CWE-547 | The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
CWE-548 | A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
CWE-549 | The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
CWE-55 | A software system that accepts path input containing a single dot directory component ('/./') without appropriate validation can produce ambiguous path resolution, allowing an attacker to traverse the file system to unintended locations or access arbitrary files.
CWE-550 | Certain conditions, such as network failure, cause the server to display an error message whose contents can reveal sensitive information about the system to attackers.
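The following is an added example, not part of the CWE entry: a constructed backend call fails the way a network outage would, and the two handlers show how the same failure either leaks the internal host name and stack trace to the client, or returns a generic message with a reference ID while the detail stays in a server-side log. All names (fetch_report, handle_vulnerable, handle_hardened, the host name) are assumptions made for the illustration.

```python
"""Added example for CWE-550: leaking vs. non-leaking server error responses.

The backend failure, host name and handler names are constructed for this
illustration; nothing here comes from a real application.
"""
import traceback
import uuid


def fetch_report():
    """Constructed backend call that fails the way a network outage would."""
    raise ConnectionError("could not connect to db-primary.internal:5432 as app_user")


def handle_vulnerable(action):
    """Return (status, body). On failure the body carries the exception text and
    the stack trace, so the client learns host names, paths and code structure."""
    try:
        return 200, action()
    except Exception as exc:
        return 500, f"Server error: {exc}\n{traceback.format_exc()}"


def handle_hardened(action, log):
    """Return (status, body). The client gets only a generic message plus a
    reference ID; the full detail is appended to the server-side log under
    the same ID so operators can still correlate the two."""
    try:
        return 200, action()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.append((ref, traceback.format_exc()))  # detail stays server-side
        return 500, f"An internal error occurred. Reference: {ref}"


def reference_from_body(body):
    """Extract the reference ID the hardened handler put in the response body."""
    return body.rsplit("Reference: ", 1)[1].strip()


if __name__ == "__main__":
    status, body = handle_vulnerable(fetch_report)
    print("vulnerable:", status, body.splitlines()[0])
    server_log = []
    status, body = handle_hardened(fetch_report, server_log)
    print("hardened:  ", status, body)
    print("server log has", len(server_log), "entry; first line:",
          server_log[0][1].splitlines()[0])
```

The reference ID is what makes the generic message operationally acceptable: support staff can find the exact stack trace from the ID the user reports, without the client ever seeing it.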
CWE-551 | If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
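The following added example (not part of the CWE text) illustrates both CWE-55 and CWE-551 together. A constructed toy policy protects everything under /admin. The vulnerable check compares the raw request string against the prefix, so any equivalent spelling of the path, including the single dot directory form '/./admin', is allowed through and then resolved to /admin by the server. The fixed check percent-decodes and normalises first and matches on a path-segment boundary. The policy, the variant list and the function names are assumptions made for the illustration.

```python
"""Added example for CWE-55 and CWE-551: authorize the canonical path, not the raw URL.

Constructed toy policy: everything under /admin requires the "admin" role.
Nothing here is taken from a real server; the names are assumptions.
"""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"

# Constructed request paths that all resolve to /admin once the server decodes
# and normalises them, but none of which starts with the literal "/admin".
BYPASS_VARIANTS = [
    "/./admin",          # single dot directory (CWE-55)
    "/%2e/admin",        # same, percent-encoded
    "/public/../admin",  # dot-dot segment cancels the public prefix
    "/%61dmin",          # percent-encoded 'a'
    "//admin",           # duplicate slash
]


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to what the file system or router will actually use.

    Percent-decoding repeats until it reaches a fixed point so double-encoded
    input (%252e -> %2e -> .) cannot slip through; the loop is bounded.
    """
    path = raw_path
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    # posixpath.normpath keeps a leading '//' (POSIX lets it be special),
    # so collapse slash runs first, then resolve '.' and '..' segments.
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)


def is_authorized_vulnerable(raw_path: str, roles) -> bool:
    """CWE-551: the check runs on the raw URL before decoding or normalisation."""
    if raw_path.startswith(PROTECTED_PREFIX):
        return "admin" in roles
    return True


def is_authorized_fixed(raw_path: str, roles) -> bool:
    """Canonicalise first, then match on a path-segment boundary so that
    '/administrator-guide.html' is not mistaken for the protected tree."""
    path = canonicalize(raw_path)
    if path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/"):
        return "admin" in roles
    return True


def bypass_report(roles=()):
    """(raw, canonical, vulnerable_allows, fixed_allows) for every variant."""
    return [
        (raw, canonicalize(raw),
         is_authorized_vulnerable(raw, roles), is_authorized_fixed(raw, roles))
        for raw in BYPASS_VARIANTS
    ]


if __name__ == "__main__":
    for raw, canon, vuln, fixed in bypass_report(roles=()):
        print(f"{raw:20} -> {canon:8} vulnerable allows anonymous: {vuln!s:5} "
              f"fixed allows anonymous: {fixed}")
```

Run with no roles: every variant canonicalises to /admin, the raw-string check lets all of them through, and the canonical check denies all of them. The same canonical form must be the one the dispatcher serves from; if the router normalises differently from the authorization layer, the gap reopens.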
CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-553 | A command shell is present in /cgi-bin/ or another externally accessible directory. This is extremely dangerous: an attacker can invoke it to execute commands on the web server.
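The following is an added example covering CWE-552 and CWE-553 together; it is not part of the CWE entries. It builds a constructed sample web root in a temporary directory and walks it, flagging shell binaries (by file name, following symlinks) in any served directory, and artifacts that should never be reachable through the web server such as .env, .git, dumps and backup copies. The name lists, the sample layout and the function names are assumptions for the illustration, not a complete catalogue.

```python
"""Added example for CWE-552 / CWE-553: audit a web root for exposed shells and files.

The sample docroot and the name lists are constructed for this illustration.
"""
import os
import tempfile

# Shell binaries that have no business being served from a web root (CWE-553).
SHELL_NAMES = {"sh", "bash", "dash", "ash", "ksh", "zsh", "csh", "tcsh",
               "busybox", "cmd.exe", "powershell.exe"}

# Artifacts that are sensitive whenever they are web-accessible (CWE-552).
SENSITIVE_NAMES = {".env", ".htpasswd", ".git", ".svn", "id_rsa"}
SENSITIVE_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".sql.gz", ".pem", ".key", "~")


def _effective_name(path: str) -> str:
    """File name after following a symlink, lower-cased, so that
    cgi-bin/debug.cgi -> /bin/bash is recognised as bash."""
    target = os.path.realpath(path) if os.path.islink(path) else path
    return os.path.basename(target).lower()


def audit_webroot(docroot: str):
    """Return sorted (cwe_id, relative_path) findings for everything under docroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        # A .git or .svn directory is a finding on its own; do not descend into it.
        for d in list(dirnames):
            if d in SENSITIVE_NAMES:
                findings.append(("CWE-552", os.path.relpath(os.path.join(dirpath, d), docroot)))
                dirnames.remove(d)
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, docroot)
            if _effective_name(full) in SHELL_NAMES:
                findings.append(("CWE-553", rel))
            elif f in SENSITIVE_NAMES or f.endswith(SENSITIVE_SUFFIXES):
                findings.append(("CWE-552", rel))
    return sorted(findings)


def build_sample_docroot() -> str:
    """Create a constructed sample web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.html": "<html>hello</html>",
        "cgi-bin/hello.cgi": "#!/usr/bin/perl\nprint 'Content-Type: text/plain', \"\\n\\n\", 'hi';\n",
        "cgi-bin/sh": "\x7fELF stand-in for a copied shell binary",
        ".env": "DB_PASSWORD=constructed-secret",
        "backup/site.sql": "-- constructed dump",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    try:  # symlinked shell; skipped silently where symlinks are unavailable
        os.symlink("/bin/bash", os.path.join(root, "cgi-bin", "debug.cgi"))
    except (OSError, NotImplementedError):
        pass
    return root


if __name__ == "__main__":
    for cwe, rel in audit_webroot(build_sample_docroot()):
        print(f"{cwe}  {rel}")
```

Name matching is a first pass only; a renamed copy of a shell would need content inspection (ELF/PE header plus symbol or string checks) to catch, and the cleaner control is that the served directories contain nothing executable that was not deliberately deployed.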
CWE-554 | The ASP.NET application does not use an input validation framework.
CWE-555 | The J2EE application stores a plaintext password in a configuration file.
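The following is an added example, not part of the CWE entry: a small scanner for the two places a J2EE deployment commonly puts a password in XML, a Tomcat-style Resource element with a password attribute and a web.xml context-param or env-entry name/value pair. A value is reported when its name looks like a credential and the value is a literal rather than an externalised placeholder of the form ${...}. The sample documents are constructed, the report never copies the value itself, and the placeholder convention and name patterns are assumptions made for the illustration.

```python
"""Added example for CWE-555: find plaintext passwords in J2EE XML configuration.

The sample XML documents and the ${...} placeholder convention are constructed
assumptions for this illustration.
"""
import re
import xml.etree.ElementTree as ET

SECRET_NAME = re.compile(r"(password|passwd|pwd|secret)", re.IGNORECASE)
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")  # e.g. ${jdbc.password}
NAME_VALUE_PAIRS = (("param-name", "param-value"), ("env-entry-name", "env-entry-value"))


def _strip_namespaces(root):
    """web.xml uses a default namespace; drop it so child lookups by tag work."""
    for elem in root.iter():
        if isinstance(elem.tag, str) and "}" in elem.tag:
            elem.tag = elem.tag.split("}", 1)[1]


def _is_literal(value: str) -> bool:
    """Non-empty and not an externalised placeholder."""
    return bool(value) and PLACEHOLDER.match(value) is None


def find_plaintext_passwords(xml_text: str, source: str):
    """Return (source, location) pairs; the secret value is never included."""
    root = ET.fromstring(xml_text)
    _strip_namespaces(root)
    findings = []
    for elem in root.iter():
        # Attribute style: <Resource ... password="..."/>
        for attr, value in elem.attrib.items():
            if SECRET_NAME.search(attr) and _is_literal(value):
                findings.append((source, f"<{elem.tag} {attr}>"))
        # web.xml style: <context-param><param-name>x</param-name><param-value>y</param-value>
        for name_tag, value_tag in NAME_VALUE_PAIRS:
            name_el = elem.find(name_tag)
            value_el = elem.find(value_tag)
            if name_el is None or value_el is None:
                continue
            name = (name_el.text or "").strip()
            value = (value_el.text or "").strip()
            if SECRET_NAME.search(name) and _is_literal(value):
                findings.append((source, f"<{elem.tag}>{name}"))
    return findings


# Constructed samples.
CONTEXT_XML_BAD = """<Context>
  <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
            username="app" password="constructed-plaintext"
            url="jdbc:postgresql://db.example.internal/app"/>
</Context>"""

CONTEXT_XML_FIXED = CONTEXT_XML_BAD.replace('password="constructed-plaintext"',
                                            'password="${jdbc.password}"')

WEB_XML_BAD = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <context-param>
    <param-name>smtp.password</param-name>
    <param-value>constructed-plaintext</param-value>
  </context-param>
  <context-param>
    <param-name>smtp.host</param-name>
    <param-value>mail.example.internal</param-value>
  </context-param>
</web-app>"""

SAMPLES = {"context.xml": CONTEXT_XML_BAD, "context.fixed.xml": CONTEXT_XML_FIXED,
           "web.xml": WEB_XML_BAD}


def scan_samples():
    """Scan every constructed sample and return the combined findings."""
    results = []
    for source, text in SAMPLES.items():
        results.extend(find_plaintext_passwords(text, source))
    return results


if __name__ == "__main__":
    for source, location in scan_samples():
        print(f"{source}: plaintext credential at {location}")
```

The fixed context.xml produces no finding because the value is a placeholder resolved at startup from the environment or a secrets store; the scanner deliberately does not try to judge whether the resolved value is strong, only whether it is sitting in the file.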