CWE-315 – Cleartext Storage of Sensitive Information in a Cookie
Description: The application stores sensitive information in cleartext in a cookie. Attackers can use widely-available tools to view the cookie and read the sensitive information....
CWE-314 – Cleartext Storage in the Registry
Description: The application stores sensitive information in cleartext in the registry. Attackers can read the information by accessing the registry key. Even if the information...
CWE-313 – Cleartext Storage in a File or on Disk
Description: The application stores sensitive information in cleartext in a file, or on disk. The sensitive information could be read by attackers with access to...
CWE-312 – Cleartext Storage of Sensitive Information
Description: The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in...
CWE-311 – Missing Encryption of Sensitive Data
Description: The software does not encrypt sensitive or critical information before storage or transmission. The lack of proper data encryption passes up the guarantees of...
CWE-31 – Path Traversal: ‘dir….filename’
Description: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple...
CWE-309 – Use of Password System for Primary Authentication
Description: The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of...
CWE-308 – Use of Single-factor Authentication
Description: The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. While the...
CWE-307 – Improper Restriction of Excessive Authentication Attempts
Description: The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to...
CWE-306 – Missing Authentication for Critical Function
Description: The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Modes of...