Categories
CWE | Name | Description | Last 12M | Low | Medium | High | Critical | Total vulns
---|---|---|---|---|---|---|---|---
CWE-642 | External Control of Critical State Data | The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. | | 0 | 1 | 1 | 0 | 2
CWE-21 | Pathname Traversal and Equivalence Errors | Weaknesses in this category can be used to access files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. The manipulations generally involve special characters or sequences in pathnames, or the use of alternate references or channels. | | 0 | 1 | 0 | 1 | 2
CWE-1220 | Insufficient Granularity of Access Control | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. | | 0 | 2 | 0 | 0 | 2
CWE-912 | Hidden Functionality | The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators. | | 0 | 0 | 1 | 1 | 2
CWE-1287 | Improper Validation of Specified Type of Input | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. | | 0 | 0 | 1 | 1 | 2
CWE-61 | UNIX Symbolic Link (Symlink) Following | The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. | | 0 | 2 | 0 | 0 | 2
CWE-317 | Cleartext Storage of Sensitive Information in GUI | The application stores sensitive information in cleartext within the GUI. | | 0 | 2 | 0 | 0 | 2
CWE-35 | Path Traversal: '.../...//' | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. | | 0 | 1 | 1 | 0 | 2
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval). | | 0 | 0 | 1 | 1 | 2
CWE-525 | Information Exposure Through Browser Caching | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. | | 0 | 2 | 0 | 0 | 2
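Worked example for the CWE-21 and CWE-35 rows, added here as illustration (it is not code from the original page or from any product counted in the table). It shows why the `'.../...//'` sequence is a weakness at all: the payload does not fool the filesystem, it fools a filter that strips `'../'` in a single pass, and the strip itself manufactures the traversal. The hardened variant does no rewriting; it normalises the joined path and checks containment. `BASE_DIR` and the payload are constructed sample values, not taken from the page.

```python
import posixpath

# Hypothetical upload root used only for this demonstration (assumption).
BASE_DIR = "/srv/app/uploads"

# Constructed CWE-35 payload: each '.../...//' collapses to '../' once a
# filter removes '../' from it, so three of them climb three directories.
TRAVERSAL_PAYLOAD = ".../...//" * 3 + "etc/passwd"


def naive_sanitize(user_path: str) -> str:
    """Flawed filter of the kind CWE-35 targets: one non-recursive removal
    of '../'. str.replace scans left to right and never re-examines the text
    it has already emitted, so '.../...//' -> '../' survives the pass."""
    return user_path.replace("../", "")


def naive_resolve(user_path: str, base: str = BASE_DIR) -> str:
    """Vulnerable pattern: 'sanitize', then concatenate, trusting the filter."""
    return posixpath.normpath(posixpath.join(base, naive_sanitize(user_path)))


def is_within(base: str, path: str) -> bool:
    """Lexical containment check on already-normalised paths (no filesystem access)."""
    base = posixpath.normpath(base)
    return path == base or path.startswith(base + "/")


def safe_resolve(user_path: str, base: str = BASE_DIR) -> str:
    """Hardened pattern: strip nothing, normalise the *joined* path, and reject
    any result that is not strictly below the base directory. Because no text
    is rewritten before the check, obfuscated dot-segments have nothing to bypass;
    '.../...//' simply names odd directories inside the base.

    Not covered here: URL/Unicode decoding must already have happened, and
    symlinks below the base (CWE-61) are not resolved. For that, open the
    result relative to a directory fd with O_NOFOLLOW, or compare
    os.path.realpath() values at open time."""
    base = posixpath.normpath(base)
    # Force the user value to be relative so an absolute path cannot replace base.
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate == base or not is_within(base, candidate):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


if __name__ == "__main__":
    print("filter output :", naive_sanitize(TRAVERSAL_PAYLOAD))
    print("naive resolve :", naive_resolve(TRAVERSAL_PAYLOAD))
    print("safe resolve  :", safe_resolve(TRAVERSAL_PAYLOAD))
    try:
        safe_resolve("../etc/passwd")
    except ValueError as exc:
        print("rejected      :", exc)
```

The naive path resolves the payload to `/etc/passwd`; the hardened path keeps it under `BASE_DIR` and rejects a plain `../etc/passwd` outright. The general lesson, which applies to every CWE-21 variant and not only the `'.../...//'` case: validate the final normalised path, never the intermediate output of a string-rewriting filter.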