
CWE™


Summary

Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types. It serves as a common language, as a measuring stick for security tools, and as a baseline for weakness identification, mitigation and prevention efforts.

  • Version used: CWE™ List 4.11
  • Last official version: CWE™ List 4.11

Definitions

Each CWE weakness below is followed by the security requirements that address it (requirement number and title).

CWE-5. Data transmission without encryption
  • 336. Disable insecure TLS versions
CWE-6. Misconfiguration - Insufficient session-ID length
  • 030. Avoid object reutilization
  • 032. Avoid session ID leakages
CWE-11. Creating debug binary
  • 078. Disable debugging events
CWE-13. Misconfiguration - Password in configuration file
  • 026. Encrypt client-side session information
  • 185. Encrypt sensitive information
CWE-15. External control of system or configuration setting
  • 062. Define standard configurations
  • 320. Avoid client-side control enforcement
CWE-20. Improper input validation
  • 173. Discard unsafe inputs
CWE-22. Improper limitation of a pathname to a restricted directory ("path traversal")
  • 037. Parameters without sensitive data
  • 173. Discard unsafe inputs
  • 320. Avoid client-side control enforcement
  • 342. Validate request parameters
CWE-23. Relative path traversal
  • 037. Parameters without sensitive data
CWE-36. Absolute path traversal
  • 037. Parameters without sensitive data
  • 173. Discard unsafe inputs
  • 320. Avoid client-side control enforcement
  • 343. Respect the Do Not Track header
CWE-73. External control of file name or path
  • 037. Parameters without sensitive data
  • 320. Avoid client-side control enforcement
  • 381. Use of absolute paths
CWE-74. Improper neutralization of special elements in output used by a downstream component ("injection")
  • 158. Use a secure programming language
  • 173. Discard unsafe inputs
CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection")
  • 173. Discard unsafe inputs
  • 265. Restrict access to critical processes
  • 266. Disable insecure functionalities
CWE-79. Improper neutralization of input during web page generation ("cross-site scripting")
  • 029. Cookies with security attributes
  • 173. Discard unsafe inputs
CWE-80. Improper neutralization of script-related HTML tags in a web page (basic XSS)
  • 117. Do not interpret HTML code
  • 173. Discard unsafe inputs
CWE-89. Improper neutralization of special elements used in an SQL command ("SQL injection")
  • 169. Use parameterized queries
  • 173. Discard unsafe inputs
CWE-90. Improper neutralization of special elements used in an LDAP query ("LDAP injection")
  • 173. Discard unsafe inputs
CWE-91. XML injection
  • 173. Discard unsafe inputs
CWE-94. Improper control of generation of code ("code injection")
  • 173. Discard unsafe inputs
CWE-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
  • 173. Discard unsafe inputs
  • 321. Avoid deserializing untrusted data
  • 344. Avoid dynamic code execution
CWE-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
  • 173. Discard unsafe inputs
  • 265. Restrict access to critical processes
  • 266. Disable insecure functionalities
CWE-112. Missing XML validation
  • 173. Discard unsafe inputs
CWE-114. Process control
  • 266. Disable insecure functionalities
CWE-116. Improper encoding or escaping of output
  • 160. Encode system outputs
  • 173. Discard unsafe inputs
  • 348. Use consistent encoding
  • 349. Include HTTP security headers
CWE-117. Improper output neutralization for logs
  • 160. Encode system outputs
CWE-120. Buffer copy without checking size of input ("classic buffer overflow")
  • 345. Establish protections against overflows
CWE-130. Improper handling of length parameter inconsistency
  • 169. Use parameterized queries
  • 342. Validate request parameters
CWE-134. Use of externally-controlled format string
  • 345. Establish protections against overflows
CWE-138. Improper neutralization of special elements
  • 173. Discard unsafe inputs
  • 340. Use octet stream downloads
CWE-147. Improper neutralization of input terminators
  • 173. Discard unsafe inputs
CWE-150. Improper neutralization of escape, meta, or control sequences
  • 173. Discard unsafe inputs
CWE-170. Improper null termination
  • 345. Establish protections against overflows
CWE-173. Improper handling of alternate encoding
  • 044. Define an explicit charset
  • 160. Encode system outputs
CWE-190. Integer overflow or wraparound
  • 345. Establish protections against overflows
CWE-200. Exposure of sensitive information to an unauthorized actor
  • 032. Avoid session ID leakages
  • 119. Hide recipients
  • 181. Transmit data using secure protocols
  • 261. Avoid exposing sensitive information
  • 375. Remove sensitive data from client-side applications
CWE-203. Observable discrepancy
  • 225. Proper authentication responses
CWE-208. Observable timing discrepancy
  • 368. Use of indistinguishable response time
CWE-209. Generation of error message containing sensitive information
  • 077. Avoid disclosing technical information
CWE-210. Self-generated error message containing sensitive information
  • 077. Avoid disclosing technical information
  • 078. Disable debugging events
CWE-212. Improper removal of sensitive information before storage or transfer
  • 183. Delete sensitive data securely
  • 360. Remove unnecessary sensitive information
CWE-219. Storage of file with sensitive data under web root
  • 339. Avoid storing sensitive files in the web root
CWE-221. Information loss or omission
  • 075. Record exceptional events in logs
  • 376. Register severity level
CWE-223. Omission of security-relevant information
  • 376. Register severity level
CWE-226. Sensitive information in resource not removed before reuse
  • 183. Delete sensitive data securely
  • 360. Remove unnecessary sensitive information
CWE-233. Improper handling of parameters
  • 342. Validate request parameters
CWE-235. Improper handling of extra parameters
  • 342. Validate request parameters
CWE-250. Execution with unnecessary privileges
  • 095. Define users with privileges
  • 096. Set user's required privileges
  • 186. Use the principle of least privilege
CWE-256. Plaintext storage of a password
  • 127. Store hashed passwords
  • 380. Define a password management tool
CWE-257. Storing passwords in a recoverable format
  • 238. Establish safe recovery
CWE-259. Use of hard-coded password
  • 156. Source code without sensitive information
  • 172. Encrypt connection strings
CWE-263. Password aging with long expiration
  • 130. Limit password lifespan
  • 138. Define lifespan for temporary passwords
  • 367. Proper generation of temporary passwords
CWE-266. Incorrect privilege assignment
  • 095. Define users with privileges
CWE-267. Privilege defined with unsafe actions
  • 035. Manage privilege modifications
CWE-269. Improper privilege management
  • 035. Manage privilege modifications
  • 186. Use the principle of least privilege
CWE-272. Least privilege violation
  • 186. Use the principle of least privilege
CWE-276. Incorrect default permissions
  • 095. Define users with privileges
  • 096. Set user's required privileges
  • 186. Use the principle of least privilege
  • 341. Use the principle of deny by default
CWE-284. Improper access control
  • 176. Restrict system objects
  • 229. Request access credentials
  • 266. Disable insecure functionalities
  • 320. Avoid client-side control enforcement
CWE-285. Improper authorization
  • 095. Define users with privileges
  • 177. Avoid caching and temporary files
  • 320. Avoid client-side control enforcement
  • 341. Use the principle of deny by default
CWE-287. Improper authentication
  • 122. Validate credential ownership
  • 228. Authenticate using standard protocols
  • 236. Establish authentication time
  • 264. Request authentication
  • 319. Make authentication options equally secure
  • 334. Avoid knowledge-based authentication
  • 362. Assign MFA mechanisms to a single account
CWE-290. Authentication bypass by spoofing
  • 173. Discard unsafe inputs
  • 320. Avoid client-side control enforcement
  • 342. Validate request parameters
CWE-294. Authentication bypass by capture-replay
  • 030. Avoid object reutilization
  • 335. Define out of band token lifespan
CWE-295. Improper certificate validation
  • 089. Limit validity of certificates
  • 091. Use internally signed certificates
  • 093. Use consistent certificates
  • 364. Provide extended validation (EV) certificates
CWE-297. Improper validation of certificate with host mismatch
  • 093. Use consistent certificates
  • 373. Use certificate pinning
CWE-298. Improper validation of certificate expiration
  • 089. Limit validity of certificates
  • 090. Use valid certificates
  • 364. Provide extended validation (EV) certificates
CWE-299. Improper check for certificate revocation
  • 088. Request client certificates
  • 089. Limit validity of certificates
  • 090. Use valid certificates
CWE-306. Missing authentication for critical function
  • 229. Request access credentials
  • 264. Request authentication
  • 265. Restrict access to critical processes
  • 319. Make authentication options equally secure
CWE-307. Improper restriction of excessive authentication attempts
  • 210. Delete information from mobile devices
  • 237. Ascertain human interaction
  • 327. Set a rate limit
CWE-308. Use of single-factor authentication
  • 030. Avoid object reutilization
  • 231. Implement a biometric verification component
CWE-311. Missing encryption of sensitive data
  • 172. Encrypt connection strings
  • 181. Transmit data using secure protocols
  • 185. Encrypt sensitive information
CWE-319. Cleartext transmission of sensitive information
  • 181. Transmit data using secure protocols
  • 338. Implement perfect forward secrecy
CWE-321. Use of hard-coded cryptographic key
  • 145. Protect system cryptographic keys
  • 224. Use secure cryptographic mechanisms
CWE-322. Key exchange without entity authentication
  • 145. Protect system cryptographic keys
CWE-323. Reusing a nonce, key pair in encryption
  • 145. Protect system cryptographic keys
CWE-324. Use of a key past its expiration date
  • 361. Replace cryptographic keys
CWE-326. Inadequate encryption strength
  • 147. Use pre-existent mechanisms
  • 224. Use secure cryptographic mechanisms
  • 346. Use initialization vectors once
CWE-327. Use of a broken or risky cryptographic algorithm
  • 147. Use pre-existent mechanisms
  • 224. Use secure cryptographic mechanisms
CWE-328. Use of weak hash
  • 150. Set minimum size for hash functions
CWE-330. Use of insufficiently random values
  • 223. Uniform distribution in random numbers
CWE-331. Insufficient entropy
  • 223. Uniform distribution in random numbers
  • 224. Use secure cryptographic mechanisms
CWE-334. Small space of random values
  • 223. Uniform distribution in random numbers
CWE-340. Generation of predictable numbers or identifiers
  • 223. Uniform distribution in random numbers
  • 224. Use secure cryptographic mechanisms
CWE-345. Insufficient verification of data authenticity
  • 030. Avoid object reutilization
  • 178. Use digital signatures
  • 238. Establish safe recovery
CWE-346. Origin validation error
  • 128. Define unique data source
CWE-347. Improper verification of cryptographic signature
  • 178. Use digital signatures
CWE-350. Reliance on reverse DNS resolution for a security-critical action
  • 062. Define standard configurations
  • 356. Verify sub-domain names
CWE-352. Cross-site request forgery (CSRF)
  • 029. Cookies with security attributes
  • 174. Transactions without a distinguishable pattern
CWE-353. Missing support for integrity check
  • 178. Use digital signatures
  • 262. Verify third-party components
  • 330. Verify Subresource Integrity
CWE-359. Exposure of private personal information to an unauthorized actor
  • 180. Use mock data
  • 184. Obfuscate application data
  • 261. Avoid exposing sensitive information
  • 300. Mask sensitive data
CWE-362. Concurrent execution using shared resource with improper synchronization ("race condition")
  • 337. Make critical logic flows thread safe
CWE-367. Time-of-check time-of-use (TOCTOU) race condition
  • 337. Make critical logic flows thread safe
  • 353. Schedule firmware updates
CWE-377. Insecure temporary file
  • 036. Do not deploy temporary files
  • 177. Avoid caching and temporary files
CWE-384. Session fixation
  • 030. Avoid object reutilization
CWE-390. Detection of error condition without action
  • 075. Record exceptional events in logs
CWE-396. Declaration of catch for generic exception
  • 359. Avoid using generic exceptions
CWE-397. Declaration of throws for generic exception
  • 359. Avoid using generic exceptions
CWE-400. Uncontrolled resource consumption
  • 072. Set maximum response time
  • 158. Use a secure programming language
  • 164. Use optimized structures
  • 173. Discard unsafe inputs
CWE-404. Improper resource shutdown or release
  • 023. Terminate inactive user sessions
  • 167. Close unused resources
CWE-409. Improper handling of highly compressed data (data amplification)
  • 039. Define maximum file size
CWE-419. Unprotected primary channel
  • 033. Restrict administrative access
CWE-434. Unrestricted upload of file with dangerous type
  • 040. Compare file format and extension
CWE-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
  • 062. Define standard configurations
  • 173. Discard unsafe inputs
  • 266. Disable insecure functionalities
CWE-453. Insecure default variable initialization
  • 161. Define secure default options
CWE-456. Missing initialization of a variable
  • 168. Initialize variables explicitly
CWE-457. Use of uninitialized variable
  • 168. Initialize variables explicitly
CWE-459. Incomplete cleanup
  • 183. Delete sensitive data securely
  • 210. Delete information from mobile devices
CWE-474. Use of function with inconsistent implementations
  • 162. Avoid duplicate code
CWE-494. Download of code without integrity check
  • 330. Verify Subresource Integrity
CWE-497. Exposure of sensitive system information to an unauthorized control sphere
  • 078. Disable debugging events
  • 095. Define users with privileges
CWE-502. Deserialization of untrusted data
  • 321. Avoid deserializing untrusted data
CWE-507. Trojan horse
  • 155. Application free of malicious code
  • 262. Verify third-party components
CWE-509. Replicating malicious code (virus or worm)
  • 041. Scan files for malicious code
  • 118. Inspect attachments
CWE-510. Trapdoor
  • 154. Eliminate backdoors
  • 155. Application free of malicious code
CWE-511. Logic/time bomb
  • 155. Application free of malicious code
CWE-512. Spyware
  • 273. Define a fixed security suite
CWE-521. Weak password requirements
  • 127. Store hashed passwords
  • 129. Validate previous passwords
  • 130. Limit password lifespan
  • 132. Passphrases with at least 4 words
  • 133. Passwords with at least 20 characters
  • 332. Prevent the use of breached passwords
CWE-522. Insufficiently protected credentials
  • 132. Passphrases with at least 4 words
  • 133. Passwords with at least 20 characters
  • 134. Store passwords with salt
  • 135. Passwords with random salt
  • 139. Set minimum OTP length
  • 150. Set minimum size for hash functions
CWE-523. Unprotected transport of credentials
  • 153. Out of band transactions
  • 181. Transmit data using secure protocols
CWE-524. Use of cache containing sensitive information
  • 177. Avoid caching and temporary files
  • 209. Manage passwords in cache
CWE-525. Use of web browser cache containing sensitive information
  • 177. Avoid caching and temporary files
  • 349. Include HTTP security headers
CWE-526. Cleartext storage of sensitive information in an environment variable
  • 185. Encrypt sensitive information
  • 300. Mask sensitive data
CWE-532. Insertion of sensitive information into log file
  • 083. Avoid logging sensitive data
CWE-539. Use of persistent cookies containing sensitive information
  • 029. Cookies with security attributes
  • 342. Validate request parameters
CWE-540. Inclusion of sensitive information in source code
  • 156. Source code without sensitive information
CWE-548. Exposure of information through directory listing
  • 176. Restrict system objects
  • 266. Disable insecure functionalities
CWE-549. Missing password field masking
  • 300. Mask sensitive data
CWE-561. Dead code
  • 162. Avoid duplicate code
CWE-598. Use of GET request method with sensitive query strings
  • 169. Use parameterized queries
  • 342. Validate request parameters
CWE-601. URL redirection to untrusted site ("open redirect")
  • 324. Control redirects
CWE-602. Client-side enforcement of server-side security
  • 266. Disable insecure functionalities
  • 320. Avoid client-side control enforcement
CWE-603. Use of client-side authentication
  • 264. Request authentication
CWE-611. Improper restriction of XML external entity reference
  • 157. Use the strict mode
  • 173. Discard unsafe inputs
CWE-613. Insufficient session expiration
  • 023. Terminate inactive user sessions
  • 030. Avoid object reutilization
  • 031. Discard user session data
  • 369. Set a maximum lifetime in sessions
CWE-614. Sensitive cookie in HTTPS session without 'Secure' attribute
  • 029. Cookies with security attributes
CWE-615. Inclusion of sensitive information in source code comments
  • 156. Source code without sensitive information
CWE-620. Unverified password change
  • 131. Deny multiple password changing attempts
  • 238. Establish safe recovery
  • 301. Notify configuration changes
CWE-639. Authorization bypass through user-controlled key
  • 035. Manage privilege modifications
  • 176. Restrict system objects
  • 320. Avoid client-side control enforcement
CWE-640. Weak password recovery mechanism for forgotten password
  • 126. Set a password regeneration mechanism
  • 130. Limit password lifespan
  • 131. Deny multiple password changing attempts
  • 132. Passphrases with at least 4 words
  • 133. Passwords with at least 20 characters
  • 139. Set minimum OTP length
  • 238. Establish safe recovery
  • 332. Prevent the use of breached passwords
  • 334. Avoid knowledge-based authentication
  • 367. Proper generation of temporary passwords
CWE-642. External control of critical state data
  • 026. Encrypt client-side session information
  • 328. Request MFA for critical systems
CWE-643. Improper neutralization of data within XPath expressions ("XPath injection")
  • 173. Discard unsafe inputs
CWE-644. Improper neutralization of HTTP headers for scripting syntax
  • 349. Include HTTP security headers
CWE-645. Overly restrictive account lockout mechanism
  • 226. Avoid account lockouts
CWE-646. Reliance on file name or extension of externally-supplied file
  • 040. Compare file format and extension
  • 042. Validate file format
  • 340. Use octet stream downloads
CWE-651. Exposure of WSDL file containing sensitive information
  • 325. Protect WSDL files
CWE-693. Protection mechanism failure
  • 266. Disable insecure functionalities
  • 326. Detect rooted devices
  • 351. Assign unique keys to each device
  • 352. Enable trusted execution
  • 354. Prevent firmware downgrades
CWE-710. Improper adherence to coding standards
  • 158. Use a secure programming language
  • 366. Associate type to variables
  • 381. Use of absolute paths
CWE-732. Incorrect permission assignment for critical resource
  • 186. Use the principle of least privilege
  • 341. Use the principle of deny by default
CWE-749. Exposed dangerous method or function
  • 041. Scan files for malicious code
  • 266. Disable insecure functionalities
CWE-759. Use of a one-way hash without a salt
  • 134. Store passwords with salt
  • 135. Passwords with random salt
CWE-760. Use of a one-way hash with a predictable salt
  • 134. Store passwords with salt
  • 135. Passwords with random salt
CWE-770. Allocation of resources without limits or throttling
  • 039. Define maximum file size
  • 072. Set maximum response time
  • 327. Set a rate limit
CWE-778. Insufficient logging
  • 075. Record exceptional events in logs
  • 376. Register severity level
CWE-779. Logging of excessive data
  • 322. Avoid excessive logging
CWE-780. Use of RSA algorithm without OAEP
  • 370. Use OAEP padding with RSA
CWE-798. Use of hard-coded credentials
  • 156. Source code without sensitive information
  • 172. Encrypt connection strings
  • 357. Use stateless session tokens
CWE-799. Improper control of interaction frequency
  • 237. Ascertain human interaction
  • 327. Set a rate limit
CWE-804. Guessable CAPTCHA
  • 237. Ascertain human interaction
CWE-830. Inclusion of web functionality from an untrusted source
  • 050. Control calls to interpreted code
  • 353. Schedule firmware updates
CWE-838. Inappropriate encoding for output context
  • 348. Use consistent encoding
CWE-862. Missing authorization
  • 319. Make authentication options equally secure
CWE-915. Improperly controlled modification of dynamically-determined object attributes
  • 342. Validate request parameters
  • 344. Avoid dynamic code execution
CWE-916. Use of password hash with insufficient computational effort
  • 127. Store hashed passwords
  • 134. Store passwords with salt
  • 135. Passwords with random salt
  • 333. Store salt values separately
CWE-918. Server-side request forgery (SSRF)
  • 173. Discard unsafe inputs
  • 324. Control redirects
CWE-922. Insecure storage of sensitive information
  • 329. Keep client-side storage without sensitive data
  • 339. Avoid storing sensitive files in the web root
CWE-923. Improper restriction of communication channel to intended endpoints
  • 259. Segment the organization network
  • 273. Define a fixed security suite
CWE-1004. Sensitive cookie without 'HttpOnly' flag
  • 029. Cookies with security attributes
CWE-1021. Improper restriction of rendered UI layers or frames
  • 340. Use octet stream downloads
  • 349. Include HTTP security headers
CWE-1022. Use of web link to untrusted target with window.opener access
  • 324. Control redirects
CWE-1041. Use of redundant code
  • 171. Remove commented-out code
CWE-1085. Invokable control element with excessive volume of commented-out code
  • 171. Remove commented-out code
CWE-1120. Excessive code complexity
  • 379. Keep low McCabe cyclomatic complexity
CWE-1121. Excessive McCabe cyclomatic complexity
  • 379. Keep low McCabe cyclomatic complexity
CWE-1192. System-on-Chip (SoC) using components without unique identifiers
  • 352. Enable trusted execution
CWE-1204. Generation of weak initialization vector (IV)
  • 372. Proper use of initialization vector (IV)
CWE-1230. Exposure of sensitive information through metadata
  • 045. Remove metadata when sharing files
CWE-1233. Improper hardware lock protection for security sensitive controls
  • 351. Assign unique keys to each device
  • 352. Enable trusted execution
CWE-1262. Improper access control for register interface
  • 235. Define credential interface
  • 252. Configure key encryption
CWE-1269. Product released in non-release configuration
  • 078. Disable debugging events
  • 154. Eliminate backdoors
  • 159. Obfuscate code
CWE-1272. Sensitive information uncleared before debug/power state transition
  • 360. Remove unnecessary sensitive information
CWE-1275. Sensitive cookie with improper SameSite attribute
  • 029. Cookies with security attributes
CWE-1284. Improper validation of specified quantity in input
  • 173. Discard unsafe inputs
CWE-1287. Improper validation of specified type of input
  • 173. Discard unsafe inputs
CWE-1295. Debug messages revealing unnecessary information
  • 083. Avoid logging sensitive data
CWE-1325. Improperly controlled sequential memory allocation
  • 072. Set maximum response time
  • 158. Use a secure programming language
  • 164. Use optimized structures
  • 173. Discard unsafe inputs
CWE-1390. Weak authentication
  • 228. Authenticate using standard protocols
  • 264. Request authentication
  • 319. Make authentication options equally secure
  • 334. Avoid knowledge-based authentication
  • 362. Assign MFA mechanisms to a single account
CWE-1391. Use of weak credentials
  • 130. Limit password lifespan
  • 132. Passphrases with at least 4 words
  • 133. Passwords with at least 20 characters
  • 135. Passwords with random salt
  • 139. Set minimum OTP length
  • 332. Prevent the use of breached passwords
CWE-1392. Use of default credentials
  • 142. Change system default credentials
  • 266. Disable insecure functionalities
CWE-1393. Use of default password
  • 142. Change system default credentials
  • 266. Disable insecure functionalities
CWE-1394. Use of default cryptographic key
  • 142. Change system default credentials
  • 266. Disable insecure functionalities
CWE-1395. Dependency on vulnerable third-party component
  • 262. Verify third-party components