Categories

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

The product, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.