970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 851–900 of 970 · page 18 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-759 | Use of a One-Way Hash without a Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as p… |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. The product may have a fixed list of sp… |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as pa… |
| CWE-761 | Free of Pointer not at Start of Buffer | The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer. |
| CWE-762 | Mismatched Memory Management Routines | The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally us… |
| CWE-763 | Release of Invalid Pointer or Reference | The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly. |
| CWE-764 | Multiple Locks of a Critical Resource | The product locks a critical resource more times than intended, leading to an unexpected state in the system. When a product is operating in a concurrent envi… |
| CWE-765 | Multiple Unlocks of a Critical Resource | The product unlocks a critical resource more times than intended, leading to an unexpected state in the system. When the product is operating in a concurrent … |
| CWE-766 | Critical Data Element Declared Public | The product declares a critical variable, field, or member to be public when intended security policy requires it to be private. |
| CWE-767 | Access to Critical Private Variable via Public Method | The product defines a public method that reads or modifies a private variable. If an attacker modifies the variable to contain unexpected values, this could v… |
| CWE-768 | Incorrect Short Circuit Evaluation | The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may l… |
| CWE-769 | DEPRECATED: Uncontrolled File Descriptor Consumption | This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutral… |
| CWE-770 | Allocation of Resources Without Limits or Throttling | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resou… |
| CWE-771 | Missing Reference to Active Allocated Resource | The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. This does not nece… |
| CWE-772 | Missing Release of Resource after Effective Lifetime | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
| CWE-773 | Missing Reference to Active File Descriptor or Handle | The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed. This can ca… |
| CWE-774 | Allocation of File Descriptors or Handles Without Limits or Throttling | The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violatio… |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. W… |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of r… |
| CWE-777 | Regular Expression without Anchors | The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip t… |
| CWE-778 | Insufficient Logging | When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. |
| CWE-779 | Logging of Excessive Data | The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. While lo… |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neu… |
| CWE-780 | Use of RSA Algorithm without OAEP | The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. Padding schemes a… |
| CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. When an IOCT… |
| CWE-782 | Exposed IOCTL with Insufficient Access Control | The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. |
| CWE-783 | Operator Precedence Logic Error | The product uses an expression in which operator precedence causes incorrect logic to be used. While often just a bug, operator precedence logic errors can ha… |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the as… |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer | The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PA… |
| CWE-786 | Access of Memory Location Before Start of Buffer | The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occur… |
| CWE-787 | Out-of-bounds Write | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-788 | Access of Memory Location After End of Buffer | The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer. This typically occurs when a … |
| CWE-789 | Memory Allocation with Excessive Size Value | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amount… |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to o… |
| CWE-790 | Improper Filtering of Special Elements | The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. |
| CWE-791 | Incomplete Filtering of Special Elements | The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. |
| CWE-792 | Incomplete Filtering of One or More Instances of Special Elements | The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstrea… |
| CWE-793 | Only Filtering One Instance of a Special Element | The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component. Inc… |
| CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements | The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. |
| CWE-795 | Only Filtering Special Elements at a Specified Location | The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special element… |
| CWE-796 | Only Filtering Special Elements Relative to a Marker | The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. "at the beginning/end of a s… |
| CWE-797 | Only Filtering Special Elements at an Absolute Position | The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. "byte number 10"), thereby missing r… |
| CWE-798 | Use of Hard-coded Credentials | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-799 | Improper Control of Interaction Frequency | The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. This can allow… |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leverag… |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that … |
| CWE-804 | Guessable CAPTCHA | The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. |
| CWE-805 | Buffer Access with Incorrect Length Value | The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the… |
| CWE-806 | Buffer Access Using Size of Source Buffer | The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the b… |