CWE-348 | The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
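A common instance of CWE-348 is taking the client address from the X-Forwarded-For header rather than from the TCP peer the kernel reports. The following is an added example, not code from the CWE entry or any project: the trusted proxy range, the internal network and the request shapes are constructed for illustration, and the hardened version assumes a single layer of reverse proxies (so the last X-Forwarded-For entry is the one our own proxy appended).

```python
import ipaddress

# Constructed for this example: the reverse proxies we operate. Only a
# connection that arrives from one of these may carry a trustworthy
# X-Forwarded-For header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed: admin features are allowed from this network only.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def client_ip_weak(peer_addr: str, headers: dict) -> str:
    """CWE-348: two sources for the client address exist (the TCP peer and the
    X-Forwarded-For header) and the less trusted one wins whenever present."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()  # the client can set this freely
    return peer_addr


def client_ip_hardened(peer_addr: str, headers: dict) -> str:
    """Use the socket peer unless it is one of our proxies; in that case use the
    last X-Forwarded-For entry, which is the address the proxy itself appended
    (assumes one layer of proxies; earlier entries are client-supplied)."""
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return peer_addr
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return peer_addr  # malformed header: fall back to what the kernel told us


def admin_allowed(ip: str) -> bool:
    """Security decision that depends on which source supplied the address."""
    return ipaddress.ip_address(ip) in INTERNAL_NET
```

An external client at 203.0.113.5 sending `X-Forwarded-For: 10.1.2.3` passes `admin_allowed` under the weak version and is correctly seen as 203.0.113.5 under the hardened one; behind a real proxy, the proxy-appended entry is used and any client-prepended entries are ignored.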
CWE-349 | The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
CWE-35 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
CWE-350 | The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
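Whoever controls the reverse zone for a source address controls what its PTR record says, so a check based on the PTR name alone can be satisfied by an attacker pointing their own PTR at a trusted hostname. The standard fix is forward-confirmed reverse DNS: resolve the PTR name forward again and require the connecting address to be among the results. The following is an added example, not code from the CWE entry or any project. The zone data, the trusted domain and the attacker's netblock are constructed so the example runs offline; the `live_reverse` and `live_forward` hooks show how the same functions would be wired to the real resolver.

```python
import socket

# Constructed zone data standing in for the live DNS. The attacker owns the
# reverse zone for 198.51.100.0/24 and has pointed its PTR at our hostname.
PTR_RECORDS = {
    "203.0.113.10": "relay1.example.com",   # genuinely ours
    "198.51.100.7": "relay1.example.com",   # attacker-controlled PTR
}
A_RECORDS = {
    "relay1.example.com": {"203.0.113.10"},
}
TRUSTED_DOMAIN = "example.com"  # constructed


def stub_reverse(ip: str):
    return PTR_RECORDS.get(ip)


def stub_forward(host: str):
    return A_RECORDS.get(host, set())


def live_reverse(ip: str):
    """Real resolver hook: PTR lookup via the standard library (not used in the test)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(host: str):
    """Real resolver hook: A/AAAA lookup via the standard library (not used in the test)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def in_trusted_domain(host: str) -> bool:
    # Suffix check anchored on a label boundary, so 'notexample.com' does not match.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def is_trusted_peer_weak(ip: str, reverse=stub_reverse) -> bool:
    """CWE-350: decides on the PTR name alone. Whoever controls the reverse zone
    for the source address controls the outcome."""
    host = reverse(ip)
    return host is not None and in_trusted_domain(host)


def is_trusted_peer_fcrdns(ip: str, reverse=stub_reverse, forward=stub_forward) -> bool:
    """Forward-confirmed reverse DNS: the name from the PTR must itself resolve
    back to the address that connected. The attacker can set a PTR for their own
    address range but cannot add records to our forward zone."""
    host = reverse(ip)
    if host is None or not in_trusted_domain(host):
        return False
    return ip in forward(host)
```

The weak check accepts both 203.0.113.10 and the attacker's 198.51.100.7; the forward-confirmed check accepts only the address that relay1.example.com actually resolves to.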
CWE-351 | The software does not properly distinguish between different types of elements in a way that leads to insecure behavior.
CWE-352 | The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
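The point of CWE-352 is that a request being well-formed and carrying a valid session cookie says nothing about who initiated it, because the browser attaches the cookie to a form post from any site. The following is an added example, not code from the CWE entry or any project: it models a transfer endpoint as a function over a request dictionary and contrasts a handler that acts on any authenticated POST with one that demands a session-bound anti-CSRF token (which a cross-site page cannot read) and checks the Origin header when one is present. The secret, site origin and request shapes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: server-side secret and the site's own origin.
CSRF_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). Binding it to the session
    means a token issued to one user is useless inside another user's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def transfer_weak(request: dict) -> bool:
    """CWE-352: a well-formed POST carrying a valid session cookie is acted on.
    The browser attaches that cookie to a cross-site form post as well."""
    if request["method"] != "POST" or "session" not in request["cookies"]:
        return False
    return True  # transfer executed


def transfer_hardened(request: dict) -> bool:
    """Require evidence that the user's own page made the request: a token bound
    to the session that a third-party page cannot read, plus an Origin check
    whenever the browser sent the header."""
    if request["method"] != "POST" or "session" not in request["cookies"]:
        return False
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return verify_csrf_token(request["cookies"]["session"], request["form"].get("csrf"))
```

The forged request below has the victim's cookie and a valid form body but no token; the weak handler executes it, the hardened one does not, and the token check alone is sufficient even when the Origin header is absent.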
CWE-353 | The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
CWE-354 | The software does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
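The following added example serves both CWE-353 and CWE-354; it is not code from either entry or from any project, and the frame layout, key and message are constructed for illustration. A length-prefixed frame carries a CRC32 trailer; one receiver parses the frame but never compares the trailer (CWE-354), the other validates length and checksum and so catches a flipped bit. Because a CRC can be recomputed by anyone who alters the payload, the example also goes one step beyond the entries' wording and shows the same frame protected by an HMAC, which is what the integrity mechanism of CWE-353 must be when the threat is an active attacker rather than line noise.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layouts for this example:
#   CRC frame:  4-byte big-endian length | payload | 4-byte CRC32(payload)
#   MAC frame:  4-byte big-endian length | payload | 32-byte HMAC-SHA256(key, length || payload)


def encode_frame(payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + payload + struct.pack(">I", zlib.crc32(payload))


def decode_frame_unchecked(frame: bytes) -> bytes:
    """CWE-354: the trailer is on the wire but never compared, so corruption
    passes through silently."""
    (n,) = struct.unpack(">I", frame[:4])
    return frame[4:4 + n]


def decode_frame_checked(frame: bytes) -> bytes:
    """Validates framing and the CRC; raises on any mismatch."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    (n,) = struct.unpack(">I", frame[:4])
    if len(frame) != 8 + n:
        raise ValueError("length field disagrees with frame size")
    payload = frame[4:4 + n]
    (crc,) = struct.unpack(">I", frame[4 + n:8 + n])
    if crc != zlib.crc32(payload):
        raise ValueError("checksum mismatch")
    return payload


def encode_frame_mac(payload: bytes, key: bytes) -> bytes:
    """Same framing, but the trailer is a keyed MAC over length and payload,
    so it cannot be recomputed without the key."""
    header = struct.pack(">I", len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def decode_frame_mac(frame: bytes, key: bytes) -> bytes:
    if len(frame) < 36:
        raise ValueError("frame too short")
    (n,) = struct.unpack(">I", frame[:4])
    if len(frame) != 36 + n:
        raise ValueError("length field disagrees with frame size")
    header, payload, tag = frame[:4], frame[4:4 + n], frame[4 + n:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return payload


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulates a single-bit transmission error."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)
```

Flipping one bit of the payload turns `SET balance=100` into `SET calance=100`; the unchecked receiver hands that to the application, the checked receiver raises. Re-encoding a different payload with a fresh CRC is accepted by the CRC receiver, which is why the MAC variant is the right tool when modification, not just corruption, is in scope.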
CWE-356 | The software's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.
CWE-357 | The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.