Created
November 9, 2019 09:30
Lopseg created this gist Nov 9, 2019
@@ -0,0 +1,154 @@ Account Hijacking Allocation of Resources Without Limits or Throttling - CWE-770 Array Index Underflow - CWE-129 Authentication Bypass Using an Alternate Path or Channel - CWE-288 Brute Force - CWE-307 Buffer Over-read - CWE-126 Buffer Underflow - CWE-124 Buffer Under-read - CWE-127 Business Logic Errors - CWE-840 Classic Buffer Overflow - CWE-120 Cleartext Storage of Sensitive Information - CWE-312 Cleartext Transmission of Sensitive Information - CWE-319 Client-Side Enforcement of Server-Side Security - CWE-602 Code Injection - CWE-94 Command Injection - Generic - CWE-77 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - CWE-362 CRLF Injection - CWE-93 Cross-Site Request Forgery (CSRF) - CWE-352 Cross-site Scripting (XSS) - DOM - CWE-79 Cross-site Scripting (XSS) - Generic - CWE-79 Cross-site Scripting (XSS) - Reflected - CWE-79 Cross-site Scripting (XSS) - Stored - CWE-79 Cryptographic Issues - Generic - CWE-310 Denial of Service- CWE-400 Deserialization of Untrusted Data - CWE-502 Double Free - CWE-415 Download of Code Without Integrity Check - CWE-494 Embedded Malicious Code - CWE-506 Execution with Unnecessary Privileges - CWE-250 Exposed Dangerous Method or Function - CWE-749 External Control of Critical State Data - CWE-642 Externally Controlled Reference to a Resource in Another Sphere - CWE-610 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - CWE-75 File and Directory Information Exposure - CWE-538 Forced Browsing - CWE-425 Fraud Heap Overflow - CWE-122 HTTP Request Smuggling - CWE-444 HTTP Response Splitting - CWE-113 Improper Access Control - Generic - CWE-284 Improper Authentication Improper Authentication - Generic - CWE-287 Improper Authorization - CWE-285 Improper Certificate Validation - CWE-295 Improper Check or Handling of Exceptional Conditions - CWE-703 Improper Export of Android Application Components - CWE-926 Improper Following of a 
Certificate's Chain of Trust - CWE-296 Improper Handling of Highly Compressed Data (Data Amplification) - CWE-409 Improper Handling of Insufficient Permissions or Privileges - CWE-280 Improper Handling of URL Encoding (Hex Encoding) - CWE-177 Improper Export of Android Application Components - CWE-926 Improper Following of a Certificate's Chain of Trust - CWE-296 Improper Handling of Highly Compressed Data (Data Amplification) - CWE-409 Improper Handling of Insufficient Permissions or Privileges - CWE-280 Improper Handling of URL Encoding (Hex Encoding) - CWE-177 Improper Input Validation - CWE-20 Improper Neutralization of Escape, Meta, or Control Sequences - CWE-150 Improper Neutralization of HTTP Headers for Scripting Syntax - CWE-644 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CWE-80 Improper Null Termination - CWE-170 Improper Privilege Management - CWE-269 Inadequate Encryption Strength - CWE-326 Inclusion of Functionality from Untrusted Control Sphere - CWE-829 Incomplete Blacklist - CWE-184 Incorrect Authorization - CWE-863 Incorrect Calculation of Buffer Size - CWE-131 Incorrect Comparison - CWE-697 Incorrect Permission Assignment for Critical Resource - CWE-732 Information Disclosure - CWE-200 Information Exposure Through an Error Message - CWE-209 Information Exposure Through Debug Information - CWE-215 Information Exposure Through Directory Listing - CWE-548 Information Exposure Through Discrepancy - CWE-203 Information Exposure Through Sent Data - CWE-201 Information Exposure Through Timing Discrepancy - CWE-208 Insecure Direct Object Reference (IDOR) - CWE-639 Insecure Storage of Sensitive Information - CWE-922 Insecure Temporary File - CWE-377 Insufficient Session Expiration - CWE-613 Insufficiently Protected Credentials - CWE-522 Integer Overflow - CWE-190 Integer Underflow - CWE-191 Key Exchange without Entity Authentication - CWE-322 LDAP Injection - CWE-90 Leftover Debug Code (Backdoor) - CWE-489 Malware - 
CAPEC-549 Man-in-the-Middle - CWE-300 Memory Corruption - Generic - CWE-119 Misconfiguration - CWE-16 Missing Authentication for Critical Function - CWE-306 Missing Authorization - CWE-862 Missing Encryption of Sensitive Data - CWE-311 Missing Required Cryptographic Step - CWE-325 Modification of Assumed-Immutable Data (MAID) - CWE-471 NULL Pointer Dereference - CWE-476 Off-by-one Error - CWE-193 Open Redirect - CWE-601 OS Command Injection - CWE-78 Out-of-bounds Read - CWE-125 Password in Configuration File - CWE-260 Path Traversal - CWE-22 Path Traversal - CWE-35 Phishing - CAPEC-98 Plaintext Storage of a Password - CWE-256 Privacy Violation - CWE-359 Privilege Escalation - CAPEC-233 Relative Path Traversal - CWE-23 Reliance on Cookies without Validation and Integrity Checking in a Security Decision - CWE-784 Reliance on Reverse DNS Resolution for a Security-Critical Action - CWE-350 Reliance on Untrusted Inputs in a Security Decision - CWE-807 Remote File Inclusion - CWE-98 Replicating Malicious Code (Virus or Worm) - CWE-509 Resource Injection - CWE-99 Reusing a Nonce, Key Pair in Encryption - CWE-323 Reversible One-Way Hash - CWE-328 Scams Security Through Obscurity - CWE-656 Server-Side Request Forgery (SSRF) - CWE-918 Session Fixation - CWE-384 Spam SQL Injection - CWE-89 Stack Overflow - CWE-121 Storing Passwords in a Recoverable Format - CWE-257 Time-of-check Time-of-use (TOCTOU) Race Condition - CWE-367 Trust of System Event Data - CWE-360 Type Confusion - CWE-843 UI Redressing (Clickjacking) - CAPEC-103 Unchecked Error Condition - CWE-391 Uncontrolled Recursion - CWE-674 Unprotected Transport of Credentials - CWE-523 Unrestricted Upload of File with Dangerous Type - CWE-434 Untrusted Search Path - CWE-426 Unverified Password Change - CWE-620 Use After Free - CWE-416 Use of a Broken or Risky Cryptographic Algorithm - CWE-327 Use of a Key Past its Expiration Date - CWE-324 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CWE-338 Use of 
Externally-Controlled Format String - CWE-134 Use of Hard-coded Credentials - CWE-798 Use of Hard-coded Cryptographic Key - CWE-321 Use of Hard-coded Password - CWE-259 Use of Inherently Dangerous Function - CWE-242 Use of Insufficiently Random Values - CWE-330 User Interface (UI) Misrepresentation of Critical Information - CWE-451 Violation of Secure Design Principles - CWE-657 Weak Cryptography for Passwords - CWE-261 Weak Password Recovery Mechanism for Forgotten Password - CWE-640 Wrap-around Error - CWE-128 Write-what-where Condition - CWE-123 XML Entity Expansion - CWE-776 XML External Entities (XXE) - CWE-611 XML Injection - CWE-91 XSS - Reflected XSS Using MIME Type Mismatch - CAPEC-209
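Review bot: five entries are added twice, with the second copy starting at the repeated "Improper Export of Android Application Components - CWE-926" and running through "Improper Handling of URL Encoding (Hex Encoding) - CWE-177" (CWE-926, CWE-296, CWE-409, CWE-280, CWE-177); drop the second copy. Two further entries duplicate earlier ones without an identifier: "Improper Authentication" sits directly before "Improper Authentication - Generic - CWE-287", and the trailing "XSS - Reflected" repeats "Cross-site Scripting (XSS) - Reflected - CWE-79". "Denial of Service- CWE-400" lacks the space before the separator, so any consumer splitting rows on " - " will misparse it; write it as "Denial of Service - CWE-400". "Path Traversal" is listed under both CWE-22 and CWE-35 with an identical name, so a name-keyed lookup is ambiguous; give the CWE-35 row its distinguishing title. "Account Hijacking", "Fraud", "Scams" and "Spam" carry no identifier at all; if that is intentional, state the convention in the gist description so parsers do not treat those rows as malformed.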