CWE-61 – UNIX Symbolic Link (Symlink) Following
Description The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a...
CWE-610 – Externally Controlled Reference to a Resource in Another Sphere
Description The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. Modes of...
CWE-611 – Improper Restriction of XML External Entity Reference
Description The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control,...
CWE-612 – Improper Authorization of Index Containing Sensitive Information
Description The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized...
CWE-613 – Insufficient Session Expiration
Description According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."...
CWE-614 – Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
Description The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext...
CWE-615 – Inclusion of Sensitive Information in Source Code Comments
Description While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links...
CWE-616 – Incomplete Identification of Uploaded File Variables (PHP)
Description The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g....
CWE-617 – Reachable Assertion
Description The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior...
CWE-618 – Exposed Unsafe ActiveX Method
Description An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the...