Tag: top25-cwes
Deserialization of untrusted objects can lead to security vulnerabilities such as inadvertently running remote code.
Deserializing objects from relational databases should allocate a 64-bit, not 32-bit, type for the auto-incremented identifier.
Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.
Creating file paths from untrusted input might give a malicious actor access to sensitive files.
Hardcoded credentials can be intercepted by malicious actors.
Allocated resources are not released properly.
Objects that parse or handle XML can lead to XML External Entity (XXE) attacks when misconfigured.
Public method parameters should be validated for nullness, unexpected values, and malicious values.
Sensitive information should not be exposed through log files or stack traces.
Objects that parse or handle XML in an XML document can lead to XML External Entity (XXE) attacks when misconfigured.
Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.
Insufficiently restrictive file uploads can lead to inadvertently running malicious code.
Comment parsing for OpenSAML2 might enable an attacker to bypass authentication.
Insecure configuration can lead to a cross-site request forgery (CSRF) vulnerability.
User-controlled input that specifies a link to an external site could lead to phishing attacks and allow user credentials to be stolen.
Use of unsanitized external input in reflection can allow attackers to bypass security checks and run malicious code.
Dereferencing a null pointer can lead to unexpected null pointer exceptions.
Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.
Weak obfuscation while configuring a web request.
Use numeric types that are large enough to hold the result of arithmetic operations.
Weak file permissions can lead to privilege escalation.
Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.
Use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.