SAST CWE List

CWE-15

CWE-15: External Control of System or Configuration Setting

• Java

• OWASP 2021: A3: Injection

• SANS TOP25: CWE 15: External Control of System or Configuration Setting

Low

CWE-16

CWE-16: Configuration

• Android Java

• Kotlin Mobile

• Xamarin (C#)

• OWASP 2021: A5: Security Misconfiguration

Low

CWE-20

CWE-20: Improper Input Validation

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• JavaScript

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 134: Email Injection

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• NIST: SC 23: Session Authenticity

• OWASP: A2: Broken Authentication

• OWASP 2021: A3: Injection

• SANS TOP25: CWE 20: Improper Input Validation

• PCIDSS: PCI DSS 6.5.10: Broken Authentication and Session Management

Low

CWE-20

CWE-20: Mail Relay

• Python

• CAPEC: CAPEC 134: Email Injection

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP 2021: A3: Injection

• SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-20

CWE-20: Memcache Injection Vulnerability

• Python

• CAPEC: CAPEC 134: Email Injection

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP 2021: A3: Injection

• SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-22

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• ABAP

• ASP Classic/Visual Basic/VBScript

• C#

• C/C++ (Beta)

• ColdFusion

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• PLSQL

• Python

• R

• Ruby

• TypeScript

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 126: Path Traversal

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A5: Broken Access Control

• OWASP 2021: A1: Broken Access Control

• PCIDSS: PCI DSS 6.5.8: Improper Access Control

• SANS TOP25: CWE 22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

High

CWE-59

CWE-59: Improper Link Resolution Before File Access ('Link Following')

• Ruby

• OWASP 2021: A1: Broken Access Control

High

CWE-73

CWE-73: External Control of File Name or Path

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• PHP

• PLSQL

• Python

• R

• Ruby

• Swift

• VB.Net

• Xamarin (C#)

• iOS Objective-C

• CAPEC: CAPEC 165: File Manipulation

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP 2021: A4: Insecure Design

High

CWE-74

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

• Java

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-78

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

• ABAP

• ASP Classic/Visual Basic/VBScript

• C#

• C/C++ (Beta)

• Cobol

• ColdFusion

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• R

• Ruby

• TypeScript

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 88: OS Command Injection

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

• SANS TOP25: CWE 78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

High

CWE-79

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

• ABAP

• ASP Classic/Visual Basic/VBScript

• C#

• ColdFusion

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• PLSQL

• Python

• Ruby

• TypeScript

• VB.Net

• CAPEC: CAPEC 63: Cross Site Scripting (XSS)

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A7: Cross Site Scripting (XSS)

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.7: Cross Site Scripting (XSS)

• SANS TOP25: CWE 79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

High

CWE-89

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

• ABAP

• Android Java

• ASP Classic/Visual Basic/VBScript

• Apex

• C#

• C/C++ (Beta)

• Cobol

• ColdFusion

• Go

• Groovy

• iOS Objective-C

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• PLSQL

• Python

• R

• Ruby

• Swift

• TypeScript

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 66: SQL Injection

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

• SANS TOP25: CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

High

CWE-90

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

• C#

• C/C++ (Beta)

• Go

• Groovy

• Java

• JavaScript

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• Ruby

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 136: LDAP Injection

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCIDSS: PCI DSS 6.5.1: Injection Flaws

Medium

CWE-94

CWE-94: Improper Control of Generation of Code ('Code Injection')

• ABAP

• Android Java

• ASP Classic/Visual Basic/VBScript

• C#

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• R

• Ruby

• TypeScript

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 242: Code Injection

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

• SANS TOP25: CWE 94: Improper Control of Generation of Code (Code Injection)

High

CWE-98

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

• PHP

• CAPEC: CAPEC 252: PHP Local File Inclusion

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-113

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• Ruby

• TypeScript

• VB.Net

• CAPEC: CAPEC 34: HTTP Response Splitting

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP 2021: A3: Injection

Low

CWE-114

CWE-114: Process Control

• C/C++ (Beta)

• CAPEC: CAPEC 159: Redirect Access to Libraries

Low

CWE-117

CWE-117: Improper Output Neutralization for Logs

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• Python

• TypeScript

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 93: Log Injection Tampering Forging

• NIST: SI 10: Information Input Validation

• OWASP 2021: A9: Security Logging and Monitoring Failures

Low

CWE-121

CWE-121: Stack-based Buffer Overflow

• C/C++ (Beta)

• Cobol

• CAPEC: CAPEC 100: Overflow Buffers

• PCI DSS: PCI DSS 6.5.2: Buffer Overflows

High

CWE-125

CWE-125: Out-of-bounds Read

• C/C++ (Beta)

• CAPEC: CAPEC 540: Overread Buffers

• SANS TOP25: CWE 125: Out of bounds Read

Medium

CWE-134

CWE-134: Use of Externally-Controlled Format String

• C/C++ (Beta)

• Java

• TypeScript

• CAPEC: CAPEC 135: Format String Injection

High

CWE-190

CWE-190: Integer Overflow or Wraparound

• C/C++ (Beta)

• CAPEC: CAPEC 92: Forced Integer Overflow

• SANS TOP25: CWE 190: Integer Overflow or Wraparound

High

CWE-191

CWE-191: Integer Underflow (Wrap or Wraparound)

• C/C++ (Beta)

• Not standard-relevant

Medium

CWE-200

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

• Android Java

• iOS Objective-C

• TypeScript

• Kotlin Mobile

• Swift

• Xamarin (C#)

• CAPEC: CAPEC 124: Shared Resource Manipulation

• OWASP 2021: A1: Broken Access Control

Medium

CWE-209

CWE-209: Information Exposure Through an Error Message

• Android Java

• Apex

• C#

• Groovy

• iOS Objective-C

• Java

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• Swift

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 215: Fuzzing and observing application log data/errors for application mapping

• NIST: SI 11: Error Handling

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A4: Insecure Design

• PCI DSS: PCI DSS 6.5.5: Improper Error Handling

Medium

CWE-242

CWE-242: Use of Inherently Dangerous Function

• C/C++ (Beta)

• JavaScript

• Swift

• TypeScript

• iOS Objective-C

• Not standard-relevant

Low

CWE-244

CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')

• Android Java

• Apex

• C#

• C/C++ (Beta)

• Go

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• Python

• Ruby

• VB.Net

• Xamarin (C#)

• Not standard-relevant

Medium

CWE-250

CWE-250: Execution with Unnecessary Privileges

• Xamarin (C#)

• Not standard-relevant

Medium

CWE-295

CWE-295: Improper Certificate Validation

• Android Java

• Go

• TypeScript

• Kotlin Mobile

• Python

• Xamarin (C#)

• CAPEC: CAPEC 94: Man in the Middle Attack

• HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption

• OWASP 2021: A7: Identification and Authentication Failures

• SANS TOP25: CWE 295: Improper Certificate Validation

Medium

CWE-297

CWE-297: Improper Validation of Certificate with Host Mismatch

• Java

• CAPEC: CAPEC 475: Signature Spoofing by Improper Validation

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A7: Identification and Authentication Failures

Low

CWE-312

CWE-312: Cleartext Storage of Sensitive Information

• Java

• TypeScript

• Xamarin (C#)

• CAPEC: CAPEC 37: Retrieve Embedded Sensitive Data

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 28: Protection of Information at Rest

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A4: Insecure Design

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

High

CWE-319

CWE-319: Cleartext Transmission of Sensitive Information

• Android Java

• C#

• Java

• Java

• TypeScript

• Swift

• Xamarin (C#)

• iOS Objective-C

• CAPEC: CAPEC 337: Insufficient Transport Layer Protection

• HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption

• OWASP: A6: Security Misconfiguration

• OWASP 2021: A2: Cryptographic Failures

Medium

CWE-321

CWE-321: Use of Hard-coded Cryptographic Key

• Ruby

• NIST: SC 28: Protection of Information at Rest

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-322

CWE-322: Key Exchange without Entity Authentication

• Go

• CAPEC: CAPEC 94: Man in the Middle Attack

• HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption

• OWASP 2021: A2: Cryptographic Failures

Medium

CWE-325

CWE-325: Missing Cryptographic Step

• Java

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-326

CWE-326: Inadequate Encryption Strength

• Android Java

• C#

• Go

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• PHP

• Swift

• VB.Net

• Xamarin (C#)

• iOS Objective-C

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-327

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

• Java

• TypeScript

• Python

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-328

CWE-328: Use of Weak Hash

• Java

• TypeScript

• Python

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-335

CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

• Java

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-338

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

• ASP Classic/Visual Basic/VBScript

• Android Java

• C#

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• TypeScript

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-346

CWE-346: Origin Validation Error

• TypeScript

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A2: Broken Authentication

• OWASP 2021: A7: Identification and Authentication Failures

High

CWE-347

CWE-347: Improper Verification of Cryptographic Signature

• Java

• TypeScript

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A2: Broken Authentication

• OWASP 2021: A2: Cryptographic Failures

Medium

CWE-367

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

• C/C++ (Beta)

• CAPEC: CAPEC 29: Leveraging Time of Check and Time of Use (TOCTOU) Race Conditions

Medium

CWE-369

CWE-369: Divide By Zero

• C/C++ (Beta)

• Not standard-relevant

Low

CWE-377

CWE-377: Insecure Temporary File

• Go

• Python

• OWASP 2021: A1: Broken Access Control

Medium

CWE-384

CWE-384: Session Fixation

• PHP

• NIST: SC 23: Session Authenticity

• OWASP: A2: Broken Authentication

• OWASP 2021: A7: Identification and Authentication Failures

• PCIDSS: PCI DSS 6.5.10: Broken Authentication and Session Management

High

CWE-400

CWE-400: Uncontrolled Resource Consumption

• ABAP

• C#

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• TypeScript

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 492: Regular Expression Exponential Blowup

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SC 5: Denial of Service Protection (P1)

• SANS TOP25: CWE 400: Uncontrolled Resource Consumption

Medium

CWE-415

CWE-415: Double Free

• C/C++ (Beta)

• Not standard-relevant

High

CWE-416

CWE-416: Use After Free

• C/C++ (Beta)

• SANS TOP25: CWE 416: Use After Free

High

CWE-434

CWE-434: Unrestricted Upload of File with Dangerous Type

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Ruby

• VB.Net

• OWASP 2021: A4: Insecure Design

• SANS TOP25: CWE 434: Unrestricted Upload of File with Dangerous Type

Low

CWE-470

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

• Java

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP 2021: A4: Insecure Design

Medium

CWE-472

CWE-472: External Control of Assumed-Immutable Web Parameter

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• PHP

• Python

• VB.Net

• OWASP 2021: A4: Insecure Design

Medium

CWE-489

CWE-489: Active Debug Code

• Xamarin (C#)

• Not standard-relevant

Medium

CWE-497

CWE-497: Exposure of System Data to an Unauthorized Control Sphere

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• OWASP 2021: A1: Broken Access Control

Low

CWE-501

CWE-501: Trust Boundary Violation

• Apex

• C#

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 284: Improper Access Control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP 2021: A4: Insecure Design

Medium

CWE-502

CWE-502: Deserialization of Untrusted Data

• C#

• Groovy

• Java

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 586: Object Injection

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A8: Insecure Deserialization

• OWASP 2021: A8: Software and Data Integrity Failures

• SANS TOP25: CWE 502: Deserialization of Untrusted Data

High

CWE-530

CWE-530: Exposure of Backup File to an Unauthorized Control Sphere

• ASP Classic/Visual Basic/VBScript

• C#

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• PHP

• Python

• Ruby

• VB.Net

• Not standard-relevant

Low

CWE-532

CWE-532: Insertion of Sensitive Information into Log File

• Java

• CAPEC: CAPEC 215: Fuzzing and observing application log data/errors for application mapping

• OWASP: A10: Insufficient Logging & Monitoring

• OWASP 2021: A9: Security Logging and Monitoring Failures

Low

CWE-598

CWE-598: Use of GET Request Method With Sensitive Query Strings

• TypeScript

• OWASP 2021: A4: Insecure Design

Low

CWE-601

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• TypeScript

• VB.Net

• CAPEC: CAPEC 194: Fake the Source of Data

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP 2021: A1: Broken Access Control

Low

CWE-611

CWE-611: Improper Restriction of XML External Entity Reference

• C#

• Groovy

• Java

• JavaScript

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• R

• VB.Net

• CAPEC: CAPEC 201: Serialized Data External Linking

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• OWASP: A4: XML External Entities (XXE)

• OWASP 2021: A5: Security Misconfiguration

• PCIDSS: PCI DSS 6.5.1: Injection Flaws

• SANS TOP25: CWE 611: Improper Restriction of XML External Entity Reference

Medium

CWE-614

CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• C#

• TypeScript

• CAPEC: CAPEC 102: Session Sidejacking

• OWASP: A6: Security Misconfiguration

• OWASP 2021: A5: Security Misconfiguration

• PCIDSS: PCI DSS 6.5.10: Broken Authentication and Session Management

Low

CWE-643

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

• ASP Classic/Visual Basic/VBScript

• C#

• Go

• Groovy

• Java

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• VB.Net

• CAPEC: CAPEC 83: XPath Injection

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-676

CWE-676: Use of Potentially Dangerous Function

• ASP Classic/Visual Basic/VBScript

• Android Java

• C#

• C/C++ (Beta)

• Go

• Groovy

• iOS Objective-C

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• R

• Ruby

• Swift

• TypeScript

• VB.Net

• Xamarin (C#)

• Not standard-relevant

Medium

CWE-732

CWE-732: Incorrect Permission Assignment for Critical Resource

• Go

• Python

• SANS TOP25: CWE 732: Incorrect Permission Assignment for Critical Resource

High

CWE-749

CWE-749: Exposed Dangerous Method or Function

• Android Java

• Kotlin Mobile

• Swift

• Xamarin (C#)

• iOS Objective-C

• CAPEC: CAPEC 503: WebView Exposure

Medium

CWE-776

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

• TypeScript

• CAPEC: CAPEC 197: Exponential Data Expansion

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• OWASP: A4: XML External Entities (XXE)

• OWASP 2021: A5: Security Misconfiguration

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

Low

CWE-780

CWE-780: Use of RSA Algorithm without OAEP

• Java

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-787

CWE-787: Out-of-bounds Write

• C/C++ (Beta)

• CAPEC: CAPEC 123: Buffer Manipulation

• SANS TOP25: CWE 787: Out of bounds Write

High

CWE-789

CWE-789: Uncontrolled Memory Allocation

• C/C++ (Beta)

• Not standard-relevant

Low

CWE-798

CWE-798: Use of Hard-coded Credentials

• Android Java

• Apex

• C#

• Go

• Groovy

• Java

• JavaScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• R

• Ruby

• TypeScript

• VB.Net

• Xamarin (C#)

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 28: Protection of Information at Rest

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A7: Identification and Authentication Failures

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

• SANS TOP25: CWE 798: Use of Hard-coded Credentials

Medium

CWE-915

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

• Ruby

• OWASP 2021: A8: Software and Data Integrity Failures

High

CWE-916

CWE-916: Use of Password Hash With Insufficient Computational Effort

• C#

• Go

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• Python

• Ruby

• VB.Net

• Xamarin (C#)

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-917

CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection')

• Java

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCIDSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-918

CWE-918: Server-Side Request Forgery (SSRF)

• ASP Classic/Visual Basic/VBScript

• Apex

• C#

• Go

• Groovy

• Java

• JavaScript

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Python

• VB.Net

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A10: Server Side Request Forgery (SSRF)

• PCIDSS: PCI DSS 6.5.8: Improper Access Control

• SANS TOP25: CWE 918: Server Side Request Forgery (SSRF)

High

CWE-926

CWE-926: Improper Export of Android Application Components

• Android Java

• Kotlin Mobile

• Xamarin (C#)

• Not standard-relevant

Medium

CWE-941

CWE-941: Incorrectly Specified Destination in a Communication Channel

• ASP Classic/Visual Basic/VBScript

• C#

• Groovy

• Java

• Kotlin

• Kotlin Mobile

• PHP

• Python

• VB.Net

• CAPEC: CAPEC 134: Email Injection

Low

CWE-943

CWE-943: Improper Neutralization of Special Elements in Data Query Logic

• JavaScript

• Python

• TypeScript

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

High

CWE-1004

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

• C#

• Groovy

• Java

• TypeScript

• Kotlin

• Kotlin Mobile

• PHP

• Ruby

• VB.Net

• OWASP 2021: A5: Security Misconfiguration

Low

CWE-1104

CWE-1104: Use of Unmaintained Third Party Components

• Xamarin (C#)

• Not standard-relevant

Low

CWE-1204

CWE-1204: Generation of Weak Initialization Vector (IV)

• Java

• CAPEC: CAPEC 97: Cryptanalysis

• HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

• NIST: SC 13: Cryptographic Protection

• OWASP: A3: Sensitive Data Exposure

• OWASP 2021: A2: Cryptographic Failures

• PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-1327

CWE-1327: Binding to an Unrestricted IP Address

• Go

• Not standard-relevant

Medium

CWE-1333

CWE-1333: Inefficient Regular Expression Complexity

• C#

• TypeScript

• Python

• CAPEC: CAPEC 492: Regular Expression Exponential Blowup

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SC 5: Denial of Service Protection

• SANS TOP25: CWE 1333: Inefficient Regular Expression Complexity

Low

CWE-1336

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

• C#

• Python

• CAPEC: CAPEC 242: Code Injection

• HIPAA: 164.312 (a)(1): Standard: Access control

• HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

• NIST: SI 10: Information Input Validation

• OWASP: A1: Injection

• OWASP 2021: A3: Injection

• PCI DSS: PCI DSS 6.5.1: Injection Flaws

Medium