Weaknesses
| CWE | Weakness | Description |
|---|---|---|
| CWE-1099 | Inconsistent Naming Conventions for Identifiers | The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements. |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
| CWE-1068 | Inconsistency Between Implementation and Documented Design | The implementation of the product is not consistent with the design as described within the relevant documentation. |
| CWE-437 | Incomplete Model of Endpoint Features | A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model. |
| CWE-184 | Incomplete List of Disallowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
| CWE-372 | Incomplete Internal State Distinction | The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner. |
| CWE-616 | Incomplete Identification of Uploaded File Variables (PHP) | The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. |
| CWE-1111 | Incomplete I/O Documentation | The product's documentation does not adequately define inputs, outputs, or system/software interfaces. |
| CWE-791 | Incomplete Filtering of Special Elements | The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. |
| CWE-792 | Incomplete Filtering of One or More Instances of Special Elements | The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component. |
| CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements | The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. |
| CWE-1112 | Incomplete Documentation of Program Execution | The documentation does not fully define all mechanisms that are used to control or influence how product-specific programs are executed. |
| CWE-1110 | Incomplete Design Documentation | The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design. |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting | The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. |
| CWE-1023 | Incomplete Comparison with Missing Factors | The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. |
| CWE-459 | Incomplete Cleanup | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | The device includes chicken bits or undocumented features that can create entry points for unauthorized actors. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. |