Categories

The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

The program accesses or uses a pointer that has not been initialized.

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.