Categories

| CWE | Name | Description | Last 12M | Low | Medium | High | Critical | Total vulns |
|---|---|---|---|---|---|---|---|---|
| CWE-259 | Use of Hard-coded Password | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. | | 0 | 2 | 1 | 6 | 9 |
| CWE-29 | Path Traversal: '\..\filename' | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. | | 0 | 1 | 5 | 3 | 9 |
| CWE-208 | Information Exposure Through Timing Discrepancy | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. | | 1 | 4 | 3 | 0 | 8 |
| CWE-912 | Hidden Functionality | The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators. | | 1 | 1 | 3 | 3 | 8 |
| CWE-385 | Covert Timing Channel | Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. | | 0 | 7 | 1 | 0 | 8 |
| CWE-361 | 7PK - Time and State | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." | | 0 | 4 | 3 | 0 | 7 |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. | | 0 | 0 | 0 | 7 | 7 |
| CWE-201 | Information Exposure Through Sent Data | The code transmits data to another actor, but the data contains sensitive information that should not be accessible to the actor that is receiving the data. | | 2 | 5 | 0 | 0 | 7 |
| CWE-457 | Use of Uninitialized Variable | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. | | 0 | 6 | 1 | 0 | 7 |
| CWE-799 | Improper Control of Interaction Frequency | The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. | | 1 | 3 | 3 | 0 | 7 |