CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 1.0 and Version 1.0.1  
ID

Differences between Version 1.0 and Version 1.0.1
Differences between Version 1.0 and Version 1.0.1

Summary
Summary
Total new 1
Total deprecated 0
Total shared 734
Total important changes 152
Total major changes 166
Total minor changes 4
Total minor changes (no major)
Total unchanged 568
Back to top
Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Affected_Resources 0 0
Alternate_Terms 2 0
Applicable_Platforms 9 0
Background_Details 5 0
Black_Box_Definitions 0 0
Causal_Nature 0 0
Common_Consequences 1 1
Common_Methods_of_Exploitation 0 0
Context_Notes 0 0
Demonstrative_Examples 4 1
Description 135 1
Detection_Factors 0 0
Enabling_Factors_for_Exploitation 2 0
Functional_Areas 0 0
Likelihood_of_Exploit 0 0
Maintenance_Notes 10 0
Modes_of_Introduction 0 0
Name 12 1
Observed_Examples 6 0
Other_Notes 18 0
Potential_Mitigations 10 0
References 2 0
Related_Attack_Patterns 0 0
Relationship_Notes 4 0
Relationships 26 0
Relevant_Properties 0 0
Research_Gaps 2 0
Source_Taxonomy 0 0
Taxonomy_Mappings 0 0
Terminology_Notes 3 0
Theoretical_Notes 5 0
Time_of_Introduction 0 0
Type 1 0
View_Audience 0 0
View_Filter 0 0
View_Structure 0 0
View_Type 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 733
Weakness/Base Weakness/Class 1

Relationship Changes

The "Version 1.0.1 Total" lists the total number of relationships in Version 1.0.1. The "Shared" value is the total number of relationships in entries that were in both Version 1.0.1 and Version 1.0. The "New" value is the total number of relationships involving entries that did not exist in Version 1.0. Thus, the total number of relationships in Version 1.0.1 would combine stats from Shared entries and New entries.

Relationship Version 1.0.1 Total Version 1.0 Total Version 1.0.1 Shared Unchanged Added to Version 1.0.1 Removed from Version 1.0.1 Version 1.0.1 New
ALL 4025 3994 4021 3977 44 17 4
CanAlsoBe 38 39 38 38 1
CanFollow 73 65 73 65 8
CanPrecede 73 65 73 65 8
ChildOf 1702 1694 1700 1686 14 8 2
HasMember 96 96 96 96
MemberOf 96 96 96 96
ParentOf 1702 1694 1700 1686 14 8 2
PeerOf 188 188 188 188
RequiredBy 27 27 27 27
Requires 27 27 27 27
StartsWith 3 3 3 3

Nodes Removed from Version 1.0

CWE-ID CWE Name
None.

Nodes Added to Version 1.0.1

CWE-ID CWE Name
733 Compiler Optimization Removal or Modification of Security-critical Code

Nodes Deprecated in Version 1.0.1

CWE-ID CWE Name
None.
Back to top
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 6 J2EE Misconfiguration: Insufficient Session-ID Length
D 7 J2EE Misconfiguration: Missing Error Handling
R 12 ASP.NET Misconfiguration: Missing Custom Error Handling
R 14 Compiler Removal of Code to Clear Buffers
D 15 External Control of System or Configuration Setting
D 21 Pathname Traversal and Equivalence Errors
D 22 Path Traversal
D 23 Relative Path Traversal
D 24 Path Traversal: '../filedir'
D 25 Path Traversal: '/../filedir'
D 26 Path Traversal: '/dir/../filename'
D 27 Path Traversal: 'dir/../../filename'
DN 28 Path Traversal: '..\filedir'
D 29 Path Traversal: '\..\filename'
D 30 Path Traversal: '\dir\..\filename'
D 31 Path Traversal: 'dir\..\..\filename'
D 32 Path Traversal: '...' (Triple Dot)
D 33 Path Traversal: '....' (Multiple Dot)
D 34 Path Traversal: '....//'
D 35 Path Traversal: '.../...//'
D 36 Absolute Path Traversal
D 41 Failure to Resolve Path Equivalence
DN 57 Path Equivalence: 'fakedir/../realdir/filename'
D 58 Path Equivalence: Windows 8.3 Filename
D 61 UNIX Symbolic Link (Symlink) Following
D 62 UNIX Hard Link
D 64 Windows Shortcut Following (.LNK)
D 65 Windows Hard Link
D 67 Failure to Handle Windows Device Names
D 69 Failure to Handle Windows ::DATA Alternate Data Stream
D 78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
D 80 Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)
D 81 Failure to Sanitize Directives in an Error Message Web Page
D 82 Failure to Sanitize Script in Attributes of IMG Tags in a Web Page
D 89 Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')
DN 92 Insufficient Sanitization of Custom Special Characters
D 102 Struts: Duplicate Validation Forms
D 103 Struts: Incomplete validate() Method Definition
D 113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
R 119 Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer
DN 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 131 Incorrect Calculation of Buffer Size
D 145 Failure to Sanitize Section Delimiters
D 146 Failure to Sanitize Expression/Command Delimiters
D 147 Failure to Sanitize Input Terminators
D 150 Failure to Sanitize Escape, Meta, or Control Sequences
D 154 Failure to Sanitize Variable Name Delimiter
D 155 Failure to Sanitize Wildcard or Matching Symbol
D 158 Failure to Sanitize Null Byte or NUL Character
D 160 Failure to Sanitize Leading Special Element
D 161 Failure to Sanitize Multiple Leading Special Elements
D 162 Failure to Sanitize Trailing Special Element
D 163 Failure to Sanitize Multiple Trailing Special Elements
D 164 Failure to Sanitize Internal Special Element
D 165 Failure to Sanitize Multiple Internal Special Elements
D 168 Failure to Resolve Inconsistent Special Elements
D 179 Incorrect Behavior Order: Early Validation
D 180 Incorrect Behavior Order: Validate Before Canonicalize
D 181 Incorrect Behavior Order: Validate Before Filter
D 190 Integer Overflow (Wrap or Wraparound)
D 191 Integer Underflow (Wrap or Wraparound)
D 200 Information Leak (Information Disclosure)
D 204 Response Discrepancy Information Leak
D 205 Behavioral Discrepancy Information Leak
D 208 Timing Discrepancy Information Leak
R 209 Error Message Information Leaks
D 211 Product-External Error Message Information Leak
D 212 Cross-boundary Cleansing Information Leak
D 214 Process Environment Information Leak
R 226 Sensitive Information Uncleared Before Release
D 243 Failure to Change Working Directory in chroot Jail
R 244 Failure to Clear Heap Memory Before Release (aka 'Heap Inspection')
D 250 Design Principle Violation: Failure to Use Least Privilege
D 257 Storing Passwords in a Recoverable Format
D 259 Hard-Coded Password
D 260 Password in Configuration File
D 265 Privilege / Sandbox Issues
D 271 Privilege Dropping / Lowering Errors
R 284 Access Control (Authorization) Issues
R 287 Insufficient Authentication
D 295 Certificate Issues
D 302 Authentication Bypass by Assumed-Immutable Data
D 303 Improper Implementation of Authentication Algorithm
D 304 Missing Critical Step in Authentication
D 322 Key Exchange without Entity Authentication
D 328 Reversible One-Way Hash
D 343 Predictable Value Range from Previous Values
D 356 Product UI does not Warn User of Unsafe Actions
D 361 Time and State
R 362 Race Condition
D R 363 Race Condition Enabling Link Following
DNR 367 Time-of-check Time-of-use (TOCTOU) Race Condition
D 370 Race Condition in Checking for Certificate Revocation
D 385 Covert Timing Channel
D 388 Error Handling
D 389 Error Conditions, Return Values, Status Codes
D 393 Return of Wrong Status Code
DNR 400 Uncontrolled Resource Consumption (aka 'Resource Exhaustion')
D 401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
R 404 Improper Resource Shutdown or Release
D 405 Asymmetric Resource Consumption (Amplification)
DN 406 Insufficient Control of Network Message Volume (Network Amplification)
D 409 Failure to Handle Highly Compressed Data (Data Amplification)
D R 410 Insufficient Resource Pool
D 412 Unrestricted Lock on Critical Resource
D 421 Race Condition During Access to Alternate Channel
D 425 Direct Request ('Forced Browsing')
D 430 Deployment of Wrong Handler
D 432 Dangerous Handler not Disabled During Sensitive Operations
D 433 Unparsed Raw Web Content Delivery
D R 435 Interaction Error
D 436 Interpretation Conflict
D 437 Incomplete Model of Endpoint Features
R 442 Web Problems
D 446 UI Discrepancy for Security Feature
D 470 Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')
R 480 Use of Incorrect Operator
D 507 Trojan Horse
D 511 Logic/Time Bomb
D 512 Spyware
D 514 Covert Channel
D 515 Covert Storage Channel
D 518 Inadvertently Introduced Weakness
D 527 Information Leak Through CVS Repository
D 540 Information Leak Through Source Code
R 544 Missing Error Handling Mechanism
D 550 Information Leak Through Server Error Message
D 556 ASP.NET Misconfiguration: Use of Identity Impersonation
D 582 Array Declared Public, Final, and Static
D 589 Call to Non-ubiquitous API
R 597 Use of Wrong Operator in String Comparison
D 615 Information Leak Through Comments
D 616 Incomplete Identification of Uploaded File Variables (PHP)
D 618 Exposed Unsafe ActiveX Method
D R 619 Dangling Database Cursor (aka 'Cursor Injection')
D 621 Variable Extraction Error
D 624 Executable Regular Expression Error
D 627 Dynamic Variable Evaluation
D 639 Access Control Bypass Through User-Controlled Key
D 641 Insufficient Filtering of File and Other Resource Names for Executable Content
D 642 External Control of User State Data
DN 643 Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')
DNR 644 Insufficient Sanitization of HTTP Headers for Scripting Syntax
D 645 Overly Restrictive Account Lockout Mechanism
DNR 646 Reliance on File Name or Extension of Externally-Supplied File
DNR 647 Use of Non-Canonical URL Paths for Authorization Decisions
D 648 Improper Use of Privileged APIs
D 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
D 650 Trusting HTTP Permission Methods on the Server Side
DN 652 Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')
R 662 Insufficient Synchronization
R 669 Incorrect Resource Transfer Between Spheres
Back to top
Detailed Difference Report
Detailed Difference Report
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Background_Details, Description
Minor None
7 J2EE Misconfiguration: Missing Error Handling
Major Description
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Handling
Major Relationships
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Relationships
Minor None
15 External Control of System or Configuration Setting
Major Description
Minor None
21 Pathname Traversal and Equivalence Errors
Major Description
Minor None
22 Path Traversal
Major Description
Minor None
23 Relative Path Traversal
Major Description
Minor None
24 Path Traversal: '../filedir'
Major Description
Minor None
25 Path Traversal: '/../filedir'
Major Description
Minor None
26 Path Traversal: '/dir/../filename'
Major Description
Minor None
27 Path Traversal: 'dir/../../filename'
Major Description
Minor None
28 Path Traversal: '..\filedir'
Major Applicable_Platforms, Description, Name
Minor None
29 Path Traversal: '\..\filename'
Major Applicable_Platforms, Description
Minor None
30 Path Traversal: '\dir\..\filename'
Major Applicable_Platforms, Description
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Applicable_Platforms, Description
Minor Name
32 Path Traversal: '...' (Triple Dot)
Major Description, Maintenance_Notes
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Description, Maintenance_Notes
Minor None
34 Path Traversal: '....//'
Major Description
Minor None
35 Path Traversal: '.../...//'
Major Description
Minor None
36 Absolute Path Traversal
Major Description
Minor None
41 Failure to Resolve Path Equivalence
Major Description
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Description, Name, Observed_Examples, Other_Notes, Theoretical_Notes
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Description
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Description
Minor None
62 UNIX Hard Link
Major Description
Minor None
64 Windows Shortcut Following (.LNK)
Major Description
Minor None
65 Windows Hard Link
Major Description
Minor None
67 Failure to Handle Windows Device Names
Major Description
Minor None
69 Failure to Handle Windows ::DATA Alternate Data Stream
Major Description
Minor None
71 Apple '.DS_Store'
Major Maintenance_Notes
Minor Description
78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
Major Description
Minor None
80 Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)
Major Description
Minor None
81 Failure to Sanitize Directives in an Error Message Web Page
Major Description
Minor None
82 Failure to Sanitize Script in Attributes of IMG Tags in a Web Page
Major Description
Minor None
89 Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')
Major Description
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Maintenance_Notes, Other_Notes, Theoretical_Notes
Minor None
92 Insufficient Sanitization of Custom Special Characters
Major Description, Name
Minor None
102 Struts: Duplicate Validation Forms
Major Description, Other_Notes, Potential_Mitigations
Minor None
103 Struts: Incomplete validate() Method Definition
Major Description, Maintenance_Notes
Minor None
113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
Major Description
Minor None
119 Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer
Major Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Alternate_Terms, Description, Name, Other_Notes, Terminology_Notes
Minor None
131 Incorrect Calculation of Buffer Size
Major Relationships
Minor None
145 Failure to Sanitize Section Delimiters
Major Description
Minor None
146 Failure to Sanitize Expression/Command Delimiters
Major Description
Minor None
147 Failure to Sanitize Input Terminators
Major Description
Minor None
150 Failure to Sanitize Escape, Meta, or Control Sequences
Major Description
Minor None
154 Failure to Sanitize Variable Name Delimiter
Major Description
Minor None
155 Failure to Sanitize Wildcard or Matching Symbol
Major Description
Minor None
158 Failure to Sanitize Null Byte or NUL Character
Major Description
Minor None
160 Failure to Sanitize Leading Special Element
Major Description
Minor None
161 Failure to Sanitize Multiple Leading Special Elements
Major Description
Minor None
162 Failure to Sanitize Trailing Special Element
Major Description
Minor None
163 Failure to Sanitize Multiple Trailing Special Elements
Major Description
Minor None
164 Failure to Sanitize Internal Special Element
Major Description
Minor None
165 Failure to Sanitize Multiple Internal Special Elements
Major Description
Minor None
168 Failure to Resolve Inconsistent Special Elements
Major Description
Minor None
178 Failure to Resolve Case Sensitivity
Major Observed_Examples
Minor None
179 Incorrect Behavior Order: Early Validation
Major Description
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Description
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Description
Minor None
190 Integer Overflow (Wrap or Wraparound)
Major Common_Consequences, Description, Potential_Mitigations, Terminology_Notes
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Description
Minor None
200 Information Leak (Information Disclosure)
Major Description
Minor None
204 Response Discrepancy Information Leak
Major Description, Potential_Mitigations
Minor None
205 Behavioral Discrepancy Information Leak
Major Description
Minor None
208 Timing Discrepancy Information Leak
Major Description
Minor None
209 Error Message Information Leaks
Major Relationships
Minor None
211 Product-External Error Message Information Leak
Major Description
Minor None
212 Cross-boundary Cleansing Information Leak
Major Description
Minor None
214 Process Environment Information Leak
Major Description, Other_Notes
Minor None
226 Sensitive Information Uncleared Before Release
Major Relationships
Minor None
243 Failure to Change Working Directory in chroot Jail
Major Description
Minor None
244 Failure to Clear Heap Memory Before Release (aka 'Heap Inspection')
Major Relationships
Minor None
248 Uncaught Exception
Major Applicable_Platforms
Minor None
250 Design Principle Violation: Failure to Use Least Privilege
Major Description, Maintenance_Notes
Minor None
257 Storing Passwords in a Recoverable Format
Major Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations
Minor None
259 Hard-Coded Password
Major Description, Potential_Mitigations
Minor None
260 Password in Configuration File
Major Description
Minor None
265 Privilege / Sandbox Issues
Major Description, Research_Gaps, Theoretical_Notes
Minor None
271 Privilege Dropping / Lowering Errors
Major Description, Maintenance_Notes
Minor None
272 Least Privilege Violation
Major Maintenance_Notes
Minor Demonstrative_Examples
284 Access Control (Authorization) Issues
Major Relationships
Minor None
287 Insufficient Authentication
Major Relationships
Minor None
295 Certificate Issues
Major Background_Details, Description
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Demonstrative_Examples, Description
Minor None
303 Improper Implementation of Authentication Algorithm
Major Description
Minor None
304 Missing Critical Step in Authentication
Major Description
Minor None
322 Key Exchange without Entity Authentication
Major Description, Other_Notes
Minor Common_Consequences
328 Reversible One-Way Hash
Major Description
Minor None
343 Predictable Value Range from Previous Values
Major Description
Minor None
356 Product UI does not Warn User of Unsafe Actions
Major Description
Minor None
361 Time and State
Major Description
Minor None
362 Race Condition
Major Relationships
Minor None
363 Race Condition Enabling Link Following
Major Description, Other_Notes, Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Description, Name, Relationships
Minor None
370 Race Condition in Checking for Certificate Revocation
Major Description, Other_Notes, Potential_Mitigations
Minor None
385 Covert Timing Channel
Major Description
Minor None
388 Error Handling
Major Description
Minor None
389 Error Conditions, Return Values, Status Codes
Major Description
Minor None
393 Return of Wrong Status Code
Major Description
Minor None
396 Declaration of Catch for Generic Exception
Major Applicable_Platforms
Minor None
397 Declaration of Throws for Generic Exception
Major Applicable_Platforms
Minor None
400 Uncontrolled Resource Consumption (aka 'Resource Exhaustion')
Major Description, Name, Relationships
Minor None
401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
Major Description
Minor None
404 Improper Resource Shutdown or Release
Major Relationships
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Description
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Description, Enabling_Factors_for_Exploitation, Name, Other_Notes, Theoretical_Notes
Minor None
409 Failure to Handle Highly Compressed Data (Data Amplification)
Major Description
Minor None
410 Insufficient Resource Pool
Major Description, Relationships
Minor None
412 Unrestricted Lock on Critical Resource
Major Description
Minor None
421 Race Condition During Access to Alternate Channel
Major Description
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Other_Notes, Relationship_Notes, Research_Gaps
Minor None
425 Direct Request ('Forced Browsing')
Major Description
Minor None
430 Deployment of Wrong Handler
Major Description
Minor None
432 Dangerous Handler not Disabled During Sensitive Operations
Major Description
Minor None
433 Unparsed Raw Web Content Delivery
Major Description, Other_Notes, Relationship_Notes
Minor None
435 Interaction Error
Major Description, Relationships
Minor None
436 Interpretation Conflict
Major Description
Minor None
437 Incomplete Model of Endpoint Features
Major Description
Minor None
442 Web Problems
Major Relationships
Minor None
446 UI Discrepancy for Security Feature
Major Description, Maintenance_Notes, Other_Notes
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')
Major Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes
Minor None
480 Use of Incorrect Operator
Major Relationships
Minor None
498 Information Leak through Class Cloning
Major Other_Notes
Minor None
507 Trojan Horse
Major Description, Terminology_Notes
Minor None
511 Logic/Time Bomb
Major Description
Minor None
512 Spyware
Major Description, Potential_Mitigations
Minor None
514 Covert Channel
Major Description, Other_Notes, Theoretical_Notes
Minor None
515 Covert Storage Channel
Major Description
Minor None
518 Inadvertently Introduced Weakness
Major Description
Minor None
527 Information Leak Through CVS Repository
Major Description
Minor None
540 Information Leak Through Source Code
Major Description
Minor None
544 Missing Error Handling Mechanism
Major Relationships
Minor None
548 Information Leak Through Directory Listing
Major Other_Notes
Minor None
550 Information Leak Through Server Error Message
Major Description
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Description
Minor None
582 Array Declared Public, Final, and Static
Major Background_Details, Demonstrative_Examples, Description, Other_Notes
Minor None
589 Call to Non-ubiquitous API
Major Description
Minor None
597 Use of Wrong Operator in String Comparison
Major Relationships
Minor None
601 URL Redirection to Untrusted Site (aka 'Open Redirect')
Major Alternate_Terms, Observed_Examples, References
Minor None
614 Sensitive Cookie in HTTPS Session Without "Secure" Attribute
Major Observed_Examples
Minor None
615 Information Leak Through Comments
Major Description
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Description, Other_Notes, Potential_Mitigations
Minor None
618 Exposed Unsafe ActiveX Method
Major Description
Minor None
619 Dangling Database Cursor (aka 'Cursor Injection')
Major Background_Details, Description, Relationships
Minor None
621 Variable Extraction Error
Major Description
Minor None
624 Executable Regular Expression Error
Major Description
Minor None
627 Dynamic Variable Evaluation
Major Background_Details, Description
Minor None
639 Access Control Bypass Through User-Controlled Key
Major Description
Minor None
641 Insufficient Filtering of File and Other Resource Names for Executable Content
Major Description
Minor None
642 External Control of User State Data
Major Description
Minor None
643 Failure to Sanitize Data within XPath Expressions (aka 'XPath injection')
Major Description, Name, References, Relationship_Notes
Minor None
644 Insufficient Sanitization of HTTP Headers for Scripting Syntax
Major Description, Name, Observed_Examples, Relationships
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Description
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Description, Name, Observed_Examples, Relationships
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Description, Name, Potential_Mitigations, Relationships
Minor None
648 Improper Use of Privileged APIs
Major Description, Potential_Mitigations
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Description
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Description, Enabling_Factors_for_Exploitation
Minor None
652 Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection')
Major Description, Name, Relationship_Notes
Minor None
662 Insufficient Synchronization
Major Relationships
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
682 Incorrect Calculation
Major Type
Minor None
692 Incomplete Blacklist to Cross-Site Scripting
Major Applicable_Platforms
Minor None
Back to top
Page Last Updated: January 05, 2017
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.