CWE Knowledge Base
ImmuniWeb CWE (Common Weakness Enumeration by MITRE) Knowledge Base covers all CWE vulnerabilities that are encountered in ImmuniWeb Security Advisories or detected by ImmuniWeb®. For each entry we try to provide as much information, examples and internal research as possible. Records are being regularly updated.
Some security weaknesses and misconfigurations related to web applications that do not really fall under the vulnerability section are grouped on the Common Web Application Security Weaknesses page. You can also view our CVSS calculator.
CWE-22 Path Traversal
This weakness describes improper filtering of a pathname to a restricted directory.
CWE-78 OS Command Injection
This weakness describes improper neutralization of special elements which results in modification of the OS command.
CWE-79 Cross-Site Scripting
This weakness describes improper neutralization of input during web page generation.
CWE-89 SQL Injection
This weakness type describes improper neutralization of special elements used in an SQL query.
CWE-90 LDAP Injection
This weakness describes improper neutralization of special elements used in LDAP queries.
CWE-91 XML Injection
This weakness describes improper neutralization of special elements used in XML queries.
CWE-94 Code Injection
This weakness describes improper control of code generation.
CWE-98 PHP File Inclusion
This weakness describes improper control of filename within Include or Require statements in a PHP program.
CWE-113 HTTP Response Splitting
This weakness describes improper neutralization of CRLF sequences in HTTP headers.
CWE-119 Buffer Errors
This weakness describes improper restriction of operations within the bounds of a memory buffer.
CWE-130 Improper Handling of Length Parameter Inconsistency
This weakness describes improper handling of a length field for associated data.
CWE-193 Off-by-one Error
This weakness occurs when a program uses an improper maximum or minimum value that is one more or one less than the proper value.
CWE-200 Information Exposure
This weakness describes intentional or unintentional disclosure of information that is considered sensitive.
CWE-211 Information Exposure Through Externally-Generated Error Message
This weakness describes an information exposure case where software generates a message with potentially sensitive data and outputs it.
CWE-236 Improper Handling of Undefined Parameters
This weakness describes a case where an application uses an undefined parameter, field, or argument.
CWE-276 Incorrect Default Permissions
This weakness describes a case where software sets insecure permissions to objects on a system.
CWE-284 Improper Access Control
This weakness describes a failure in the AAA security model.
CWE-285 Improper Authorization
This weakness describes improper mechanisms of user authorization.
CWE-287 Improper Authentication
This weakness describes improper mechanisms of user identity verification.
CWE-297 Improper Validation of Certificate with Host Mismatch
This weakness describes improper validation of a certificate with a host mismatch.
CWE-306 Missing Authentication for Critical Function
This weakness describes missing authentication for a critical function.
CWE-312 Cleartext Storage of Sensitive Information
This weakness describes a case where sensitive information is stored in clear text in a location accessible by other users.
CWE-345 Insufficient Verification of Data Authenticity
This weakness describes improper or absent verification of input data authenticity.
CWE-352 Cross-Site Request Forgery
This weakness describes improper or absent verification of the HTTP request origin.
CWE-384 Session Fixation
This weakness describes a case where an application incorrectly handles session identifiers when establishing new sessions.
CWE-427 Uncontrolled Search Path Element
This weakness is caused by applications passing an insufficiently qualified path when loading an external library.
CWE-434 Unrestricted Upload of File with Dangerous Type
This weakness describes improper validation of file types when uploading files.
CWE-476 NULL Pointer Dereference
This weakness describes an application that dereferences a pointer that ought to be valid but is in fact NULL.
CWE-521 Weak Password Requirements
This weakness describes a case where an application implements a poor password policy, allowing users to create short or very simple passwords.
CWE-601 Open Redirect
This weakness describes improper sanitization of input that is used to redirect users to external websites.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
This weakness describes a case where an XML parser is not correctly configured and allows an attacker to directly interact with local or external files.
CWE-613 Insufficient Session Expiration
This weakness describes a case of insufficient session expiration, which allows an attacker to use an existing session identifier to log in to the application.
CWE-618 Exposed Unsafe ActiveX Method
This weakness describes exposure of dangerous ActiveX methods that perform actions outside the browser's security model.
CWE-671 Lack of Administrator Control over Security
This weakness describes a case where implemented security features do not grant administrators full control over product security.
CWE-798 Use of Hard-coded Credentials
This weakness describes a case where hard-coded access credentials are stored within application code.
CWE-799 Improper Control of Interaction Frequency
This vulnerability describes a case where the application does not control the number and frequency of unsuccessful requests, allowing brute-force attacks.
CWE-822 Untrusted Pointer Dereference
This weakness occurs where software uses untrusted input as a pointer value.
CWE-835 Infinite Loop
This weakness describes a case when a loop cannot reach an exit condition.
CWE-918 Server-Side Request Forgery (SSRF)
This weakness describes a case where the attacker can leverage the ability of a web application to perform unauthorized requests to internal or external systems.
CWE-942 Overly Permissive Cross-domain Whitelist
This weakness describes a case where software uses a cross-domain policy that includes domains that should not be trusted.
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.