Categories

| CWE | Name | Description | Low | Medium | High | Critical | Total vulns |
|---|---|---|---|---|---|---|---|
| CWE-405 | Asymmetric Resource Consumption (Amplification) | Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. | 0 | 2 | 0 | 0 | 2 |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. | 0 | 0 | 1 | 1 | 2 |
| CWE-241 | Improper Handling of Unexpected Data Type | The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). | 0 | 1 | 1 | 0 | 2 |
| CWE-603 | Use of Client-Side Authentication | A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. | 0 | 0 | 1 | 1 | 2 |
| CWE-194 | Unexpected Sign Extension | The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. | 0 | 2 | 0 | 0 | 2 |
| CWE-214 | Information Exposure Through Process Environment | A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. | 0 | 1 | 1 | 0 | 2 |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. | 0 | 2 | 0 | 0 | 2 |
| CWE-842 | Placement of User into Incorrect Group | The software or the administrator places a user into an incorrect group. | 0 | 0 | 2 | 0 | 2 |
| CWE-124 | Buffer Underwrite ('Buffer Underflow') | The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. | 0 | 0 | 2 | 0 | 2 |
| CWE-1022 | Use of Web Link to Untrusted Target with window.opener Access | The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. | 0 | 2 | 0 | 0 | 2 |