Categories

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

The software does not properly clean up and remove temporary or supporting resources after they have been used.

The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.