Improper Neutralization of Expression/Command Delimiters
9
Variant
-
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
Improper Access Control for Volatile Memory Containing Boot Code
9
Base
-
The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.
Use of Non-Canonical URL Paths for Authorization Decisions
9
Variant
High
The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
Incomplete Identification of Uploaded File Variables (PHP)
9
Variant
-
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
Authorization Bypass Through User-Controlled SQL Primary Key
8
Variant
-
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
Assumed-Immutable Data is Stored in Writable Memory
8
Base
-
Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
Missing Release of File Descriptor or Handle after Effective Lifetime
7
Variant
-
The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.
The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.