Weaknesses
| CWE | Weakness | Description |
|---|---|---|
| CWE-568 | finalize() Method Without super.finalize() | The product contains a finalize() method that does not call super.finalize(). |
| CWE-583 | finalize() Method Declared Public | The product violates secure coding principles for mobile code by declaring a finalize() method public. |
| CWE-580 | clone() Method Without super.clone() | The product contains a clone() method that does not call super.clone() to obtain the new object. |
| CWE-91 | XML Injection (aka Blind XPath Injection) | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| CWE-123 | Write-what-where Condition | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
| CWE-128 | Wrap-around Error | Wrap-around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value. |
| CWE-64 | Windows Shortcut Following (.LNK) | The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
| CWE-65 | Windows Hard Link | The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
| CWE-521 | Weak Password Requirements | The product does not require that users have strong passwords. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-261 | Weak Encoding for Password | Obscuring a password with a trivial encoding does not protect the password. |
| CWE-1390 | Weak Authentication | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
| CWE-657 | Violation of Secure Design Principles | The product violates well-established principles for secure design. |
| CWE-621 | Variable Extraction Error | The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables. |
| CWE-293 | Using Referer Field for Authentication | The Referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | The user interface (UI) does not properly represent critical information to the user, allowing the information, or its source, to be obscured or spoofed. This is often a component in phishing attacks. |
| CWE-560 | Use of umask() with chmod-style Argument | The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). |
| CWE-467 | Use of sizeof() on a Pointer Type | The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to. |
| CWE-558 | Use of getlogin() in Multithreaded Application | The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. |
| CWE-759 | Use of a One-Way Hash without a Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input. |
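The two size-calculation entries above, CWE-467 (sizeof() on a pointer type) and CWE-128 (wrap-around), are easiest to see in running C. The following is an added example written for this page, not code from CWE or any listed product: each weakness is shown next to a corrected version, and the buffer sizes and length values are constructed for the demonstration.

```c
/* Added example (not from the CWE pages): the size-calculation mistakes behind
 * CWE-467 (sizeof on a pointer) and CWE-128 (wrap-around), each beside a fix.
 * All buffers and length values below are constructed for the demo. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CWE-467: sizeof(dst) is the size of the pointer (8 bytes on LP64), not the
 * 64-byte object it points to, so only the first few bytes are cleared.
 * Returns the number of bytes it actually cleared. */
size_t clear_buffer_wrong(char *dst) {
    memset(dst, 0, sizeof(dst));            /* bug: pointer size, not object size */
    return sizeof(dst);
}

/* Fixed: the caller that owns the array passes its real size. */
size_t clear_buffer_fixed(char *dst, size_t dst_len) {
    memset(dst, 0, dst_len);
    return dst_len;
}

/* Fill a 64-byte buffer with 'A', run the buggy clear, count bytes untouched. */
size_t leftover_after_wrong_clear(void) {
    char buf[64];
    memset(buf, 'A', sizeof buf);
    clear_buffer_wrong(buf);
    size_t untouched = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] == 'A') untouched++;
    return untouched;                        /* 64 - sizeof(char *) */
}

/* Same test with the fixed clear: nothing is left untouched. */
size_t leftover_after_fixed_clear(void) {
    char buf[64];
    memset(buf, 'A', sizeof buf);
    clear_buffer_fixed(buf, sizeof buf);
    size_t untouched = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] == 'A') untouched++;
    return untouched;
}

/* CWE-128: header_len + body_len is computed in 32 bits. With body_len =
 * 0xFFFFFFF0 and header_len = 0x20 the sum wraps to 0x10, the check against a
 * 4096-byte buffer passes, and a copy of body_len bytes would follow.
 * Returns 1 when the check accepts the lengths. */
int length_check_wrong(uint32_t header_len, uint32_t body_len, uint32_t buf_size) {
    uint32_t total = header_len + body_len;  /* may wrap around */
    return total <= buf_size;
}

/* Fixed: reject before the addition can wrap (or add in a wider type). */
int length_check_fixed(uint32_t header_len, uint32_t body_len, uint32_t buf_size) {
    if (body_len > UINT32_MAX - header_len)  /* the sum would exceed 32 bits */
        return 0;
    return header_len + body_len <= buf_size;
}

int main(void) {
    printf("bytes left uncleared, wrong: %zu  fixed: %zu\n",
           leftover_after_wrong_clear(), leftover_after_fixed_clear());
    printf("wrapped lengths accepted, wrong: %d  fixed: %d\n",
           length_check_wrong(0x20, 0xFFFFFFF0u, 4096),
           length_check_fixed(0x20, 0xFFFFFFF0u, 4096));
    return 0;
}
```

Compilers flag the first bug with warnings such as `-Wsizeof-pointer-memaccess`; the second is silent, which is why explicit overflow checks (or `__builtin_add_overflow` where available) belong in every length computation fed by untrusted input.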
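CWE-560 (umask() with a chmod-style argument) is a one-token mistake with a surprising result, so here it is as an added example for this page (not CWE's own code): umask() takes the permission bits to remove, so passing a chmod-style mode such as 0644 strips the owner's read and write bits instead of granting them. The scratch directory under /tmp is an assumption of the demo; the program creates and removes it itself.

```c
/* Added example (not from the CWE page) for CWE-560: what umask(0644) does to
 * a file created with mode 0666, next to the intended umask(022). The /tmp
 * scratch location is an assumption of this demo. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits the kernel applies: the requested mode minus the mask bits. */
mode_t effective_mode(mode_t requested, mode_t mask) {
    return requested & ~mask & 07777;
}

/* Create path with open(..., 0666) under the given umask, return the mode bits
 * the file actually received, or (mode_t)-1 on error. Restores the old umask
 * and removes the file afterwards. */
mode_t create_under_umask(const char *path, mode_t mask) {
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0) return (mode_t)-1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

int main(void) {
    char dir[] = "/tmp/cwe560.XXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }
    char path[64];
    snprintf(path, sizeof path, "%s/f", dir);

    /* Bug: the author meant "files should be 0644" but handed it to umask(). */
    mode_t wrong = create_under_umask(path, 0644);
    /* Fix: umask() wants the complement, 022, which leaves 0644 from 0666. */
    mode_t right = create_under_umask(path, 022);
    rmdir(dir);

    printf("umask(0644): file mode %04o (expected %04o)\n",
           (unsigned)wrong, (unsigned)effective_mode(0666, 0644));
    printf("umask(022):  file mode %04o (expected %04o)\n",
           (unsigned)right, (unsigned)effective_mode(0666, 022));
    return 0;
}
```

With the buggy call the file ends up as mode 0022: the owner cannot read or write it, while group and others get write access, the opposite of what was intended.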
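For CWE-759 (one-way hash without a salt) the following added example, written for this page rather than taken from CWE, shows why the salt matters: without one, every user who picked the same password stores the same digest, and a table of digests computed once over a dictionary works against all of them. It uses 64-bit FNV-1a as a deliberately simple stand-in for a hash function so the mechanism stays visible; that choice, the user passwords and the salt bytes are all constructed for the demo. A real system uses a password hash built for the purpose (Argon2, scrypt or bcrypt) with a random per-user salt.

```c
/* Added example (not from the CWE page) for CWE-759. FNV-1a stands in for a
 * hash so the effect of a salt is visible; it is NOT a password hash. The
 * passwords, salts and dictionary below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in digest (FNV-1a, 64-bit). Illustration only. */
uint64_t digest(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* CWE-759: the password alone is hashed. Equal passwords give equal digests,
 * and one precomputed table serves against every user in the database. */
uint64_t unsalted(const char *password) {
    return digest((const uint8_t *)password, strlen(password));
}

/* Salted: a per-user random value is hashed together with the password, so
 * equal passwords give different digests and no shared table applies. */
uint64_t salted(const char *password, const uint8_t *salt, size_t salt_len) {
    uint8_t buf[256];
    size_t plen = strlen(password);
    if (salt_len + plen > sizeof buf) return 0;
    memcpy(buf, salt, salt_len);
    memcpy(buf + salt_len, password, plen);
    return digest(buf, salt_len + plen);
}

/* The attacker's precomputed table over a small dictionary: returns the word
 * whose unsalted digest matches, or NULL. */
const char *table_lookup(uint64_t target) {
    static const char *dict[] = {"password", "123456", "letmein", "qwerty"};
    for (size_t i = 0; i < sizeof dict / sizeof dict[0]; i++)
        if (unsalted(dict[i]) == target) return dict[i];
    return NULL;
}

int main(void) {
    /* Constructed: two users who chose the same weak password. */
    const char *pw = "letmein";
    const uint8_t salt_a[8] = {0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbb, 0x10};
    const uint8_t salt_b[8] = {0x7d, 0x22, 0xf0, 0x19, 0x8c, 0x63, 0x05, 0xa4};

    uint64_t ua = unsalted(pw), ub = unsalted(pw);
    const char *hit = table_lookup(ua);
    printf("unsalted: digests equal=%d, table hit=%s\n", ua == ub, hit ? hit : "none");

    uint64_t sa = salted(pw, salt_a, sizeof salt_a);
    uint64_t sb = salted(pw, salt_b, sizeof salt_b);
    hit = table_lookup(sa);
    printf("salted:   digests equal=%d, table hit=%s\n", sa == sb, hit ? hit : "none");
    return 0;
}
```

The salt is stored next to the digest in clear; its job is not secrecy but making each stored value unique, so the attacker must rerun the hash per user instead of once per dictionary word.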