Categories

| CWE | NAME | DESCRIPTION | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| CWE-379 | Creation of Temporary File in Directory with Incorrect Permissions | The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. | 0 | 1 | 0 | 0 | 1 |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. | 0 | 0 | 0 | 1 | 1 |
| CWE-911 | Improper Update of Reference Count | The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. | 0 | 1 | 0 | 0 | 1 |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. | 0 | 1 | 0 | 0 | 1 |
| CWE-804 | Guessable CAPTCHA | The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. | 0 | 1 | 0 | 0 | 1 |
| CWE-303 | Incorrect Implementation of Authentication Algorithm | The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. | 0 | 0 | 1 | 0 | 1 |
| CWE-230 | Improper Handling of Missing Values | The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. | 0 | 1 | 0 | 0 | 1 |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. | 0 | 0 | 1 | 0 | 1 |
| CWE-215 | Information Exposure Through Debug Information | The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. | 1 | 0 | 0 | 0 | 1 |
| CWE-305 | Authentication Bypass by Primary Weakness | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. | 0 | 1 | 0 | 0 | 1 |