Introduction
CWE™ (Common Weakness Enumeration) aims to provide a common base for identifying the type of a software weakness (vulnerability). International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code. CWE™ gives a hierarchically structured list of weakness types to help identify software vulnerabilities, which come in a wide variety, such as SQL injection, cross-site scripting and buffer overflow.
...
Security Reviewer provides a consistent set of rules based on CWE 4.4, designed to detect vulnerabilities in source code. Each rule defines up to 12 variants and up to 50 APIs to which it is applied, and has its own CWE™ identifier and description, with a link to the related MITRE™ web page, on which you can search:
...
You can export the rules list in Excel CSV format with CWE™ details:
...
CWE™ Ruleset
You can execute the Static Analysis with the CWE™ and CWE™/SANS Top 25 rulesets:
...
CWE™ Results
After the Static Analysis completes, even if you chose a different ruleset, each detected vulnerability always carries its own CWE™ ID with the related web link:
...
In the Static Analysis Reports, each rule violation shows the related clickable CWE™ ID:
...
CWE™ Capabilities
Requirement | Capability | Fulfillment Method |
---|---|---|
CWE | Security, Dead code, Best practices Rules, Analysis Results and Reports | Using the search function in Security Reviewer (the vulnerability countermeasure information database), users can search with CWE identifiers as the keyword. |
CWE | Analysis Results | CWE identifiers are displayed in the "Results" section of each vulnerability countermeasure information page. |
CWE | Reports | The CWE identifier is displayed in the "Violations" section of the detailed information window of each vulnerability countermeasure. |
CWE | Security Reviewer Knowledge Center, User Guide | This document is the documentation that describes and demonstrates CWE, the CWE association and the methods used to satisfy the compatibility requirements. |
Mapping | Security, Dead code, Best practices Rules, Analysis Results and Reports | Security Reviewer supports many of the CWE 4.4 IDs related to Static Analysis. |
Supported CWE™ per Programming Language (Tiobe Index Top 10)
CWE ID | Description | Language | Rule | Severity |
---|---|---|---|---|
111 | Avoid invoking a native method | .NET | NativeNET | 3 |
113 | Header Checking Disabled | .NET | Header_Checking_Disabled | 3 |
119 | Array Index Out Of Bounds | .NET | C67VB | 1 |
200 | Deprecated use of Functions returning a Variant | .NET | DEPRECATED_VB_Variant | 2 |
200 | Avoid using System.Console 'Write()' or 'WriteLine()' statements | .NET | Securitymisc07 | 3 |
200 | Use of deprecated ActiveX/OCX components | .NET | DEPRECATED_VB | 3 |
200 | Deprecated type or function | .NET | deprecatedObjectVB | 3 |
200 | Deprecated Variable type | .NET | deprecatedVariableVB | 3 |
200 | Use of deprecated win32 API | .NET | DEPRECATED_API | 3 |
200 | Deprecated Win32 API returning ANY | .NET | DEPRECATED_API_ANY | 3 |
209 | Improper call of 'StackTrace' property of System.Exception | .NET | Securitymisc08 | 3 |
209 | ASP.NET Misconfiguration (Impersonation) | .NET | ACIdentity | 1 |
209 | ASP.NET Misconfiguration (ViewStateMac Disabled) | .NET | ACStateMac | 1 |
209 | ASP.NET Misconfiguration (Header Checking Disabled) | .NET | ACHeaderChecking | 1 |
212 | public instance fields accessed by untrusted class | .NET | Idor06 | 4 |
212 | public inner classes accessed from untrusted classes | .NET | Idor08 | 4 |
215 | WCF Misconfiguration (Debug Information) | .NET | WCF_Debug_Information | 3 |
248 | Improper invoking of an exception filtering method | .NET | Securitymisc09 | 3 |
254 | WCF Misconfiguration (Unsafe Revocation Mode) | .NET | WCF_Unsafe_Revocation_Mode | 2 |
254 | WCF Misconfiguration (Weak Token) | .NET | WCF_Weak_Token | 2 |
257 | Avoid recreating string from SecureString | .NET | Ftorurla01 | 2 |
257 | Avoid using String for passwords | .NET | Ics04 | 2 |
285 | WCF Misconfiguration (Anonymous MSMQ) | .NET | WCF_Anonymous_MSMQ | 1 |
327 | Hardcoded connection strings | .NET | Itl02 | 3 |
327 | Static Random Number Generator | .NET | Ics07VB | 2 |
327 | Static Random Number Generator | .NET | Ics07 | 2 |
327 | Poor Seeding | .NET | PoorSeeding | 2 |
327 | Improper change of RSA/DSA KeySize property | .NET | Ics03 | 1 |
327 | Hardcoded connection strings VB | .NET | Itl02VB | 3 |
352 | Insecure local 'Cookie' object (XML) | .NET | cookieXML_NET | 3 |
388 | Ensure all exceptions are logged in the error blocks | .NET | Securitymisc03 | 2 |
388 | Avoid throwing exceptions inside destructors | .NET | Securitymisc06 | 3 |
388 | WCF Misconfiguration (Insufficient Audit Failure Handling) | .NET | WCF_Insufficient_Audit | 3 |
388 | Poor error handling | .NET | OnErrorVB | 2 |
400 | Denial of Service (Sleep) | .NET | C14VB | 1 |
400 | Denial of Service Threat | .NET | Injection23VB | 1 |
404 | Close DB connections in 'finally' block | .NET | Injection15 | 2 |
404 | Unreleased Resource | .NET | Unreleased | 1 |
404 | Unreleased Resource | .NET | Injection14VB | 1 |
404 | Close DB objects in 'finally' block | .NET | Injection14 | 1 |
495 | Static fields that are not readonly | .NET | Idor07 | 4 |
495 | public instance fields accessed by untrusted classes | .NET | Idor02 | 3 |
497 | Information Leakage (DDE) | .NET | VBDDE | 3 |
497 | LSET and RSET functions are deprecated fields not string | .NET | VBLRSET | 3 |
511 | Logic-Time Bomb (.NET) | .NET | TIMEBOMB_NET | 2 |
532 | Improper use of System.Console.Write() or WriteLine() in Catch blocks | .NET | Securitymisc05 | 2 |
581 | Improper equality using hash codes | .NET | Ics01 | 1 |
639 | System Error printed out | .NET | CE6VB | 3 |
651 | WCF Misconfiguration (Service Enumeration) | .NET | WCF_Service_Enumeration | 3 |
665 | Readonly Array fields should be cloned | .NET | Idor01 | 3 |
665 | Improper 'virtual' declaration of a 'Clone()' method | .NET | Securitymisc11 | 3 |
667 | Improper locking of typed Objects | .NET | Idor10 | 3 |
671 | Improper modification to security settings | .NET | Securitymisc15 | 4 |
676 | Avoid using System Milliseconds | .NET | Securitymisc14 | 4 |
676 | Setting Timer Interval to zero is deprecated | .NET | Securitymisc14VB | 4 |
73 | Setting Manipulation | .NET | Injection04SM | 1 |
732 | Improper deny of SkipVerification security permission | .NET | Ics02 | 1 |
77 | [RunPE-Packed] Malware Suspicious behaviour | .NET | PEPacked | 1 |
77 | [RunPE] Malware Suspicious behaviour | .NET | PE | 1 |
778 | WCF Misconfiguration (Insufficient Logging) | .NET | WCF_Insufficient_Logging | 3 |
78 | Improper call to late-binding methods | .NET | Securitymisc10 | 3 |
79 | Reflected XSS ASP-ASPX / Security Decisions Via Untrusted Inputs | .NET | Injection26 | 3 |
798 | Avoid using hardcoded strings for password-related parameters | .NET | Ics05 | 2 |
822 | Exposing Pointer type fields | .NET | Idor03 | 2 |
822 | Deprecated ObjPtr VarPtr StrPtr | .NET | idor03VB | 2 |
829 | Class outside namespace | .NET | Securitymisc02 | 2 |
863 | Access Control: Database (VB) | .NET | accessControlVB | 1 |
89 | SQL Connection Injection | .NET | Injection11 | 1 |
111 | Avoid user-defined Native methods (JSNI) | ALL | NativeJS | 3 |
117 | Log Forging | ALL | Injection19 | 1 |
15 | External Control of System or Configuration Setting | ALL | ExternalSCS | 2 |
190 | Integer Overflow | ALL | IntegerOverflow | 1 |
200 | Deprecated DOS command | ALL | DeprecatedDOScommand | 1 |
200 | toString on Array | ALL | ArrayToString | 1 |
200 | Reflected Exposure of Sensitive data | ALL | Securitymisc17 | 3 |
209 | Hardcoded credentials (JavaScript) | ALL | Hardcodedjs | 1 |
213 | Exposure of Sensitive data | ALL | Securitymisc01 | 1 |
22 | Path Traversal | ALL | Injection05 | 1 |
242 | Dangerous Function | ALL | deprecatedObjectFunction | 1 |
311 | Hardcoded credentials | ALL | HardcodedCredentials | 1 |
326 | Insecure algorithms for cryptography | ALL | Ics06 | 2 |
327 | Weak Cryptography (JavaScript) | ALL | Cryptographic_JS | 2 |
327 | Weak Cryptography (SQL) | ALL | Cwe327SQL | 2 |
327 | Insecure TLS configuration | ALL | TLS_XML | 2 |
328 | Insecure TLS Cipher (Medium) | ALL | TLS_MEDIUM | 3 |
328 | Insecure SSL Cipher/Protocol | ALL | SSL | 1 |
328 | Insecure SSL Cipher (Medium) | ALL | SSL_MEDIUM | 3 |
328 | Insecure SSL configuration | ALL | SSL_XML | 1 |
328 | Weak TLS Cipher/Protocol | ALL | TLS | 2 |
330 | Use window.Crypto.getRandomValues() | ALL | Ics07JS | 2 |
344 | Hardcoded IP address | ALL | Itl03 | 1 |
349 | JavaScript DB Injection | ALL | DBInjectionJS | 1 |
352 | Cross Site Request Forgery (JavaScript) - Missing data filter | ALL | Csrfjs | 2 |
352 | HTTP Response Splitting | ALL | Csrf01 | 1 |
352 | Cross Site Request Forgery (JavaScript) | ALL | Csrfjs_2 | 2 |
359 | e-mail address in Source Code | ALL | EmailCode | 3 |
36 | Absolute Path in comment | ALL | Securitymisc19 | 4 |
36 | Absolute path to a Shared Resource in source code | ALL | AbsoluteResource | 3 |
36 | Absolute Path in Source Code | ALL | Securitymisc18 | 3 |
388 | Missing Custom Errors Page(s) | ALL | PageXML | 3 |
388 | Excessive Session Timeout | ALL | ExcessiveTimeOutXML | 3 |
388 | Avoid return break continue or throw in finally block | ALL | FinallyReturn | 3 |
395 | Denial of Service Threat - Resource consumption (CPU) | ALL | Sr_NullPointerException | 1 |
400 | Denial of Service (JavaScript) | ALL | DenialOfService_JS | 1 |
434 | Unrestricted Upload | ALL | InjectionUnrestricted | 1 |
447 | Unsupported Feature | ALL | UnsupportedIEW7 | 1 |
448 | Deprecated Element | ALL | deprecatedBrowserIE | 2 |
465 | Second order Injection / Security Decisions Via Untrusted Inputs | ALL | Injection18 | 3 |
476 | Null Pointer Dereference (Nullable object) | ALL | NullableObject | 1 |
476 | Numeric method returns null | ALL | ReturnNumberNull | 3 |
476 | Null Pointer Dereference (throw null) | ALL | NullableThrow | 1 |
476 | Null Pointer Dereference (Nullable formal parameter) | ALL | NullableFormalParameter | 1 |
476 | Boolean Method returns null | ALL | NullableReturns | 2 |
477 | Statement is Deprecated (JavaScript) | ALL | deprecatedJS | 3 |
478 | 'switch'/'Select' statement should have a 'default'/'Case Else' condition | ALL | CWE200SC | 4 |
494 | Download of Code Without Integrity Check | ALL | Idor494 | 2 |
501 | Cross-Session Contamination (JavaScript) | ALL | CrossSessionContamination_JS | 1 |
501 | Trust Boundary Violation | ALL | Injection24 | 1 |
501 | Trust Boundary Violation | ALL | Injection24_2 | 1 |
511 | Logic-Time Bomb (DOS Command) | ALL | DangerousDOSCommand_BOMB | 2 |
522 | Password in Configuration file | ALL | Pcf | 1 |
531 | Unit Test Libraries should be used in a separate source file | ALL | CWE395TEST_2 | 3 |
531 | TestCase should be in a separate source file | ALL | CWE395TEST_1 | 2 |
564 | SQL Injection (HibernateJS) | ALL | Injection564 | 1 |
601 | HTTP Redirect | ALL | Csrf03 | 1 |
610 | File or Directory Name Manipulation (JavaScript) | ALL | FileManipulation_JS | 1 |
612 | JavaScript IndexedDB Injection | ALL | IndexedDBInjectionJS | 1 |
614 | Insecure Cookie (JavaScript) | ALL | idorjs_unsecure_cookie | 1 |
614 | Cookie Session too long (JavaScript) | ALL | idorjs_cookie | 2 |
614 | Insecure Cookie | ALL | IdorCOOKIE | 3 |
614 | Insecure Cookie Path (JavaScript) | ALL | idorjs_unsecure_cookie_path | 2 |
639 | Avoid Debug/Trace mode in production | ALL | BrokenauthXML | 5 |
642 | Improper Granting of all privileges on an object | ALL | idorjs | 1 |
664 | Insecure XML setting | ALL | IdorXML | 3 |
668 | Improper Logger (JavaScript) | ALL | Securitymisc12js | 3 |
669 | Avoid using Components NW.js | ALL | NWJS | 1 |
669 | Avoid using Components with Known Vulnerabilities in POM-JAR or Project File (Low) | ALL | Uckv08 | 3 |
669 | Avoid using Components with Known Vulnerabilities (Medium) | ALL | Uckv02 | 2 |
669 | Avoid using Components with Known Vulnerabilities in POM-JAR or Project File (Medium) | ALL | Uckv07 | 2 |
669 | Avoid using Components with Known Vulnerabilities (Low) | ALL | Uckv03 | 3 |
669 | Avoid using Components with Known Vulnerabilities (High) | ALL | Uckv01 | 1 |
669 | No Project Files were found | ALL | Uckv04 | 1 |
669 | No POM.XML Files were found | ALL | Uckv05 | 1 |
669 | Avoid using Components with Known Vulnerabilities in POM-JAR or Project File (High) | ALL | Uckv06 | 1 |
676 | Dangerous DOS command | ALL | DangerousDOScommand | 1 |
676 | Missing wrapping of 'dangerous' functions | ALL | Securitymisc13 | 3 |
676 | Dangerous Linux command | ALL | DangerousLinuxcommand | 1 |
77 | Code Injection - Tag | ALL | Injection01Tag | 1 |
77 | Command Injection | ALL | Injection01 | 1 |
78 | OS Command Injection (JavaScript) | ALL | OSINJECTION_JS | 1 |
79 | Reflected XSS (JavaScript) / Security Decisions Via Untrusted Inputs | ALL | XSS_JS | 3 |
79 | Cross-Site Scripting (Web2py) | ALL | PYTHON_S60 | 1 |
79 | Cross Site Scripting / Security Decisions Via Untrusted Inputs | ALL | Xss01 | 1 |
798 | User-Password-Profile-ID in Comment | ALL | Uohcc01 | 4 |
798 | Hardcoded IP address in comment | ALL | Itl04 | 4 |
798 | Suspicious Hardcoded URL/URI | ALL | Dangerous_Hardcoded_URL | 3 |
863 | Access Control: Database (JavaScript) | ALL | accessControl_JS | 1 |
88 | Avoid SELECT * statements | ALL | Injection17 | 3 |
88 | NET injection | ALL | Injection20 | 1 |
89 | SQL Query Injection | ALL | Injection10 | 1 |
90 | LDAP Injection | ALL | Injection07 | 1 |
90 | Possible LDAP Injection | ALL | InjectionCert | 3 |
91 | Weak XML Schema (tag Any) | ALL | XSDAny | 3 |
91 | Weak XML Schema (type Unbounded) | ALL | XSDmaxOccurs | 3 |
91 | XPath Injection | ALL | Injection13 | 1 |
91 | Weak XML Schema (Lax-Skip tags) | ALL | LaxSkip | 1 |
94 | CORS - Overly permissive target origin | ALL | CodeInjection_JS3 | 1 |
94 | JQuery Code Injection (JavaScript) | ALL | jqueryjs | 1 |
94 | Second Order Code Injection (JavaScript) | ALL | MooToolsjs | 1 |
94 | Overly permissive target origin | ALL | CodeInjection_JS2 | 1 |
94 | HTML Injection (JavaScript) | ALL | HTMLInjectionJS | 1 |
94 | Code Injection (JavaScript) | ALL | CodeInjection_JS | 1 |
94 | Second Order File Injection (JavaScript) | ALL | MooToolsFilejs | 1 |
94 | Second Order Unsecure JSON decoding (JavaScript) | ALL | MooToolsJsonjs | 1 |
95 | Eval Injection (JavaScript) | ALL | EvalInjection | 1 |
96 | SQL Injection (JavaScript) | ALL | SQL_Injection_JS | 1 |
97 | Server Side Include (SSI) Injection | ALL | SSI | 1 |
99 | Resource Injection (JavaScript) | ALL | ResourceInjection_JS | 1 |
119 | Array Index Out Of Bounds | CCPP | C67 | 1 |
119 | Buffer Overflow (Containers) | CCPP | C03 | 1 |
120 | Second order Buffer Overflow (sizeof of sizeof) | CCPP | C46 | 3 |
120 | Buffer Overflow (Buffer) | CCPP | C08 | 1 |
120 | Buffer Overflow (Array pointer) | CCPP | C04 | 1 |
120 | Memory Leak (ctype isalnum/isalpha/isascii/is...) | CCPP | C35 | 2 |
120 | Buffer Overflow (Array Index) | CCPP | C02 | 2 |
121 | scanf without field width limits | CCPP | C86 | 3 |
122 | Buffer Overflow (strncpy/memset/memcpy) | CCPP | C10 | 1 |
125 | Buffer Access Out Of Bounds | CCPP | C68 | 1 |
125 | Buffer Overflow (Array) | CCPP | C07 | 1 |
125 | Second order Buffer Overflow (Array) | CCPP | C49 | 3 |
126 | Second order Buffer Overflow (strncpy) | CCPP | C50 | 2 |
126 | Buffer Overlap (s[n]printf()) | CCPP | C11 | 2 |
129 | Buffer Overflow (Index is out of range) | CCPP | C06 | 1 |
131 | Avoid using Uninitialized Variables (Wrong buffer write) | CCPP | C62 | 1 |
134 | sprintf: insufficient format string parameters | CCPP | C87 | 3 |
134 | Stack Overflow (scanf) | CCPP | C81 | 3 |
135 | Incorrect Calculation of Multi-Byte String Length | CCPP | C135 | 3 |
170 | Buffer Not Zero Terminated (After a call to a function) | CCPP | C70 | 1 |
190 | Buffer Overflow (strncat) | CCPP | C09 | 1 |
195 | Stack Overflow (printf sint) | CCPP | C79 | 3 |
196 | Stack Overflow (printf uint) | CCPP | C80 | 3 |
20 | Memory Leak (Same iterator) | CCPP | C24 | 2 |
200 | Information Leakage (#pragma ibm critical) | CCPP | CE11 | 3 |
214 | Information Leakage (#pragma ibm parallel_loop) | CCPP | CE12 | 3 |
233 | Invalid Length Modifier (printf) | CCPP | C73 | 3 |
243 | Creation of chroot Jail Without Changing Working Directory | CCPP | CE243 | 1 |
256 | Plaintext Storage of a Password | CCPP | CE256 | 2 |
257 | Avoid using String for passwords | CCPP | CE7 | 2 |
311 | Memory Leak (Unsafe root Class) | CCPP | C29 | 2 |
327 | Cryptographic key too short | CCPP | CE8 | 3 |
344 | Hardcoded IP address | CCPP | CE9 | 1 |
369 | Division by zero | CCPP | C15 | 1 |
369 | Potential division by zero | CCPP | C42 | 2 |
388 | Invalid c_str() after a call | CCPP | C20 | 2 |
388 | Invalid c_str() after throwing exception | CCPP | C21 | 2 |
396 | Improper Logger (Rethrow) | CCPP | C41 | 1 |
398 | Memory Leak (Missing virtual destructor) | CCPP | C34 | 2 |
399 | Memory Leak (Class provides constructors) | CCPP | C27 | 2 |
400 | Denial of Service (usleep) | CCPP | C14 | 1 |
401 | Memory Leak (Copy 'auto_ptr' pointer) | CCPP | C33 | 2 |
401 | Memory Leak (when executing) | CCPP | C39 | 1 |
404 | Resource Leak (when executing) | CCPP | C40 | 1 |
456 | Avoid using Uninitialized Variables (Leak) | CCPP | C60 | 1 |
457 | Avoid using Uninitialized Variables (Member Variable) | CCPP | C59 | 1 |
457 | Memory Leak (Data not initialized) | CCPP | C28 | 2 |
466 | Stack Overflow (Wrong returning reference) | CCPP | C57 | 2 |
467 | Buffer Overflow (pointer) | CCPP | C01 | 1 |
467 | Second order Buffer Overflow (sizeof for Array) | CCPP | C48 | 3 |
468 | Stack Overflow (printf *) | CCPP | C77 | 3 |
476 | Second order null Pointer Dereference (null Pointer) | CCPP | C51 | 2 |
476 | Second order null Pointer Dereference (shifting negative) | CCPP | C53 | 2 |
476 | Memory Leak (New) | CCPP | C37 | 1 |
477 | Obsolete Functions | CCPP | C32 | 3 |
480 | Assign Bool To Pointer (converting bool value to address) | CCPP | C69 | 3 |
487 | Invalid Scope Object ('auto-ptr' pointer) | CCPP | C23 | 1 |
495 | Stack Overflow (local Array variable) | CCPP | C56 | 2 |
497 | Information Leakage (#pragma ibm schedule) | CCPP | CE13 | 3 |
511 | Logic-Time Bomb (C/C++) | CCPP | TIMEBOMB_C | 2 |
523 | Avoid using non-SSL communications | CCPP | CE4 | 2 |
531 | Unit Test Libraries should be used in a separate source file | CCPP | CWE395TEST_2_CPP | 3 |
532 | Improper Logger (Destructor) | CCPP | C30 | 1 |
534 | Ensure all exceptions are either logged with a standard logger or rethrow | CCPP | C31 | 2 |
562 | Stack Overflow (auto-variable) | CCPP | C55 | 2 |
562 | Stack Overflow (temporary) | CCPP | C58 | 2 |
569 | Memory Leak (Class contains a std::string) | CCPP | C26 | 2 |
569 | Second order Buffer Overflow (strlen/sizeof) | CCPP | C44 | 3 |
569 | Second order Buffer Overflow (sizeof) | CCPP | C45 | 3 |
590 | Memory Leak (Memory allocated not freed) | CCPP | C25 | 2 |
617 | Call Settings manipulation (Assert) | CCPP | C12 | 3 |
628 | Stack Overflow (printf char*) | CCPP | C78 | 3 |
628 | Call Settings manipulation (pipe()) | CCPP | C13 | 2 |
639 | System Error stored in a variable | CCPP | CE6_S | 4 |
639 | System Error printed out | CCPP | CE6 | 3 |
665 | Avoid using Uninitialized Variables (inside constructor) | CCPP | C65 | 1 |
665 | Second order null Pointer Dereference (passing NULL) | CCPP | C52 | 2 |
665 | Avoid using Uninitialized Variables (Missing use of constructor) | CCPP | C66 | 1 |
665 | Avoid using Uninitialized Variables (Wrong reassignment) | CCPP | C61 | 3 |
665 | Invalid Scope Object | CCPP | C22 | 1 |
665 | Avoid using Uninitialized Variables | CCPP | C63 | 1 |
665 | Avoid using Uninitialized Variables (struct) | CCPP | C64 | 1 |
676 | Stack Overflow (Pure virtual call) | CCPP | C54 | 1 |
680 | Buffer Overflow (operator) | CCPP | C05 | 1 |
681 | Invalid printf argument type (floating point) | CCPP | C74 | 3 |
681 | Stack Overflow (printf int) | CCPP | C75 | 3 |
686 | Stack Overflow (printf int*) | CCPP | C76 | 3 |
695 | Improper usage of I/O Stream | CCPP | C16 | 2 |
695 | Avoid using I/O Stream (Read) | CCPP | C17 | 2 |
695 | Avoid using I/O Stream | CCPP | C18 | 2 |
695 | Avoid using I/O Stream (Write) | CCPP | C19 | 2 |
762 | Memory Leak (New mismatch) | CCPP | C38 | 3 |
763 | Portability failure (CastIntegerToAddressAtReturn) | CCPP | C85 | 1 |
763 | Portability failure (AssignmentIntegerToAddress) | CCPP | C83 | 1 |
78 | OS command Injection (Unvalidated command string) | CCPP | CE5 | 1 |
783 | Second order Buffer Overflow (sizeof with a numeric constant) | CCPP | C47 | 3 |
79 | Cross Site Scripting / Security Decisions Via Untrusted Inputs | CCPP | CE2 | 1 |
79 | Reflected Cross Site Scripting / Security Decisions Via Untrusted Inputs | CCPP | C43 | 2 |
825 | Memory Leak (deallocated pointer) | CCPP | C36 | 1 |
86 | OS command Injection (Buffer overrun) | CCPP | C82 | 2 |
86 | Portability failure (AssignmentAddressToInteger) | CCPP | C82 | 1 |
86 | Portability failure (CastAddressToIntegerAtReturn) | CCPP | C84 | 1 |
88 | NET injection | CCPP | CE3 | 1 |
89 | SQL Query Injection | CCPP | CE1 | 1 |
113 | HTTP Response Splitting | COBOL | Cwe113 | 1 |
117 | COBOL LOG Forging | COBOL | Cwe117 | 1 |
15 | CALL Settings Manipulation | COBOL | Cwe15 | 2 |
200 | Information Leakage - ACCEPT ... FROM CONSOLE | COBOL | Cwe200P3 | 3 |
200 | Information Leakage - DUMPCODE | COBOL | Cwe200 | 3 |
200 | Information Leakage - DISPLAY | COBOL | Cwe200P1 | 3 |
200 | Information Leakage - EVALUATE | COBOL | Cwe200P2 | 4 |
307 | Access Control: MQ | COBOL | Cwe307 | 1 |
327 | Weak Cryptography | COBOL | Cwe327 | 2 |
359 | Privacy Violation: Hardcoded Credentials | COBOL | Cwe359 | 2 |
388 | Include SQLCA MISSED | COBOL | Cwe388P2 | 2 |
388 | Ignored Error Condition | COBOL | Cwe388 | 3 |
388 | Multiple HANDLE ABEND | COBOL | Cwe388P1 | 4 |
457 | Avoid using Uninitialized Variables | COBOL | Cwe457 | 3 |
546 | Suspicious Comment | COBOL | Cwe546 | 4 |
610 | URL Redirection to Untrusted Site | COBOL | Cwe610 | 1 |
692 | Reflected Cross Site Scripting / Security Decisions Via Untrusted Inputs | COBOL | Cwe692 | 2 |
692 | Stored Cross Site Scripting / Security Decisions Via Untrusted Inputs | COBOL | Cwe692P1 | 1 |
692 | UTF-7 Cross-Site Scripting (COBOL) | COBOL | Cwe692P2 | 3 |
73 | FILE Path Manipulation | COBOL | Cwe73 | 2 |
78 | OS Command Injection | COBOL | Cwe78 | 1 |
79 | Cross-site Scripting | COBOL | Cwe79 | 1 |
798 | Password in Comment | COBOL | Cwe798P2 | 4 |
798 | Password Stored in plain text | COBOL | Cwe798 | 2 |
798 | Hardcoded Password | COBOL | Cwe798P1 | 2 |
863 | Access Control: DLI | COBOL | Cwe863 | 1 |
89 | Access Control: Database | COBOL | Cwe89 | 1 |
99 | QUEUE Resource Injection | COBOL | Cwe732 | 1 |
11 | Flex Misconfiguration (Debug Information) | JAVA | XML_Debug_Information | 2 |
114 | Library injection | JAVA | Injection08 | 1 |
16 | Build misconfiguration (Dynamic Dependency) | JAVA | Dynamic_Dependency | 3 |
16 | Build Misconfiguration (External Maven Dependency Repository) | JAVA | External_Maven_Dependency_Repository | 4 |
16 | Build Misconfiguration (External Ant Dependency Repository) | JAVA | External_Ant_Dependency_Repository | 4 |
20 | ADF Bad Practice (Insecure Attribute) | JAVA | ADF_Unsecure_Attribute | 2 |
20 | ADF Bad Practice (url-invoke) | JAVA | ADF_url_invoke | 2 |
20 | addAccount vulnerability (CVE-2014-8609) | JAVA | addAccount | 1 |
20 | ADF Bad Practice (Missing Converter) | JAVA | ADF_Missing_Converter | 2 |
200 | Deprecated Functions | JAVA | DEPRECATED_1 | 3 |
200 | Improper use of System.err.println() in Catch blocks | JAVA | Securitymisc04 | 2 |
200 | Avoid use of com.sun or sun packages | JAVA | DEPRECATED_2 | 3 |
200 | System information leak- Direct JSP Access | JAVA | LeakXML | 1 |
200 | Information Exposure - HTML comment in JSP | JAVA | CommentHTML | 5 |
209 | Debug statements can be leaked | JAVA | Brokenauth04 | 5 |
209 | Debug level of 3 or greater could cause sensitive data including passwords to be logged. Debug #[Object] | JAVA | DebugXML | 3 |
209 | HTTP Verb Tampering | JAVA | TamperingXML | 1 |
213 | Unnecessary temporaries when using toString() | JAVA | UnecessarytoString | 1 |
246 | JAVA Bad Practices: Direct Use of Sockets | JAVA | use_of_Sockets | 1 |
254 | WebSphere Misconfiguration (Missing Outbound Timestamp) | JAVA | WSP_Missing_Outbound_Timestamp | 3 |
254 | WebSphere Misconfiguration (Missing Inbound Timestamp) | JAVA | WSP_Missing_Inbound_Timestamp | 3 |
254 | Weblogic Misconfiguration (Missing Timestamp) | JAVA | Weblogic_Missing_Timestamp | 3 |
254 | WS-Security Misconfiguration (Weak Token) | JAVA | WWS_Weak_Token | 2 |
257 | Avoid recreating string from GuardedString | JAVA | Ftorurla01Java | 2 |
257 | Avoid using String for passwords | JAVA | jcs04 | 2 |
311 | WebSphere Misconfiguration (Weak Token) | JAVA | WSP_Weak_Token | 3 |
327 | Missing transport-guarantee Constraint | JAVA | GuaranteeXML | 1 |
327 | Cipher.getInstance with ECB | JAVA | GetInstance_lint | 3 |
327 | Cryptographic key too short | JAVA | Ics08 | 3 |
330 | Weak pseudo-random numbers | JAVA | Ics07Java | 2 |
330 | Weak RNG | JAVA | TrulyRandom_lint | 3 |
330 | Using a fixed seed with SecureRandom | JAVA | SecureRandom_lint | 3 |
345 | WebSphere Misconfiguration (Missing Outbound WS-Security) | JAVA | WSP_Missing_Outbound_WS_Security | 3 |
345 | WebSphere Misconfiguration (Servlets) | JAVA | WSP_Servlets | 3 |
345 | WebSphere Misconfiguration (Missing Inbound WS-Security) | JAVA | WSP_Missing_Inbound | 3 |
345 | WebSphere Misconfiguration (Missing Inbound Encryption) | JAVA | WSP_Missing_Inbound_Encryption | 3 |
345 | WebSphere Misconfiguration (Missing Outbound Signature) | JAVA | WSP_Missing_Outbound_Signature | 3 |
345 | WebSphere Misconfiguration (Missing Outbound Encryption) | JAVA | WSP_Missing_Outbound_Encryption | 3 |
345 | WebSphere Misconfiguration (Missing Inbound Signature) | JAVA | WSP_Missing_Inbound_Signature | 3 |
345 | WebSphere Misconfiguration (Missing Timestamp Expiration) | JAVA | WSP_Missing_Timestamp_Expiration | 3 |
352 | Insecure local 'Cookie' object | JAVA | Brokenauth03 | 3 |
352 | Avoid using 'get' for credential transfers | JAVA | Csrf02 | 2 |
372 | Incorrect Static Field Access | JAVA | StateDistinction | 3 |
382 | JAVA Bad Practice - System.exit() | JAVA | USE_SYSTEM_EXIT | 1 |
388 | Throw in main() method | JAVA | ThrowInMain | 3 |
388 | Ensure all exceptions are either logged with a standard logger or rethrow | JAVA | Securitymisc12 | 3 |
388 | Insecure tracking.mode | JAVA | TrackingXML | 3 |
394 | Host Name or Address in a condition | JAVA | SecurityBreach | 2 |
400 | Denial of Service Threat | JAVA | Injection23 | 1 |
404 | Memory Leak (ObjectOutputStream) | JAVA | MemoryLeakObjectOutputStream | 4 |
404 | Missing call to super | JAVA | MissingCallSuper | 2 |
470 | Reflection injection | JAVA | Injection09 | 1 |
471 | Immutable Classes: Non-final Fields | JAVA | ImmutableClass | 3 |
476 | Null Pointer Dereference (synchronized) | JAVA | NullableSinchronized | 1 |
476 | Null Pointer Dereference (condition) | JAVA | NullableCondition | 1 |
476 | Empty arrays and collections should be returned instead of null | JAVA | ReturnEmptyArrays | 2 |
477 | Unsupported Feature | JAVA | UnsupportedFeatureJS | 2 |
499 | Incorrect Serializable Method Signature | JAVA | IncorrectSerializable | 3 |
499 | Incorrect Serialization of inner classes | JAVA | InnerClassSerializable | 4 |
5 | ACEGI Security Bad Practice (Insecure Channel Mixing) | JAVA | ACEGI_Insecure_Channel_Mixing | 2 |
506 | JAVA Bad Practice - Dangerous access to local resources | JAVA | writePathName | 1 |
511 | Logic-Time Bomb (JavaScript) | JAVA | TIMEBOMB_JS | 2 |
511 | Logic-Time Bomb | JAVA | TIMEBOMB_JAVA | 2 |
522 | Weak LDAP Authentication (Anonymous) | JAVA | SECURITY_AUTHENTICATION | 2 |
523 | Insecure SSL Connection | JAVA | InsecureSSLconnection | 2 |
523 | Titanium Broken default HTTPS | JAVA | NonValidatingTrustManager | 2 |
523 | Avoid using non-SSL communications | JAVA | Itl01 | 2 |
532 | Improper call to printStackTrace() method of Throwable objects | JAVA | Securitymisc16 | 5 |
572 | Denial Of Service (Thread) | JAVA | ThreadRUN | 2 |
573 | Bean Class should be serialized | JAVA | NonSerializableBean | 3 |
594 | Missing writeObject or serialVersionUID | JAVA | ClassSerializable | 3 |
639 | Custom Security Manager outside of 'main' | JAVA | Brokenauth01 | 2 |
662 | Denial Of Service (Synchronization) | JAVA | Notify | 2 |
668 | Exposing dangerous data | JAVA | Ftorurla02 | 2 |
693 | Missing 'SecurityManager' checks | JAVA | Idor09 | 4 |
693 | Missing security manager | JAVA | Idor11 | 3 |
693 | Custom 'SecurityManager' | JAVA | Idor05 | 3 |
708 | ACEGI Security Bad Practice (Run-As) | JAVA | ACEGI_Run_As | 2 |
73 | File Contents Injection | JAVA | Injection04 | 1 |
73 | Empty Jar or Zip file creation | JAVA | EmptyJarZip | 2 |
73 | File Inclusion Vulnerability | JAVA | IncludeFile | 2 |
732 | Bean class should be public | JAVA | BeanClassPublic | 2 |
732 | Bean class without ejbCreate() method | JAVA | BeanClassejbCreate | 2 |
732 | Bean class should not have finalize() method | JAVA | BeanClassFinalize | 2 |
732 | Abstract Bean class | JAVA | AbstractBeanClass | 2 |
732 | Incorrect declaration of ejbCreate() method | JAVA | UncorrectDeclaring | 2 |
732 | Incorrect declaration of ejbCreate() method | JAVA | UncorrectDdeclaring | 2 |
732 | Final Bean class | JAVA | FinalBeanClass | 2 |
732 | Bean class should not return 'this' | JAVA | BeanClassThis | 2 |
77 | Malicious package name was found | JAVA | MaliciousPackage | 1 |
78 | Environment Variable Injection | JAVA | Injection03 | 1 |
79 | Second order reflected XSS / Security Decisions Via Untrusted Inputs | JAVA | Injection99 | 2 |
79 | Stored XSS | JAVA | JSPStored | 1 |
79 | Reflected XSS / Security Decisions Via Untrusted Inputs | JAVA | Injection25 | 2 |
798 | Autocompleted password fields | JAVA | Brokenauth02 | 2 |
798 | Password stored in plaintext (JAVA) | JAVA | PasswordStored | 2 |
798 | Dangerous Hardcoded TCP Port | JAVA | Itl03Port | 1 |
813 | Exposing of internal representations by returning mutable fields | JAVA | Idor04 | 3 |
829 | Avoid user-defined Native methods | JAVA | NativeJava | 2 |
88 | Attribute injection | JAVA | Injection22 | 1 |
88 | Insecure Properties setting | JAVA | UnsecurePropertiesSetting | 2 |
89 | Second order SQL Injection | JAVA | Injection16 | 3 |
89 | Jakarta Digester Injection | JAVA | Injection02 | 1 |
89 | Second Order SQL Injection - Primary Key | JAVA | Injection10Key | 3 |
91 | XML Injection | JAVA | Injection12 | 1 |
91 | XXE - XML External Entities | JAVA | XMLExternalEntities | 1 |
91 | XXE - XML External Entity Injection | JAVA | InjectionXXE | 1 |
91 | JXPath Injection | JAVA | Injection06 | 1 |
94 | addJavascriptInterface Called | JAVA | AddJavascriptInterface_lint | 3 |
94 | Code injection | JAVA | Injection21 | 1 |
94 | Code Injection-Insecure loading of a JAVA Class or a Child Process | JAVA | createPackageContext | 1 |
117 | User-Passwords logging | PHP | PHP.26 | 1 |
117 | Unsanitized Data Written to Logs | PHP | PHP.27 | 3 |
16 | Failure to use 'disable_functions' | PHP | PHP.16 | 4 |
200 | Information Leakage ($_GET['test']) | PHP | PHP.14 | 3 |
200 | Improper Use of 'register_globals' | PHP | PHP.38 | 1 |
200 | Improper Use of 'register_globals' | PHP | PHP.31 | 3 |
200 | Information Leakage through Deprecated Functions | PHP | PHP.13 | 3 |
200 | Information Exposure Through an Error Message (phpinfo) | PHP | PHP.12 | 3 |
257 | Avoid Hardcoded Passwords | PHP | PHP.17 | 1 |
261 | Unsafe Password Management | PHP | PHP.28 | 1 |
284 | File Access Vulnerability | PHP | PHP.23 | 2 |
284 | Package Running Under Potentially Excessive Permissions (AUTHID DEFINER) | PHP | PHP.46 | 4 |
327 | Insecure pseudo-random number generation (mt_rand) | PHP | PHP.15 | 3 |
338 | Deterministic Pseudo-Random Values (openssl_random_pseudo_bytes) | PHP | PHP.36 | 3 |
338 | Deterministic Pseudo-Random Values ('secure' value deliberately set to 'false') | PHP | PHP.35 | 3 |
434 | Unsafe Processing of $_FILES Array | PHP | PHP.25 | 3 |
601 | Indiscriminate Merging of Input Variables | PHP | PHP.40 | 2 |
79 | Potential DOM-Based XSS / Security Decisions Via Untrusted Inputs | PHP | PHP.42 | 2 |
79 | Stored XSS | PHP | PHP.45 | 3 |
79 | Potential XSS (user-supplied) / Security Decisions Via Untrusted Inputs | PHP | PHP.41 | 2 |
812 | Log in to MySQL as 'root' | PHP | PHP.34 | 1 |
812 | De-Activation of 'safe_mode' | PHP | PHP.32 | 3 |
88 | Function allowing execution of commands (proc_open) | PHP | PHP.06 | 1 |
88 | Function allowing execution of commands (pcntl_exec) | PHP | PHP.07 | 1 |
88 | Function allowing execution of commands (exec) | PHP | PHP.03 | 1 |
88 | Function allowing execution of commands (system) | PHP | PHP.02 | 1 |
88 | Function allowing execution of commands (shell_exec) | PHP | PHP.01 | 1 |
88 | Function allowing execution of commands (passthru) | PHP | PHP.05 | 1 |
88 | Function allowing execution of commands (popen) | PHP | PHP.04 | 1 |
88 | Application Variable Used on System Command Line | PHP | PHP.19 | 1 |
88 | User Controlled Variable Used on System Command Line | PHP | PHP.18 | 2 |
89 | Potential SQL Injection (pre-prepared dynamic SQL) | PHP | PHP.43 | 1 |
89 | Potential SQL Injection (dynamic SQL) | PHP | PHP.44 | 1 |
94 | User's input contains code syntax (preg_replace) | PHP | PHP.10 | 1 |
94 | User's input contains code syntax (eval) | PHP | PHP.08 | 1 |
94 | User's input contains code syntax (assert) | PHP | PHP.09 | 1 |
94 | User's input contains code syntax (create_function) | PHP | PHP.11 | 1 |
94 | De-Activation of 'magic_quotes' | PHP | PHP.33 | 2 |
94 | Function May Evaluate PHP Code Contained in User Controlled Variable | PHP | PHP.29 | 2 |
98 | Variable Used as FileName | PHP | PHP.24 | 5 |
98 | File Inclusion Vulnerability | PHP | PHP.20 | 2 |
98 | Variable Used as FileName | PHP | PHP.21 | 1 |
98 | File Inclusion Vulnerability (uncompiled) | PHP | PHP.22 | 2 |
113 | Header Manipulation - Cookies (Python) | PYTHON | PYTHON_S14 | 2 |
117 | Log Forging (Python) | PYTHON | PYTHON_S16 | 1 |
15 | Setting Manipulation (Python) | PYTHON | PYTHON_S23 | 2 |
20 | Memcached Injection | PYTHON | PYTHON_S17 | 2 |
200 | Suspicious long-term packet sniffing | PYTHON | PYTHON_S57 | 3 |
200 | Suspicious multi-port Sniffing | PYTHON | PYTHON_S66 | 3 |
200 | System Information Leak - External (Python) | PYTHON | PYTHON_S05 | 4 |
22 | Path Traversal (Python) | PYTHON | PYTHON_S39 | 1 |
23 | Relative Path Traversal (Python) | PYTHON | PYTHON_S76 | 3 |
246 | Suspicious Socket/Scapy packets send | PYTHON | PYTHON_S51 | 1 |
256 | Password in connection string | PYTHON | PYTHON_S34 | 1 |
261 | Weak Cryptography (Python) | PYTHON | PYTHON_S36 | 2 |
314 | Command Injection | PYTHON | PYTHON_S47 | 2 |
321 | Empty or Null Encryption Key | PYTHON | PYTHON_S31 | 2 |
321 | Empty HMAC Key | PYTHON | PYTHON_S32 | 2 |
321 | Empty PBE Password | PYTHON | PYTHON_S33 | 2 |
327 | Weak Cryptography (Python) | PYTHON | PYTHON_S70 | 2 |
330 | Insecure Randomness - Hardcoded Seed | PYTHON | PYTHON_S30 | 2 |
330 | Insecure Randomness (Python) | PYTHON | PYTHON_S29 | 2 |
340 | Predictable Resource Name | PYTHON | PYTHON_S08 | 1 |
359 | Privacy Violation: Hardened Credentials | PYTHON | PYTHON_S45 | 2 |
387 | Information Leakage - Signal (Python) | PYTHON | PYTHON_S50 | 2 |
387 | Information Leakage - Keyboard (Python) | PYTHON | PYTHON_S49 | 2 |
388 | Improper print of sensitive information during exception handling | PYTHON | PYTHON_S74 | 3 |
388 | Improper masking of exceptions (Python) | PYTHON | PYTHON_S52 | 3 |
388 | Unsecure Callback function (Django-hotsauce) | PYTHON | PYTHON_S62 | 3 |
388 | Poor Exception Handling (Python) | PYTHON | PYTHON_S68 | 3 |
400 | Denial of Service (Sleep) | PYTHON | PYTHON_S53 | 1 |
434 | Unrestricted Upload (Django) | PYTHON | PYTHON_S02 | 1 |
477 | Obsolete Python Framework | PYTHON | PYTHON_S67 | 3 |
494 | Unsafe Pickle Deserialization | PYTHON | PYTHON_S13 | 3 |
494 | Reflection Injection (Python) | PYTHON | PYTHON_S41 | 2 |
497 | System Information Leak - Internal (Python) | PYTHON | PYTHON_S06 | 1 |
501 | Trust Boundary Violation (Python) | PYTHON | PYTHON_S07 | 1 |
522 | Unsecure URL/URI in a condition (Python) | PYTHON | PYTHON_S75 | 3 |
531 | Assert code found (Python) | PYTHON | PYTHON_S43 | 2 |
531 | Test code found in production (Python) | PYTHON | PYTHON_S42 | 2 |
539 | Unsecure Cookie (Python) | PYTHON | PYTHON_S27 | 2 |
539 | Unsecure Cookie - HTTPOnly not Set (Python) | PYTHON | PYTHON_S28 | 2 |
552 | File Disclosure (Django) | PYTHON | PYTHON_S01 | 1 |
601 | Open Redirect (Python) | PYTHON | PYTHON_S18 | 1 |
610 | File or Directory Name Manipulation (Python) | PYTHON | PYTHON_S46 | 1 |
631 | XSLT Injection (Python) | PYTHON | PYTHON_S26 | 1 |
643 | XPath Injection (Python) | PYTHON | PYTHON_S24 | 1 |
692 | Blacklisted Attributes (Django) | PYTHON | PYTHON_S03 | 3 |
73 | Path Manipulation (Python) | PYTHON | PYTHON_S19 | 2 |
77 | Command Injection (Python) | PYTHON | PYTHON_S10 | 1 |
78 | Suspicious user input (OS Prompt) | PYTHON | PYTHON_S56 | 1 |
78 | Suspicious Win32 usage (SID) | PYTHON | PYTHON_S71 | 1 |
78 | Suspicious Win32 usage (Win32Security) | PYTHON | PYTHON_S72 | 1 |
78 | Environment Variable Injection | PYTHON | PYTHON_S73 | 1 |
78 | OS Command Injection (Python) | PYTHON | PYTHON_S44 | 1 |
78 | Suspicious Win32 usage (Console Window) | PYTHON | PYTHON_S48 | 1 |
79 | Cross-Site Scripting (Web2py) | PYTHON | PYTHON_S64 | 1 |
79 | Cross-Site Scripting (Python) | PYTHON | PYTHON_S63 | 1 |
79 | Stored XSS (Python) | PYTHON | PYTHON_S11 | 2 |
79 | ReDoS In Replace | PYTHON | PYTHON_S40 | 1 |
798 | Dangerous Hardcoded TCP Port | PYTHON | PYTHON_S65 | 1 |
798 | Hardcoded Password (Python) | PYTHON | PYTHON_S35 | 1 |
88 | Suspicious DNS Dynamic Update | PYTHON | PYTHON_S55 | 1 |
88 | Direct use of Sockets (Python) | PYTHON | PYTHON_S58 | 1 |
88 | Suspicious DNS Transfer | PYTHON | PYTHON_S54 | 1 |
89 | SQL Injection (Web2py) | PYTHON | PYTHON_S59 | 1 |
89 | Possible SQL Injection (cubicweb) | PYTHON | PYTHON_S61 | 1 |
89 | SQL Injection (Python) | PYTHON | PYTHON_S21 | 1 |
91 | XML Injection (Python) | PYTHON | PYTHON_S25 | 1 |
918 | Server-Side Request Forgery | PYTHON | PYTHON_S22 | 1 |
93 | Mail Content Injection | PYTHON | PYTHON_S15 | 1 |
94 | Overly Permissive CORS Policy (Python) | PYTHON | PYTHON_S04 | 1 |
94 | Code Injection (Python) | PYTHON | PYTHON_S12 | 1 |
99 | Resource Injection (Python) | PYTHON | PYTHON_S20 | 1 |
117 | Information disclosure (detailed exceptions) | RUBY | INJECTION_RUBY_62.1 | 1 |
117 | Information disclosure | RUBY | INJECTION_RUBY_61.1 | 1 |
117 | Information disclosure (detailed exceptions) | RUBY | INJECTION_RUBY_62.2 | 2 |
117 | Second order Information disclosure | RUBY | INJECTION_RUBY_61.2 | 2 |
200 | Default Routes | RUBY | IMP_RUBY_12.1 | 1 |
200 | Default Routes | RUBY | IMP_RUBY_12.2 | 2 |
209 | Hardcoded credentials (CVE-2013-0333) | RUBY | BROKEN_RUBY_9.0 | 3 |
212 | 'serialize' vulnerability (CVE-2013-0277) | RUBY | INSECURE_RUBY_50.1 | 1 |
212 | Unsafe deserialization | RUBY | INSECURE_RUBY_25.2 | 2 |
212 | 'serialize' vulnerability (CVE-2013-0277) | RUBY | INSECURE_RUBY_50.2 | 2 |
269 | Unsafe instances | RUBY | FAILURE_RUBY_70.2 | 2 |
269 | Unsecure mass assignment | RUBY | FAILURE_RUBY_17.2 | 2 |
269 | Unsecure mass assignment | RUBY | FAILURE_RUBY_54.2 | 2 |
269 | Dangerous attributes in Model | RUBY | IMP_RUBY_60.1 | 1 |
269 | Nested attributes in Rails 2.3.9 and 3.0.0 (CVE-2010-3933) | RUBY | FAILURE_RUBY_31.1 | 1 |
269 | Unsecure mass assignment | RUBY | FAILURE_RUBY_17.1 | 1 |
269 | Unsecure mass assignment | RUBY | FAILURE_RUBY_54.1 | 1 |
269 | Dangerous attributes in Model | RUBY | IMP_RUBY_60.2 | 2 |
269 | Improper Session key length | RUBY | FAILURE_RUBY_26.1 | 1 |
269 | Unsafe instances | RUBY | FAILURE_RUBY_70.1 | 1 |
269 | Unsecure mass assignment | RUBY | FAILURE_RUBY_17.3 | 3 |
269 | Dangerous attributes in Model | RUBY | IMP_RUBY_60.3 | 3 |
269 | Unsafe instances | RUBY | FAILURE_RUBY_70.3 | 3 |
352 | CSRF or authentication checks wrongly skipping | RUBY | CSRF_RUBY_10.2 | 2 |
352 | 'protect_from_forgery' not enabled in ApplicationController (csrf_protection_missing) | RUBY | CSRF_RUBY_7.1 | 1 |
352 | Response splitting (CVE-2011-3186) | RUBY | CSRF_RUBY_37.2 | 2 |
352 | Verifies that protect_from_forgery is enabled in ApplicationController (CVE-2011-0447) | RUBY | CSRF_RUBY_33.1 | 1 |
352 | CSRF or authentication checks wrongly skipping | RUBY | CSRF_RUBY_8.2 | 2 |
352 | Verifies that protect_from_forgery is enabled in ApplicationController (csrf_protection_disabled) | RUBY | CSRF_RUBY_6.1 | 1 |
400 | Header DoS (CVE-2011-2930) | RUBY | INJECTION_RUBY_35.1 | 1 |
400 | Render :text DoS (CVE-2014-0082) | RUBY | INJECTION_RUBY_75.1 | 1 |
400 | Second order DoS (CVE-2012-3424) | RUBY | INJECTION_RUBY_42.3 | 3 |
400 | Denial of Service (CVE-2012-3424) | RUBY | INJECTION_RUBY_42.1 | 1 |
400 | Second order Header DoS (CVE-2011-2930) | RUBY | INJECTION_RUBY_35.2 | 2 |
400 | Symbol DoS (ActiveRecord or 'unsafe_symbol_creation') | RUBY | INJECTION_RUBY_59.1 | 1 |
400 | Header DoS (CVE-2013-6414) | RUBY | INJECTION_RUBY_64.2 | 2 |
400 | Symbol DoS (ActiveRecord or 'unsafe_symbol_creation') | RUBY | INJECTION_RUBY_59.2 | 2 |
400 | Symbol DoS (ActiveRecord) (CVE-2013-1854) | RUBY | INJECTION_RUBY_55.2 | 2 |
470 | Unsafe reflection | RUBY | INJECTION_RUBY_24.1 | 1 |
470 | Unsafe reflection | RUBY | INJECTION_RUBY_24.2 | 2 |
601 | Dangerous 'redirect_to' | RUBY | URL_RUBY_18.3 | 3 |
601 | Dangerous 'redirect_to' | RUBY | URL_RUBY_18.1 | 1 |
639 | Unsafe hrefs value | RUBY | FAILURE_RUBY_4.2 | 2 |
639 | Unsafe hrefs value | RUBY | FAILURE_RUBY_4.1 | 1 |
665 | Rails versions with SafeBuffer bug | RUBY | INSECURE_RUBY_21.2 | 2 |
669 | Avoid using Components with Known Vulnerabilities | RUBY | LAYER_RUBY_1.2013 | 1 |
676 | Vulnerable sanitize helper (CVE-2013-1857) | RUBY | SECURITMISC_RUBY_58.2 | 2 |
676 | Unsafe use of select() helper | RUBY | SECURITMISC_RUBY_22.2 | 2 |
676 | Versions with vulnerable sanitize and sanitize_css (CVE-2013-1855) | RUBY | SECURITMISC_RUBY_56.2 | 2 |
676 | Versions with vulnerable sanitize and sanitize_css (CVE-2013-1855) | RUBY | SECURITMISC_RUBY_56.1 | 1 |
676 | Vulnerable sanitize helper (CVE-2013-1857) | RUBY | SECURITMISC_RUBY_58.1 | 1 |
676 | Unsafe use of select() helper | RUBY | SECURITMISC_RUBY_22.3 | 3 |
676 | Unsafe use of Object#send | RUBY | SECURITMISC_RUBY_23.1 | 1 |
676 | Unsafe uses of select_tag() (CVE-2012-3463) | RUBY | SECURITMISC_RUBY_43.1 | 1 |
73 | Unpredictable file access through user input | RUBY | INJECTION_RUBY_16.1 | 1 |
73 | Unsafe file access | RUBY | INJECTION_RUBY_15.1 | 1 |
73 | Possible Unsafe file access | RUBY | INJECTION_RUBY_15.3 | 3 |
73 | Possible Unpredictable file access | RUBY | INJECTION_RUBY_16.3 | 3 |
73 | Second order Unsafe file access | RUBY | INJECTION_RUBY_15.2 | 2 |
73 | Second order Unpredictable file access | RUBY | INJECTION_RUBY_16.2 | 2 |
732 | Dangerous attributes in Model | RUBY | IMP_RUBY_19.1 | 1 |
732 | Dangerous public attributes in Model (CVE-2013-0276) | RUBY | IMP_RUBY_51.1 | 1 |
732 | Dangerous public attributes in Model | RUBY | IMP_RUBY_20.1 | 1 |
732 | Dangerous public attributes in Model (CVE-2013-0276) | RUBY | IMP_RUBY_51.2 | 2 |
732 | Dangerous public attributes in Model | RUBY | IMP_RUBY_20.2 | 2 |
732 | Dangerous attributes in Model | RUBY | IMP_RUBY_19.2 | 2 |
732 | Dangerous public attributes in Model | RUBY | IMP_RUBY_20.3 | 3 |
78 | YAML parsing vulnerabilities (CVE-2013-0156) | RUBY | INJECTION_RUBY_48.1 | 1 |
78 | Code injection (CVE-2013-0333) | RUBY | INJECTION_RUBY_14.1 | 1 |
79 | Simple_format XSS (CVE-2013-6416) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_67.2 | 2 |
79 | XSS (helper) (CVE-2014-0081) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_73.2 | 2 |
79 | Cross Site Scripting (Unescaped JSON) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_5.2 | 2 |
79 | Cross Site Scripting (Unescaped JSON) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_5.1 | 1 |
79 | Cross Site Scripting (CVE-2011-2929) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_34.1 | 1 |
79 | Possible XSS (link_to) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_3.2 | 2 |
79 | Cross Site Scripting (JRuby) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_53.1 | 1 |
79 | i18n XSS (CVE-2013-4491) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_63.2 | 2 |
79 | Cross Site Scripting (Unescaped Output) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_2.1 | 1 |
79 | Missing escape on single quotes (CVE-2012-3464) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_44.2 | 2 |
79 | XSS vulnerability in translate helper / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_28.2 | 2 |
79 | Cross Site Scripting (Unescaped JSON) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_5.3 | 3 |
79 | Second order SQL injection (CVE-2013-0333) | RUBY | INJECTION_RUBY_14.2 | 2 |
79 | Cross Site Scripting (Unescaped Output) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_2.3 | 3 |
79 | Strip_tags vulnerabilities (CVE-2012-3465) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_45.1 | 1 |
79 | Vulnerable 'strip_tags' or other escape method (CVE-2011-2931) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_36.1 | 1 |
79 | XSS (sanitize and sanitize_css) (CVE-2013-1855) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_30.1 | 1 |
79 | XSS vulnerability in translate helper / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_28.1 | 1 |
79 | Cross Site Scripting (JRuby) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_53.2 | 2 |
79 | Cross Site Scripting (Unescaped Output) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_2.2 | 2 |
79 | XSS (Mail_to) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_32.1 | 1 |
79 | XSS (link_to) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_3.1 | 1 |
798 | Insecure SSL certificate | RUBY | LAYER_RUBY_71.1 | 1 |
89 | SQL injection (:limit and :offset) | RUBY | INJECTION_RUBY_1.2 | 2 |
89 | SQL injection | RUBY | INJECTION_RUBY_0.2 | 2 |
89 | SQL injection (CVE-2014-0080) | RUBY | INJECTION_RUBY_72.1 | 1 |
89 | SQL injection (:limit and :offset) | RUBY | INJECTION_RUBY_1.1 | 1 |
89 | SQL injection | RUBY | INJECTION_RUBY_0.1 | 1 |
89 | Missed evaluation of user input | RUBY | INJECTION_RUBY_13.1 | 1 |
89 | SQL injection (CVE-2012-2660) | RUBY | INJECTION_RUBY_38.1 | 1 |
89 | SQL injection (CVE-2012-6496) | RUBY | INJECTION_RUBY_46.1 | 1 |
89 | SQL injection (CVE-2013-0155) | RUBY | INJECTION_RUBY_47.1 | 1 |
89 | SQL injection (CVE-2013-6417) | RUBY | INJECTION_RUBY_69.1 | 1 |
89 | SQL injection (CVE-2012-2695) | RUBY | INJECTION_RUBY_40.1 | 1 |
89 | SQL injection (CVE-2012-2661) | RUBY | INJECTION_RUBY_39.1 | 1 |
91 | JSON parsing vulnerabilities (CVE-2013-0269) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_49.1 | 1 |
91 | Versions with JRuby XML parsing backend (CVE-2013-1856) | RUBY | INJECTION_RUBY_57.1 | 1 |
91 | JSON parsing vulnerabilities (CVE-2013-0333) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_52.3 | 3 |
91 | JSON parsing vulnerabilities (CVE-2013-0333) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_52.1 | 1 |
91 | JSON parsing vulnerabilities (CVE-2013-0333) / Security Decisions Via Untrusted Inputs | RUBY | XSS_RUBY_52.2 | 2 |
200 | Information Leakage (DBMS_OUTPUT.PUT_LINE) | SQL | PLSQL.15 | 3 |
200 | Improper use of WHEN OTHERS as the only exception handler. | SQL | PLSQL.21 | 3 |
200 | Error Handling With Output Parameters. | SQL | PLSQL.03 | 3 |
200 | Information Leakage (WHEN OTHERS THEN) | SQL | PLSQL.01 | 3 |
200 | Dangerous Deprecated Feature (T-SQL) | SQL | SQL.02 | 2 |
200 | Deprecated Feature (T-SQL) | SQL | SQL.01 | 3 |
200 | Avoid using DBMS_UTILITY.EXEC_DDL_STATEMENT | SQL | PLSQL.33 | 3 |
200 | Information Leakage (FUNCTION with OUT parameters) | SQL | PLSQL.20 | 2 |
200 | Deprecated Functions Teradata SQL | SQL | SQL.04 | 3 |
200 | Useless Feature (T-SQL) | SQL | SQL.03 | 4 |
257 | Hardcoded Passwords | SQL | PLSQL.13 | 1 |
265 | Improper Granting of all privileges on an object | SQL | PLSQL.38 | 1 |
284 | Avoid using Invoker's rights (AUTHID CURRENT_USER) | SQL | PLSQL.35 | 1 |
284 | Improper use of Packages that administer the network Access Control List functions inside a procedure (DBMS_NETWORK) | SQL | PLSQL.26 | 1 |
284 | Package Running Under Potentially Excessive Permissions (AUTHID CURRENT_USER) | SQL | PLSQL.05 | 4 |
284 | Package Running Under Potentially Excessive Permissions (AUTHID DEFINER) | SQL | PLSQL.04 | 4 |
284 | The use of one of these SYS procedures by a SYS user gives any user the rights of a database administrator and therefore allows them to do everything possible, including deleting all access rights. | SQL | PLSQL.25 | 1 |
311 | Missing DBMS_LDAP.free_mod_array | SQL | PLSQL.29 | 2 |
326 | MD5, MD4 and SHA-1 should no longer be relied upon to verify the authenticity of data in security-critical contexts. | SQL | PLSQL.39 | 2 |
327 | Static Random Number Generator | SQL | PLSQL.32 | 2 |
36 | Absolute Path in Source Code (SQL) | SQL | PLSQL.30 | 3 |
388 | Improper masking exceptions with NULL statements | SQL | PLSQL.18 | 1 |
388 | Avoid disabling DBMS_LDAP.USE_EXCEPTION. | SQL | PLSQL.27 | 1 |
388 | Avoid decentralized EXCEPTION_INIT statements | SQL | PLSQL.19 | 3 |
388 | Improper processing of User-Password-IP Address | SQL | PLSQL.02 | 2 |
400 | SQL statement DoS (CROSS JOIN in a LOOP-FOR) | SQL | PLSQL.23 | 1 |
400 | Avoid using DELETE or UPDATE without a WHERE clause | SQL | PLSQL.22 | 1 |
400 | Denial Of Service Threat (dbms_lock.sleep) | SQL | PLSQL.41 | 1 |
400 | SQL statement DoS (GROUP BY in a loop) | SQL | PLSQL.24 | 1 |
400 | Data Formatting Within VIEW | SQL | PLSQL.07 | 4 |
477 | Use DBMS_STATS instead. | SQL | PLSQL.34 | 3 |
497 | Information Leakage (OWA_UTIL.print) | SQL | PLSQL.36 | 3 |
501 | Improper accepting of untrusted sensitive data from a Cookie and using it without validation | SQL | PLSQL.37 | 1 |
79 | Stored XSS | SQL | PLSQL.06 | 5 |
798 | Hardcoded IP address | SQL | PLSQL.31 | 1 |
89 | SQL Injection (deprecated DBMS_SQL.* statement) | SQL | PLSQL.16 | 1 |
89 | Variable concatenated with dynamic SQL statement. | SQL | PLSQL.08 | 1 |
89 | SQL injection through use of an input variable within a query. | SQL | PLSQL.9 | 1 |
89 | Avoid SELECT * statements (SQL) | SQL | PLSQL.17 | 3 |
90 | Populating a mod_array and using it directly in DBMS_LDAP.add_s, DBMS_LDAP.modify_s or DBMS_LDAP.delete_s may expose it to an LDAP Injection | SQL | PLSQL.28 | 1 |
COPYRIGHT (C) 2014-2021 2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.