970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 901–950 of 970 · page 19 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that b… |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as we… |
| CWE-82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute. Attackers… |
| CWE-820 | Missing Synchronization | The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. If access to a shared resource is no… |
| CWE-821 | Incorrect Synchronization | The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource. If access to a shared resource is… |
| CWE-822 | Untrusted Pointer Dereference | The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer. |
| CWE-823 | Use of Out-of-range Pointer Offset | The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for th… |
| CWE-824 | Access of Uninitialized Pointer | The product accesses or uses a pointer that has not been initialized. |
| CWE-825 | Expired Pointer Dereference | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. When a product releases memory, but … |
| CWE-826 | Premature Release of Resource During Expected Lifetime | The product releases a resource that is still intended to be used by itself or another actor. |
| CWE-827 | Improper Control of Document Type Definition | The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary… |
| CWE-828 | Signal Handler with Functionality that is not Asynchronous-Safe | The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interr… |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, oner… |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially gra… |
| CWE-831 | Signal Handler Function Associated with Multiple Signals | The product defines a function that is used as a handler for more than one signal. |
| CWE-832 | Unlock of a Resource that is not Locked | The product attempts to unlock a resource that is not locked. Depending on the locking functionality, an unlock of a non-locked resource might cause memory co… |
| CWE-833 | Deadlock | The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. |
| CWE-834 | Excessive Iteration | The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. If the iteration can be influenced by a… |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the … |
| CWE-837 | Improper Enforcement of a Single, Unique Action | The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improp… |
| CWE-838 | Inappropriate Encoding for Output Context | The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is … |
| CWE-839 | Numeric Range Comparison Without Minimum Check | The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the min… |
| CWE-84 | Improper Neutralization of Encoded URI Schemes in a Web Page | The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behav… |
| CWE-842 | Placement of User into Incorrect Group | The product or the administrator places a user into an incorrect group. If the incorrect group has more access or privileges than the intended group, the user… |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is… |
| CWE-85 | Doubled Character XSS Manipulations | The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters. |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.… |
| CWE-862 | Missing Authorization | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-863 | Incorrect Authorization | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended a… |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly ne… |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product. If the EJB deployment de… |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neu… |
| CWE-908 | Use of Uninitialized Resource | The product uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the product may behave unexpectedly.… |
| CWE-909 | Missing Initialization of Resource | The product does not initialize a critical resource. Many resources require initialization before they can be properly used. If a resource is not initialized,… |
| CWE-91 | XML Injection (aka Blind XPath Injection) | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before… |
| CWE-910 | Use of Expired File Descriptor | The product uses or accesses a file descriptor after it has been closed. After a file descriptor for a particular file or device has been released, it can be … |
| CWE-911 | Improper Update of Reference Count | The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. Reference counts can be used when … |
| CWE-912 | Hidden Functionality | The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is o… |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions… |
| CWE-914 | Improper Control of Dynamically-Identified Variables | The product does not properly restrict reading from or writing to dynamically-identified variables. Many languages offer powerful features that allow the prog… |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an obj… |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cra… |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input f… |
| CWE-918 | Server-Side Request Forgery (SSRF) | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that th… |
| CWE-92 | DEPRECATED: Improper Sanitization of Custom Special Characters | This entry has been deprecated. It originally came from PLOVER, which sometimes defined "other" and "miscellaneous" categories in order to satisfy exhaustivene… |