator | The product accidentally uses the wrong operator, which changes the logic in security-relevant ways. These types of errors are generally the result of a typo … |
| CWE-481 | Assigning instead of Comparing | The code uses an operator for assignment when the intention was to perform a comparison. In many languages the compare statement is very close in appearance t… |
| CWE-482 | Comparing instead of Assigning | The code uses an operator for comparison when the intention was to perform an assignment. In many languages, the compare statement is very close in appearance… |
| CWE-483 | Incorrect Block Delimitation | The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. In some languages, braces (or other del… |
| CWE-484 | Omitted Break Statement in Switch | The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems … |
| CWE-486 | Comparison of Classes by Name | The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. If the decision to trust the met… |
| CWE-487 | Reliance on Package-level Scope | Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. The purpose of package scope is to prevent accid… |
| CWE-49 | Path Equivalence: 'filename/' (Trailing Slash) | The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow… |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to… |
| CWE-493 | Critical Public Variable Without Final Modifier | The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. If a field is non-final a… |
| CWE-494 | Download of Code Without Integrity Check | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the … |
| CWE-495 | Private Data Structure Returned From A Public Method | The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. |
| CWE-496 | Public Data Assigned to Private Array-Typed Field | Assigning public data to a private array is equivalent to giving public access to the array. |
| CWE-50 | Path Equivalence: '//multiple/leading/slash' | The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous p… |
| CWE-500 | Public Static Field Not Marked Final | An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. Public static variables can be read… |
| CWE-501 | Trust Boundary Violation | The product mixes trusted and untrusted data in the same data structure or structured message. A trust boundary can be thought of as line drawn through a prog… |
| CWE-506 | Embedded Malicious Code | The product contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, an… |