CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 951–970 of 970 · page 20 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-920 | Improper Restriction of Power Consumption | The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restric… |
| CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control | The product stores sensitive information in a file system or device that does not have built-in access control. |
| CWE-922 | Insecure Storage of Sensitive Information | The product stores sensitive information without properly limiting read or write access by unauthorized actors. If read access is not properly restricted, the… |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is com… |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the messag… |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver | The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source. Certain… |
| CWE-926 | Improper Export of Android Application Components | The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access… |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | The Android application uses an implicit intent for transmitting sensitive data to other applications. |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutraliz… |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms a… |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly ne… |
| CWE-940 | Improper Verification of Source of a Communication Channel | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the req… |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel | The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that ac… |
| CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includ… |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes s… |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic ev… |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an exe… |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include… |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "incl… |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a res… |