Categories

The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.

The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

The software does not properly manage a user within its environment.

The software does not properly distinguish between different types of elements in a way that leads to insecure behavior.

The program releases a resource that is still intended to be used by the program itself or another actor.

The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software.

The product uses a scheme that generates numbers or identifiers that are more predictable than required.