CVE Defination
Name
.NET Misconfiguration: Use of Impersonation
Access Control (Authorization) Issues
Access Control Bypass Through User-Controlled Key
Access Control Bypass Through User-Controlled SQL Primary Key
Access of Memory Location After End of Buffer
Access of Memory Location Before Start of Buffer
Access to Critical Private Variable via Public Method
Addition of Data Structure Sentinel
Algorithmic Complexity
Allocation of File Descriptors or Handles Without Limits or Throttling
Allocation of Resources Without Limits or Throttling
Always-Incorrect Control Flow Implementation
Apple '.DS_Store'
Argument Injection or Modification
Array Declared Public, Final, and Static
ASP.NET Misconfiguration: Creating Debug Binary
ASP.NET Misconfiguration: Missing Custom Error Page
ASP.NET Misconfiguration: Not Using Input Validation Framework
ASP.NET Misconfiguration: Password in Configuration File
ASP.NET Misconfiguration: Use of Identity Impersonation
Assigning instead of Comparing
Assignment of a Fixed Address to a Pointer
Asymmetric Resource Consumption (Amplification)
Attempt to Access Child of a Non-structure Pointer
Authentication Bypass by Alternate Name
Authentication Bypass by Assumed-Immutable Data
Authentication Bypass by Capture-replay
Authentication Bypass by Primary Weakness
Authentication Bypass by Spoofing
Authentication Bypass Issues
Authentication Bypass Using an Alternate Path or Channel
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Behavioral Change in New Version or Environment
Buffer Access Using Size of Source Buffer
Buffer Access with Incorrect Length Value
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Buffer Over-read
Buffer Under-read
Buffer Underwrite ('Buffer Underflow')
Call to Non-ubiquitous API
Call to Thread run() instead of start()
Cleartext Storage of Sensitive Information
Cleartext Transmission of Sensitive Information
Client-Side Enforcement of Server-Side Security
clone() Method Without super.clone()
Coding Standards Violation
Collapse of Data Into Unsafe Value
Command Shell in Externally Accessible Directory
Comparing instead of Assigning
Comparison of Classes by Name
Comparison of Object References Instead of Object Contents
Compiler Optimization Removal or Modification of Security-critical Code
Compiler Removal of Code to Clear Buffers
Containment Errors (Container Errors)
Covert Channel
Covert Storage Channel
Covert Timing Channel
Critical Public Variable Without Final Modifier
Critical Variable Declared Public
Dangerous Handler not Disabled During Sensitive Operations
Dangling Database Cursor ('Cursor Injection')
Data Leak Between Sessions
Dead Code
Declaration of Catch for Generic Exception
Declaration of Throws for Generic Exception
Deletion of Data Structure Sentinel
Deployment of Wrong Handler
DEPRECATED (Duplicate): Covert Timing Channel
DEPRECATED (Duplicate): Failure to provide confidentiality for stored data
DEPRECATED (Duplicate): General Information Management Problems
DEPRECATED (Duplicate): HTTP response splitting
DEPRECATED (Duplicate): Miscalculated Null Termination
DEPRECATED (Duplicate): Proxied Trusted Channel
DEPRECATED: Failure to Protect Stored Data from Modification
DEPRECATED: Improper Sanitization of Custom Special Characters
DEPRECATED: Incorrect Initialization
DEPRECATED: Often Misused: Path Manipulation
Deserialization of Untrusted Data
Detection of Error Condition Without Action
Direct Request ('Forced Browsing')
Direct Use of Unsafe JNI
Divide By Zero
Double Decoding of the Same Data
Double Free
Double-Checked Locking
Doubled Character XSS Manipulations
Download of Code Without Integrity Check
Duplicate Key in Associative List (Alist)
Duplicate Operations on Resource
Dynamic Variable Evaluation
EJB Bad Practices: Use of AWT Swing
EJB Bad Practices: Use of Class Loader
EJB Bad Practices: Use of Java I/O
EJB Bad Practices: Use of Sockets
EJB Bad Practices: Use of Synchronization Primitives
Embedded Malicious Code
Empty Password in Configuration File
Empty Synchronized Block
Encoding Error
Executable Regular Expression Error
Execution with Unnecessary Privileges
Expected Behavior Violation
Explicit Call to Finalize()
Exposed Dangerous Method or Function
Exposed IOCTL with Insufficient Access Control
Exposed Unsafe ActiveX Method
Exposure of Access Control List Files to an Unauthorized Control Sphere
Exposure of Backup File to an Unauthorized Control Sphere
Exposure of Core Dump File to an Unauthorized Control Sphere
Exposure of CVS Repository to an Unauthorized Control Sphere
Exposure of Resource to Wrong Sphere
Exposure of System Data to an Unauthorized Control Sphere
Expression is Always False
Expression is Always True
External Control of Assumed-Immutable Web Parameter
External Control of Critical State Data
External Control of File Name or Path
External Control of System or Configuration Setting
External Influence of Sphere Definition
External Initialization of Trusted Variables or Data Stores
Externally Controlled Reference to a Resource in Another Sphere
Failure to Catch All Exceptions in Servlet
Failure to Clear Heap Memory Before Release ('Heap Inspection')
Failure to Constrain Operations within the Bounds of a Memory Buffer
Failure to Control Generation of Code ('Code Injection')
Failure to Follow Specification
Failure to Fulfill API Contract ('API Abuse')
Failure to Handle Alternate Encoding
Failure to Handle Exceptional Conditions
Failure to Handle Incomplete Element
Failure to Handle Missing Parameter
Failure to Handle Mixed Encoding
Failure to Handle Unicode Encoding
Failure to Handle URL Encoding (Hex Encoding)
Failure to Handle Windows ::DATA Alternate Data Stream
Failure to Change Working Directory in chroot Jail
Failure to Preserve Web Page Structure ('Cross-site Scripting')
Failure to Protect Alternate Path
Failure to Provide Specified Functionality
Failure to Release Memory Before Removing Last Reference ('Memory Leak')
Failure to Report Error in Status Code
Failure to Resolve Case Sensitivity
Failure to Resolve Encoded URI Schemes in a Web Page
Failure to Resolve Equivalent Special Elements into a Different Plane
Failure to Resolve Inconsistent Special Elements
Failure to Sanitize Alternate XSS Syntax
Failure to Sanitize CRLF Sequences ('CRLF Injection')
Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Failure to Sanitize Data into a Different Plane ('Injection')
Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
Failure to Sanitize Delimiters
Failure to Sanitize Input Leaders
Failure to Sanitize Paired Delimiters
Failure to Sanitize Quoting Syntax
Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
Failure to Sanitize Special Element
Failure to Sanitize Special Elements into a Different Plane (Special Element
Injection)
Failure to Use a Standardized Error Handling Mechanism
Failure to Use Complete Mediation
Failure to Use Economy of Mechanism
File and Directory Information Exposure
Files or Directories Accessible to External Parties
finalize() Method Declared Public
finalize() Method Without super.finalize()
Free of Memory not on the Heap
Free of Pointer not at Start of Buffer
Function Call With Incorrect Argument Type
Function Call With Incorrect Number of Arguments
Function Call With Incorrect Order of Arguments
Function Call With Incorrect Variable or Reference as Argument
Function Call With Incorrectly Specified Argument Value
Function Call with Incorrectly Specified Arguments
Guessable CAPTCHA
Heap-based Buffer Overflow
Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Improper Access Control (Authorization)
Improper Access of Indexable Resource ('Range Error')
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Improper Authentication
Improper Cleanup on Thrown Exception
Improper Control of a Resource Through its Lifetime
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP
File Inclusion')
Improper Control of Interaction Frequency
Improper Control of Resource Identifiers ('Resource Injection')
Improper Cross-boundary Removal of Sensitive Data
Improper Encoding or Escaping of Output
Improper Enforcement of Message or Data Structure
Improper Filtering of Special Elements
Improper Following of Chain of Trust for Certificate Validation
Improper Handling of Additional Special Element
Improper Handling of Apple HFS+ Alternate Data Stream Path
Improper Handling of Exceptional Conditions
Improper Handling of Extra Parameters
Improper Handling of Extra Values
Improper Handling of File Names that Identify Virtual Resources
Improper Handling of Highly Compressed Data (Data Amplification)
Improper Handling of Incomplete Structural Elements
Improper Handling of Inconsistent Structural Elements
Improper Handling of Insufficient Permissions or Privileges
Improper Handling of Insufficient Privileges
Improper Handling of Length Parameter Inconsistency
Improper Handling of Missing Special Element
Improper Handling of Missing Values
Improper Handling of Structural Elements
Improper Handling of Syntactically Invalid Structure
Improper Handling of Undefined Parameters
Improper Handling of Undefined Values
Improper Handling of Unexpected Data Type
Improper Handling of Values
Improper Handling of Windows Device Names
Improper Check for Certificate Revocation
Improper Check for Dropped Privileges
Improper Check for Unusual or Exceptional Conditions
Improper Initialization
Improper Input Validation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Link Resolution Before File Access ('Link Following')
Improper Neutralization of Comment Delimiters
Improper Neutralization of Data within XPath Expressions ('XPath injection')
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Improper Neutralization of Directives in Statically Saved Code ('Static Code
Injection')
Improper Neutralization of Escape, Meta, or Control Sequences
Improper Neutralization of Expression/Command Delimiters
Improper Neutralization of HTTP Headers for Scripting Syntax
Improper Neutralization of Input Terminators
Improper Neutralization of Internal Special Elements
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Improper Neutralization of Leading Special Elements
Improper Neutralization of Line Delimiters
Improper Neutralization of Macro Symbols
Improper Neutralization of Multiple Internal Special Elements
Improper Neutralization of Multiple Leading Special Elements
Improper Neutralization of Multiple Trailing Special Elements
Improper Neutralization of Null Byte or NUL Character
Improper Neutralization of Parameter/Argument Delimiters
Improper Neutralization of Record Delimiters
Improper Neutralization of Script in Attributes in a Web Page
Improper Neutralization of Section Delimiters
Improper Neutralization of Special Elements
Improper Neutralization of Substitution Characters
Improper Neutralization of Trailing Special Elements
Improper Neutralization of Value Delimiters
Improper Neutralization of Variable Name Delimiters
Improper Neutralization of Whitespace
Improper Neutralization of Wildcards or Matching Symbols
Improper Null Termination
Improper Output Sanitization for Logs
Improper Ownership Management
Improper Preservation of Permissions
Improper Privilege Management
Improper Resolution of Path Equivalence
Improper Resource Shutdown or Release
Improper Restriction of Excessive Authentication Attempts
Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval
Injection')
Improper Sanitization of Script in an Error Message Web Page
Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS)
Improper Sanitization of Special Elements used in a Command ('Command Injection')
Improper Sanitization of Special Elements used in an OS Command ('OS Command
Injection')
Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
Improper Validation of Array Index
Improper Validation of Certificate Expiration
Improper Validation of Host-specific Certificate Data
Improper Validation of Integrity Check Value
Improper Verification of Cryptographic Signature
Improperly Implemented Security Check for Standard
Inadequate Encryption Strength
Incomplete Blacklist
Incomplete Cleanup
Incomplete Filtering of Multiple Instances of Special Elements
Incomplete Filtering of One or More Instances of Special Elements
Incomplete Filtering of Special Elements
Incomplete Identification of Uploaded File Variables (PHP)
Incomplete Model of Endpoint Features
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Incorrect Behavior Order
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Incorrect Behavior Order: Early Amplification
Incorrect Behavior Order: Early Validation
Incorrect Behavior Order: Validate Before Canonicalize
Incorrect Behavior Order: Validate Before Filter
Incorrect Block Delimitation
Incorrect Calculation
Incorrect Calculation of Buffer Size
Incorrect Calculation of Multi-Byte String Length
Incorrect Control Flow Scoping
Incorrect Conversion between Numeric Types
Incorrect Default Permissions
Incorrect Execution-Assigned Permissions
Incorrect Check of Function Return Value
Incorrect Implementation of Authentication Algorithm
Incorrect Ownership Assignment
Incorrect Permission Assignment for Critical Resource
Incorrect Pointer Scaling
Incorrect Privilege Assignment
Incorrect Regular Expression
Incorrect Resource Transfer Between Spheres
Incorrect Semantic Object Comparison
Incorrect Short Circuit Evaluation
Incorrect Type Conversion or Cast
Incorrect Use of Privileged APIs
Incorrect User Management
Indicator of Poor Code Quality
Information Exposure
Information Exposure Through an Error Message
Information Exposure Through an External Behavioral Inconsistency
Information Exposure Through Behavioral Discrepancy
Information Exposure Through Discrepancy
Information Leak Through Browser Caching
Information Leak Through Caching
Information Leak through Class Cloning
Information Leak Through Cleanup Log Files
Information Leak Through Comments
Information Leak Through Debug Information
Information Leak Through Debug Log Files
Information Leak Through Directory Listing
Information Leak Through Environmental Variables
Information Leak Through Include Source Code
Information Leak Through Indexing of Private Data
Information Leak Through Java Runtime Error Message
Information Leak Through Log Files
Information Leak Through Persistent Cookies
Information Leak Through Query Strings in GET Request
Information Leak Through Sent Data
Information Leak Through Server Error Message
Information Leak Through Server Log Files
Information Leak Through Servlet Runtime Error Message
Information Leak Through Shell Error Message
Information Leak Through Source Code
Information Leak Through Test Code
Information Leak through WSDL File
Information Leak Through XML External Entity File Disclosure
Information Loss or Omission
Insecure Default Variable Initialization
Insecure Inherited Permissions
Insecure Preserved Inherited Permissions
Insufficient Comparison
Insufficient Compartmentalization
Insufficient Control Flow Management
Insufficient Control of Network Message Volume (Network Amplification)
Insufficient Encapsulation
Insufficient Entropy
Insufficient Entropy in PRNG
Insufficient Filtering of File and Other Resource Names for Executable Content
Insufficient Locking
Insufficient Logging
Insufficient Psychological Acceptability
Insufficient Resource Locking
Insufficient Resource Pool
Insufficient Session Expiration
Insufficient Synchronization
Insufficient Verification of Data Authenticity
Insufficiently Protected Credentials
Integer Overflow or Wraparound
Integer Underflow (Wrap or Wraparound)
Intended Information Leak
Interaction Error
Internal Behavioral Inconsistency Information Leak
Interpretation Conflict
J2EE Bad Practices: Direct Management of Connections
J2EE Bad Practices: Direct Use of Sockets
J2EE Bad Practices: Direct Use of Threads
J2EE Bad Practices: Non-serializable Object Stored in Session
J2EE Bad Practices: Use of System.exit()
J2EE Framework: Saving Unserializable Objects to Disk
J2EE Misconfiguration: Data Transmission Without Encryption
J2EE Misconfiguration: Entity Bean Declared Remote
J2EE Misconfiguration: Insufficient Session-ID Length
J2EE Misconfiguration: Missing Custom Error Page
J2EE Misconfiguration: Plaintext Password in Configuration File
J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Lack of Administrator Control over Security
Least Privilege Violation
Leftover Debug Code
Logging of Excessive Data
Logic/Time Bomb
Misinterpretation of Input
Mismatched Memory Management Routines
Missing Authentication for Critical Function
Missing Critical Step in Authentication
Missing Custom Error Page
Missing Default Case in Switch Statement
Missing Encryption of Sensitive Data
Missing Handler
Missing Initialization
Missing Lock Check
Missing Password Field Masking
Missing Reference to Active Allocated Resource
Missing Reference to Active File Descriptor or Handle
Missing Release of File Descriptor or Handle after Effective Lifetime
Missing Release of Resource after Effective Lifetime
Missing XML Validation
Modification of Assumed-Immutable Data (MAID)
Multiple Binds to the Same Port
Multiple Interpretations of UI Input
Multiple Locks of a Critical Resource
Multiple Unlocks of a Critical Resource
Non-exit on Failed Initialization
Non-Replicating Malicious Code
Not Failing Securely ('Failing Open')
Not Using Password Aging
Null Byte Interaction Error (Poison Null Byte)
NULL Pointer Dereference
Numeric Truncation Error
Object Model Violation: Just One of Equals and Hashcode Defined
Obscured Security-relevant Information by Alternate Name
Obsolete Feature in UI
Off-by-one Error
Omission of Security-relevant Information
Omitted Break Statement in Switch
Only Filtering One Instance of a Special Element
Only Filtering Special Elements at a Specified Location
Only Filtering Special Elements at an Absolute Position
Only Filtering Special Elements Relative to a Marker
Operation on a Resource after Expiration or Release
Operation on Resource in Wrong Phase of Lifetime
Operator Precedence Logic Error
Origin Validation Error
Out-of-bounds Read
Out-of-bounds Write
Overly Restrictive Account Lockout Mechanism
Overly Restrictive Regular Expression
Parameter Problems
Partial Comparison
Password Aging with Long Expiration
Password in Configuration File
Path Equivalence: ' filename (Leading Space)
Path Equivalence: '/./' (Single Dot Directory)
Path Equivalence: '//multiple/leading/slash'
Path Equivalence: '/multiple//internal/slash'
Path Equivalence: '/multiple/trailing/slash//'
Path Equivalence: '\multiple\\internal\backslash'
Path Equivalence: 'fakedir/../realdir/filename'
Path Equivalence: 'file name' (Internal Whitespace)
Path Equivalence: 'file...name' (Multiple Internal Dot)
Path Equivalence: 'file.name' (Internal Dot)
Path Equivalence: 'filedir*' (Wildcard)
Path Equivalence: 'filedir\' (Trailing Backslash)
Path Equivalence: 'filename ' (Trailing Space)
Path Equivalence: 'filename....' (Multiple Trailing Dot)
Path Equivalence: 'filename.' (Trailing Dot)
Path Equivalence: 'filename/' (Trailing Slash)
Path Equivalence: Windows 8.3 Filename
Path Traversal: '../filedir'
Path Traversal: '..\filedir'
Path Traversal: '/../filedir'
Path Traversal: '/dir/../filename'
Path Traversal: '\..\filename'
Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Path Traversal: '\dir\..\filename'
Path Traversal: 'C:dirname'
Path Traversal: 'dir/../../filename'
Path Traversal: 'dir\..\..\filename'
Permissive Regular Expression
Permissive Whitelist
PHP External Variable Modification
Plaintext Storage in a File or on Disk
Plaintext Storage in the Registry
Plaintext Storage of a Password
Privacy Leak through Data Queries
Private Array-Typed Field Returned From A Public Method
Privilege Context Switching Error
Privilege Defined With Unsafe Actions
Privilege Dropping / Lowering Errors
Privilege Chaining
PRNG Seed Error
Process Control
Process Environment Information Leak
Product-External Error Message Information Leak
Product-Generated Error Message Information Leak
Protection Mechanism Failure
Public cloneable() Method Without Final ('Object Hijack')
Public Data Assigned to Private Array-Typed Field
Public Static Field Not Marked Final
Public Static Final Field References Mutable Object
Race Condition
Race Condition During Access to Alternate Channel
Reachable Assertion
Redirect Without Exit
Reflection Attack in an Authentication Protocol
Regular Expression without Anchors
Relative Path Traversal
Release of Invalid Pointer or Reference
Reliance on a Single Factor in a Security Decision
Reliance on Cookies without Validation and Integrity Checking
Reliance on Cookies without Validation and Integrity Checking in a Security
Decision
Reliance on Data/Memory Layout
Reliance on DNS Lookups in a Security Decision
Reliance on File Name or Extension of Externally-Supplied File
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without
Integrity Checking
Reliance on Package-level Scope
Reliance on Security through Obscurity
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Reliance on Untrusted Inputs in a Security Decision
Replicating Malicious Code (Virus or Worm)
Response Discrepancy Information Leak
Return Inside Finally Block
Return of Pointer Value Outside of Expected Range
Return of Stack Variable Address
Return of Wrong Status Code
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Sensitive Data Storage in Improperly Locked Memory
Sensitive Data Under FTP Root
Sensitive Data Under Web Root
Sensitive Information Uncleared Before Release
Serializable Class Containing Sensitive Data
Signed to Unsigned Conversion Error
Spyware
SQL Injection: Hibernate
Stack-based Buffer Overflow
Storing Passwords in a Recoverable Format
Struts: Duplicate Validation Forms
Struts: Form Bean Does Not Extend Validation Class
Struts: Form Field Without Validator
Struts: Incomplete validate() Method Definition
Struts: Non-private Field in ActionForm Class
Struts: Plug-in Framework not in Use
Struts: Unused Validation Form
Struts: Unvalidated Action Form
Struts: Validator Turned Off
Struts: Validator Without Form Field
Suspicious Comment
Symbolic Name not Mapping to Correct Object
The UI Performs the Wrong Action
Time-of-check Time-of-use (TOCTOU) Race Condition
Timing Discrepancy Information Leak
Transmission of Private Resources into a New Sphere ('Resource Leak')
Trapdoor
Trojan Horse
Truncation of Security-relevant Information
Trust Boundary Violation
Trust of OpenSSL Certificate Without Validation
Trusting HTTP Permission Methods on the Server Side
Trusting Self-reported DNS Name
UI Discrepancy for Security Feature
UI Misrepresentation of Critical Information
Uncaught Exception
Uncontrolled Format String
Uncontrolled Memory Allocation
Uncontrolled Recursion
Uncontrolled Resource Consumption ('Resource Exhaustion')
Uncontrolled Search Path Element
Undefined Behavior for Input to API
Unexpected Sign Extension
Unexpected Status Code or Return Value
Unchecked Error Condition
Unchecked Input for Loop Condition
Unchecked Return Value
Unimplemented or Unsupported Feature in UI
Unintended Proxy/Intermediary
UNIX File Descriptor Leak
UNIX Hard Link
Unparsed Raw Web Content Delivery
Unprotected Alternate Channel
Unprotected Primary Channel
Unprotected Transport of Credentials
Unprotected Windows Messaging Channel ('Shatter')
Unquoted Search Path or Element
Unrestricted Externally Accessible Lock
Unrestricted Recursive Entity References in DTDs ('XML Bomb')
Unrestricted Upload of File with Dangerous Type
Unsafe ActiveX Control Marked Safe For Scripting
Unsafe Function Call from a Signal Handler
Unsigned to Signed Conversion Error
Unsynchronized Access to Shared Data
Unused Variable
Unvalidated Function Hook Arguments
Unverified Ownership
Unverified Password Change
URL Redirection to Untrusted Site ('Open Redirect')
Use After Free
Use of a Broken or Risky Cryptographic Algorithm
Use of a Non-reentrant Function in an Unsynchronized Context
Use of a One-Way Hash with a Predictable Salt
Use of a One-Way Hash without a Salt
Use of Client-Side Authentication
Use of Cryptographically Weak PRNG
Use of Dynamic Class Loading
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe
Reflection')
Use of Function with Inconsistent Implementations
Use of getlogin() in Multithreaded Application
Use of Hard-coded Credentials
Use of Hard-coded Password
Use of Hard-coded, Security-relevant Constants
Use of Incorrect Byte Ordering
Use of Incorrect Operator
Use of Incorrectly-Resolved Name or Reference
Use of Inherently Dangerous Function
Use of Inner Class Containing Sensitive Data
Use of Insufficiently Random Values
Use of Low-Level Functionality
Use of Multiple Resources with Duplicate Identifier
Use of Non-Canonical URL Paths for Authorization Decisions
Use of NullPointerException Catch to Detect NULL Pointer Dereference
Use of Obsolete Functions
Use of Password System for Primary Authentication
Use of Path Manipulation Function without Maximum-sized Buffer
Use of Pointer Subtraction to Determine Size
Use of Potentially Dangerous Function
Use of RSA Algorithm without OAEP
Use of Single-factor Authentication
Use of Singleton Pattern in a Non-thread-safe Manner
Use of sizeof() on a Pointer Type
Use of umask() with chmod-style Argument
Use of Uninitialized Variable
Use of Wrong Operator in String Comparison
Using Referer Field for Authentication
Variable Extraction Error
Violation of Secure Design Principles
Weak Cryptography for Passwords
Weak Password Recovery Mechanism for Forgotten Password
Weak Password Requirements
Windows Hard Link
Windows Shortcut Following (.LNK)
Wrap-around Error
Write-what-where Condition
XML Injection (aka Blind XPath Injection)