Categories

The software does not adequately filter user-controlled input for special elements with control implications.

The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.

The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.