Categories
CWE | NAME | LAST 12M | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
---|---|---|---|---|---|---|---|
CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes: The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. | 0 | 0 | 1 | 0 | 1 | |
CWE-216 | Containment Errors (Container Errors): This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the container term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. | 0 | 0 | 1 | 0 | 1 | |
CWE-371 | State Issues: Weaknesses in this category are related to improper management of system state. | 0 | 0 | 1 | 0 | 1 | |
CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax: The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. | 0 | 1 | 0 | 0 | 1 | |
CWE-420 | Unprotected Alternate Channel: The software protects a primary channel, but it does not use the same level of protection for an alternate channel. | 0 | 0 | 0 | 1 | 1 | |
CWE-413 | Improper Resource Locking: The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource. | 0 | 0 | 1 | 0 | 1 | |
CWE-219 | Sensitive Data Under Web Root: The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. | 0 | 0 | 1 | 0 | 1 | |
CWE-259 | Use of Hard-coded Password: The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. | 0 | 0 | 1 | 0 | 1 | |
CWE-324 | Use of a Key Past its Expiration Date: The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. | 0 | 1 | 0 | 0 | 1 | |
CWE-282 | Improper Ownership Management: The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. | 0 | 0 | 1 | 0 | 1 |