CWE-93 – Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
Description: The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or...
CWE-939 – Improper Authorization in Handler for Custom URL Scheme
Description: The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the...
CWE-836 – Use of Password Hash Instead of Password for Authentication
Description: The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to...
CWE-837 – Improper Enforcement of a Single, Unique Action
Description: The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the...
CWE-838 – Inappropriate Encoding for Output Context
Description: The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the...
CWE-839 – Numeric Range Comparison Without Minimum Check
Description: The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that...
CWE-84 – Improper Neutralization of Encoded URI Schemes in a Web Page
Description: The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings. Modes of Introduction: Architecture and Design. Likelihood of Exploit: ...
CWE-841 – Improper Enforcement of Behavioral Workflow
Description: The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that...
CWE-842 – Placement of User into Incorrect Group
Description: The software or the administrator places a user into an incorrect group. If the incorrect group has more access or privileges than the intended...
CWE-843 – Access of Resource Using Incompatible Type (‘Type Confusion’)
Description: The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using...