CWE-644 – Improper Neutralization of HTTP Headers for Scripting Syntax
Description: The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can...
CWE-645 – Overly Restrictive Account Lockout Mechanism
Description: The software contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to...
CWE-646 – Reliance on File Name or Extension of Externally-Supplied File
Description: The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate...
CWE-602 – Client-Side Enforcement of Server-Side Security
Description: The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When...
CWE-603 – Use of Client-Side Authentication
Description: A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that...
CWE-605 – Multiple Binds to the Same Port
Description: When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. On most systems,...
CWE-606 – Unchecked Input for Loop Condition
Description: The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because...
CWE-607 – Public Static Final Field References Mutable Object
Description: A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from...
CWE-608 – Struts: Non-private Field in ActionForm Class
Description: An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. Modes of...
CWE-609 – Double-Checked Locking
Description: The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. Double-checked locking refers to...