Categories

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

The software does not validate, or incorrectly validates, a certificate.

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.