| CWE ID | Description |
| --- | --- |
| CWE-249 | This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. |
| CWE-25 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/../" sequences that can resolve to a location outside of that directory. |
| CWE-250 | The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
| CWE-252 | The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-253 | The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. |
| CWE-256 | Storing a password in plaintext may result in a system compromise. |
| CWE-257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. Recoverable encrypted passwords provide no significant benefit over plaintext passwords, since they are subject to reuse not only by external attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute-force search on the available information, the administrator can use the password on other accounts. |
| CWE-258 | Using an empty string as a password is insecure. |
| CWE-259 | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-26 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" sequences that can resolve to a location outside of that directory. |