Categories

The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.

The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.

The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed/updated in the field.

The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

The product relies on third-party software components that do not provide equivalent functionality across all desirable platforms.

The product is designed such that certain parts be restricted yet does not sufficiently protect against an unauthorized actor’s ability to physically access these restricted regions of the product.