Cross-site scripting (XSS) tops the list
The weaknesses listed in MITRE's 2020 CWE Top 25 are dangerous because they are easy to find and exploit, and successful exploitation can let an attacker take full control of a vulnerable system, steal sensitive data, or trigger a denial of service (DoS). The list below is intended to give the community at large insight into the most critical and current software security weaknesses.
| Rank | ID | Name | Score |
|---|---|---|---|
| 1 | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.82 |
| 2 | | Out-of-bounds Write | 46.17 |
| 3 | | Improper Input Validation | 33.47 |
| 4 | | Out-of-bounds Read | 26.50 |
| 5 | | Improper Restriction of Operations within the Bounds of a Memory Buffer | 23.73 |
| 6 | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 20.69 |
| 7 | | Exposure of Sensitive Information to an Unauthorized Actor | 19.16 |
| 8 | | Use After Free | 18.87 |
| 9 | | Cross-Site Request Forgery (CSRF) | 17.29 |
| 10 | | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 16.44 |
| 11 | | Integer Overflow or Wraparound | 15.81 |
| 12 | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 13.67 |
| 13 | | NULL Pointer Dereference | 8.35 |
| 14 | | Improper Authentication | 8.17 |
| 15 | | Unrestricted Upload of File with Dangerous Type | 7.38 |
| 16 | | Incorrect Permission Assignment for Critical Resource | 6.95 |
| 17 | | Improper Control of Generation of Code ('Code Injection') | 6.53 |
| 18 | | Insufficiently Protected Credentials | 5.49 |
| 19 | | Improper Restriction of XML External Entity Reference | 5.33 |
| 20 | | Use of Hard-coded Credentials | 5.19 |
| 21 | | Deserialization of Untrusted Data | 4.93 |
| 22 | | Improper Privilege Management | 4.87 |
| 23 | | Uncontrolled Resource Consumption | 4.14 |
| 24 | | Missing Authentication for Critical Function | 3.85 |
| 25 | | Missing Authorization | 3.77 |
Top 10 most exploited vulnerabilities since 2016
| CVE | Associated Malware |
|---|---|
| | Loki, FormBook, Pony/FAREIT |
| | FINSPY, LATENTBOT, Dridex |
| | JexBoss |
| | Dridex |
| | China Chopper |
| | Multiple, using the EternalSynergy and EternalBlue Exploit Kit |
| | DOGCALL |
| | FINSPY, FinFisher, WingBird |
| | Toshliph, Uwarrior |
| | Kitty |