Categories
CWE | NAME | LAST 12M | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
---|---|---|---|---|---|---|---|
CWE-642 | **External Control of Critical State Data.** The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. | 0 | 1 | 1 | 0 | 2 | |
CWE-21 | **Pathname Traversal and Equivalence Errors.** Weaknesses in this category can be used to access files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. The manipulations generally involve special characters or sequences in pathnames, or the use of alternate references or channels. | 0 | 1 | 0 | 1 | 2 | |
CWE-912 | **Hidden Functionality.** The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators. | 0 | 0 | 1 | 1 | 2 | |
CWE-282 | **Improper Ownership Management.** The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. | 0 | 0 | 2 | 0 | 2 | |
CWE-61 | **UNIX Symbolic Link (Symlink) Following.** The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. | 0 | 2 | 0 | 0 | 2 | |
CWE-317 | **Cleartext Storage of Sensitive Information in GUI.** The application stores sensitive information in cleartext within the GUI. | 0 | 2 | 0 | 0 | 2 | |
CWE-95 | **Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection').** The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g., eval). | 0 | 0 | 1 | 1 | 2 | |
CWE-614 | **Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.** The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. | 0 | 2 | 0 | 0 | 2 | |
CWE-451 | **User Interface (UI) Misrepresentation of Critical Information.** The user interface (UI) does not properly represent critical information to the user, allowing the information, or its source, to be obscured or spoofed. This is often a component in phishing attacks. | 0 | 2 | 0 | 0 | 2 | |
CWE-923 | **Improper Restriction of Communication Channel to Intended Endpoints.** The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. | 0 | 1 | 1 | 0 | 2 | |