| CWE-863 |
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. |
| CWE-87 |
The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
| CWE-88 |
The software constructs a string for a command to executed by a separate component
in another control sphere, but it does not properly delimit the
intended arguments, options, or switches within that command string. |
| CWE-89 |
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. |
| CWE-9 |
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system. |
| CWE-90 |
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
| CWE-908 |
The software uses or accesses a resource that has not been initialized. |
| CWE-909 |
The software does not initialize a critical resource. |
| CWE-91 |
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| CWE-910 |
The software uses or accesses a file descriptor after it has been closed. |
