| Accessing Functionality Not Properly Constrained by ACLs |
|
CWE-276
|
Incorrect Default Permissions
|
|
CWE-285
|
Improper Authorization
|
|
CWE-434
|
Unrestricted Upload of File with Dangerous Type
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
CWE-1191
|
On-Chip Debug and Test Interface With Improper Access Control
|
|
CWE-1193
|
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
|
|
CWE-1220
|
Insufficient Granularity of Access Control
|
|
CWE-1297
|
Unprotected Confidential Information on Device is Accessible by OSAT Vendors
|
|
CWE-1311
|
Improper Translation of Security Attributes by Fabric Bridge
|
|
CWE-1314
|
Missing Write Protection for Parametric Data Values
|
|
CWE-1315
|
Improper Setting of Bus Controlling Capability in Fabric End-point
|
|
CWE-1318
|
Missing Support for Security Features in On-chip Fabrics or Buses
|
|
CWE-1320
|
Improper Protection for Outbound Error Messages and Alert Signals
|
|
CWE-1321
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
|
CWE-1327
|
Binding to an Unrestricted IP Address
|
|
| Cross Zone Scripting |
|
CWE-20
|
Improper Input Validation
|
|
CWE-116
|
Improper Encoding or Escaping of Output
|
|
CWE-250
|
Execution with Unnecessary Privileges
|
|
CWE-285
|
Improper Authorization
|
|
CWE-638
|
Not Using Complete Mediation
|
|
| Directory Indexing |
|
CWE-276
|
Incorrect Default Permissions
|
|
CWE-285
|
Improper Authorization
|
|
CWE-288
|
Authentication Bypass Using an Alternate Path or Channel
|
|
CWE-424
|
Improper Protection of Alternate Path
|
|
CWE-425
|
Direct Request ('Forced Browsing')
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
| Subverting Environment Variable Values |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-20
|
Improper Input Validation
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-353
|
Missing Support for Integrity Check
|
|
| Using Malicious Files |
|
CWE-59
|
Improper Link Resolution Before File Access ('Link Following')
|
|
CWE-270
|
Privilege Context Switching Error
|
|
CWE-272
|
Least Privilege Violation
|
|
CWE-282
|
Improper Ownership Management
|
|
CWE-285
|
Improper Authorization
|
|
CWE-693
|
Protection Mechanism Failure
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
| Manipulating Opaque Client-based Data Tokens |
|
CWE-233
|
Improper Handling of Parameters
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-315
|
Cleartext Storage of Sensitive Information in a Cookie
|
|
CWE-353
|
Missing Support for Integrity Check
|
|
CWE-384
|
Session Fixation
|
|
CWE-472
|
External Control of Assumed-Immutable Web Parameter
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-565
|
Reliance on Cookies without Validation and Integrity Checking
|
|
| Bypassing ATA Password Security |
|
| Buffer Overflow via Symbolic Links |
|
CWE-20
|
Improper Input Validation
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
|
CWE-119
|
Improper Restriction of Operations within the Bounds of a Memory Buffer
|
|
CWE-120
|
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
|
CWE-697
|
Incorrect Comparison
|
|
| Blue Boxing |
|
| Poison Web Service Registry |
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-693
|
Protection Mechanism Failure
|
|
| Session Credential Falsification through Prediction |
|
CWE-6
|
J2EE Misconfiguration: Insufficient Session-ID Length
|
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-330
|
Use of Insufficiently Random Values
|
|
CWE-331
|
Insufficient Entropy
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-488
|
Exposure of Data Element to Wrong Session
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-693
|
Protection Mechanism Failure
|
|
| Reusing Session IDs (aka Session Replay) |
|
CWE-200
|
Exposure of Sensitive Information to an Unauthorized Actor
|
|
CWE-285
|
Improper Authorization
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
|
CWE-294
|
Authentication Bypass by Capture-replay
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-384
|
Session Fixation
|
|
CWE-488
|
Exposure of Data Element to Wrong Session
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
|
CWE-664
|
Improper Control of a Resource Through its Lifetime
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
|
| Collect Data from Registries |
|
| Key Negotiation of Bluetooth Attack (KNOB) |
|
CWE-285
|
Improper Authorization
|
|
CWE-425
|
Direct Request ('Forced Browsing')
|
|
CWE-693
|
Protection Mechanism Failure
|
|
| Manipulating Web Input to File System Calls |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-22
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|
|
CWE-23
|
Relative Path Traversal
|
|
CWE-59
|
Improper Link Resolution Before File Access ('Link Following')
|
|
CWE-73
|
External Control of File Name or Path
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
|
CWE-77
|
Improper Neutralization of Special Elements used in a Command ('Command Injection')
|
|
CWE-272
|
Least Privilege Violation
|
|
CWE-285
|
Improper Authorization
|
|
CWE-346
|
Origin Validation Error
|
|
CWE-348
|
Use of Less Trusted Source
|
|
| Manipulating User-Controlled Variables |
|
CWE-15
|
External Control of System or Configuration Setting
|
|
CWE-94
|
Improper Control of Generation of Code ('Code Injection')
|
|
CWE-96
|
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
|
|
CWE-285
|
Improper Authorization
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
|
CWE-473
|
PHP External Variable Modification
|
|
CWE-1321
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
|
| Forceful Browsing |
|
CWE-285
|
Improper Authorization
|
|
CWE-425
|
Direct Request ('Forced Browsing')
|
|
CWE-693
|
Protection Mechanism Failure
|
|