| CWE ID | Description |
| --- | --- |
| CWE-603 | A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. |
| CWE-605 | When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. |
| CWE-606 | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. |
| CWE-607 | A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. |
| CWE-608 | An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. |
| CWE-609 | The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. |
| CWE-61 | The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. |
| CWE-610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CWE-611 | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| CWE-612 | The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. |