CWE-636 – Not Failing Securely (‘Failing Open’)
Description: When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than...
CWE-637 – Unnecessary Complexity in Protection Mechanism (Not Using ‘Economy of Mechanism’)
Description: The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured,...
CWE-638 – Not Using Complete Mediation
Description: The software does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses...
CWE-639 – Authorization Bypass Through User-Controlled Key
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying...
CWE-64 – Windows Shortcut Following (.LNK)
Description: The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside...
CWE-640 – Weak Password Recovery Mechanism for Forgotten Password
Description: The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. Modes...
CWE-641 – Improper Restriction of Names for Files and Other Resources
Description: The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly...
CWE-642 – External Control of Critical State Data
Description: The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. Modes of...
CWE-643 – Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
Description: The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize...
CWE-644 – Improper Neutralization of HTTP Headers for Scripting Syntax
Description: The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can...