Categories

CWE-282 Improper Ownership Management
The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
Low: 0, Medium: 0, High: 2, Critical: 0, Total vulns: 2

CWE-61 UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.
Low: 0, Medium: 2, High: 0, Critical: 0, Total vulns: 2

CWE-317 Cleartext Storage of Sensitive Information in GUI
The application stores sensitive information in cleartext within the GUI.
Low: 0, Medium: 2, High: 0, Critical: 0, Total vulns: 2

CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Low: 0, Medium: 2, High: 0, Critical: 0, Total vulns: 2

CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Low: 0, Medium: 1, High: 1, Critical: 0, Total vulns: 2

CWE-759 Use of a One-Way Hash without a Salt
The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.
Low: 0, Medium: 2, High: 0, Critical: 0, Total vulns: 2

CWE-248 Uncaught Exception
An exception is thrown from a function, but it is not caught.
Low: 0, Medium: 2, High: 0, Critical: 0, Total vulns: 2

CWE-942 Overly Permissive Cross-domain Whitelist
The software uses a cross-domain policy file that includes domains that should not be trusted.
Low: 1, Medium: 1, High: 0, Critical: 0, Total vulns: 2

CWE-501 Trust Boundary Violation
The product mixes trusted and untrusted data in the same data structure or structured message.
Low: 0, Medium: 1, High: 1, Critical: 0, Total vulns: 2

CWE-799 Improper Control of Interaction Frequency
The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Low: 1, Medium: 1, High: 0, Critical: 0, Total vulns: 2