Categories

Each entry lists the CWE identifier and name, its description, and the count of recorded vulnerabilities by severity (Low, Medium, High, Critical) with the total. The four severity counts sum to the total in every row.

CWE-918  Server-Side Request Forgery (SSRF)
  The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
  Low 12 | Medium 324 | High 312 | Critical 226 | Total 874

CWE-276  Incorrect Default Permissions
  The product, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
  Low 25 | Medium 299 | High 424 | Critical 64 | Total 812

CWE-362  Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
  Low 34 | Medium 358 | High 397 | Critical 6 | Total 795

CWE-284  Improper Access Control
  The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
  Low 25 | Medium 306 | High 340 | Critical 110 | Total 781

CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
  A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This simplifies phishing attacks.
  Low 5 | Medium 722 | High 35 | Critical 6 | Total 768

CWE-74  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
  Low 10 | Medium 254 | High 316 | Critical 158 | Total 738

CWE-401  Improper Release of Memory Before Removing Last Reference ('Memory Leak')
  The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
  Low 14 | Medium 493 | High 208 | Critical 1 | Total 716

CWE-770  Allocation of Resources Without Limits or Throttling
  The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
  Low 3 | Medium 308 | High 328 | Critical 10 | Total 649

CWE-427  Uncontrolled Search Path Element
  The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
  Low 0 | Medium 55 | High 528 | Critical 19 | Total 602

CWE-532  Information Exposure Through Log Files
  Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
  Low 65 | Medium 341 | High 154 | Critical 40 | Total 600