Categories
CWE | NAME | DESCRIPTION | LAST 12M | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
---|---|---|---|---|---|---|---|---
CWE-23 | Relative Path Traversal | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as `..` that can resolve to a location that is outside of that directory. | | 0 | 3 | 2 | 1 | 6
CWE-497 | Exposure of System Data to an Unauthorized Control Sphere | The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. | | 1 | 5 | 0 | 0 | 6
CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | The software receives a request, message, or directive from an upstream component, but the software does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the software's control sphere. This causes the software to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. | | 0 | 3 | 1 | 1 | 5
CWE-297 | Improper Validation of Certificate with Host Mismatch | The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. | | 0 | 4 | 1 | 0 | 5
CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in `require`, `include`, or similar functions. | | 0 | 0 | 4 | 1 | 5
CWE-359 | Exposure of Private Information ('Privacy Violation') | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. | | 0 | 4 | 1 | 0 | 5
CWE-199 | Information Management Errors | Weaknesses in this category are related to improper handling of sensitive information. | | 0 | 3 | 0 | 1 | 4
CWE-35 | Path Traversal: '.../...//' | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize `.../...//` (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. | | 0 | 2 | 2 | 0 | 4
CWE-122 | Heap-based Buffer Overflow | A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as `malloc()`. | | 0 | 0 | 3 | 1 | 4
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. | | 0 | 2 | 1 | 1 | 4