Skip to main content

Overview

This reference provides detailed information about each impact category, including which CWEs (Common Weakness Enumeration) map to each impact. Use this to understand what types of vulnerabilities fall under each impact category. For a high-level overview of impacts, see Impacts.

Impact details

Execute arbitrary code or commands.Associated CWEs:
CWEDescription
CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-94Improper Control of Generation of Code (‘Code Injection’)
CWE-95Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
CWE-98Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
CWE-190Integer Overflow or Wraparound
CWE-470Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
CWE-489Active Debug Code
CWE-502Deserialization of Untrusted Data
CWE-611Improper Restriction of XML External Entity Reference
CWE-913Improper Control of Dynamically-Managed Code Resources
CWE-917Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
Authenticate as another user or hijack sessions.Associated CWEs:
CWEDescription
CWE-352Cross-Site Request Forgery (CSRF)
CWE-598Use of GET Request Method With Sensitive Query Strings
CWE-613Insufficient Session Expiration
Bypass authorization or escalate privileges.Associated CWEs:
CWEDescription
CWE-20Improper Input Validation
CWE-90Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
CWE-287Improper Authentication
CWE-352Cross-Site Request Forgery (CSRF)
CWE-601URL Redirection to Untrusted Site (‘Open Redirect’)
CWE-918Server-Side Request Forgery (SSRF)
Extract credentials or keys for reuse.Associated CWEs:
CWEDescription
CWE-200Exposure of Sensitive Information to an Unauthorized Actor
CWE-321Use of Hard-coded Cryptographic Key
CWE-798Use of Hard-coded Credentials
Read or manipulate structured data.Associated CWEs:
CWEDescription
CWE-15External Control of System or Configuration Setting
CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-90Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
CWE-346Origin Validation Error
CWE-611Improper Restriction of XML External Entity Reference
CWE-643Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
CWE-918Server-Side Request Forgery (SSRF)
Read or modify files or paths.Associated CWEs:
CWEDescription
CWE-20Improper Input Validation
CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-73External Control of File Name or Path
CWE-502Deserialization of Untrusted Data
CWE-548Exposure of Information Through Directory Listing
CWE-552Files or Directories Accessible to External Parties
CWE-611Improper Restriction of XML External Entity Reference (‘XML External Entity (XXE)‘)
CWE-918Server-Side Request Forgery (SSRF)
Observe or alter data in transit.Associated CWEs:
CWEDescription
CWE-295Improper Certificate Validation
CWE-319Cleartext Transmission of Sensitive Information
CWE-322Key Exchange without Entity Authentication
CWE-326Inadequate Encryption Strength
CWE-327Use of a Broken or Risky Cryptographic Algorithm
CWE-614Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
CWE-780Use of RSA Algorithm without OAEP
Sensitive data at rest is not adequately protected.Associated CWEs:
CWEDescription
CWE-310Cryptographic Issues
CWE-312Cleartext Storage of Sensitive Information
CWE-326Inadequate Encryption Strength
CWE-327Use of a Broken or Risky Cryptographic Algorithm
CWE-328Use of Weak Hash
CWE-329Generation of Predictable IV with CBC Mode
CWE-780Use of RSA Algorithm without OAEP
CWE-916Use of Password Hash With Insufficient Computational Effort
CWE-1004Sensitive Cookie Without ‘HttpOnly’ Flag
CWE-1240Use of a Cryptographic Primitive with a Risky Implementation
Predict or undermine cryptographic controls.Associated CWEs:
CWEDescription
CWE-330Use of Insufficiently Random Values
CWE-338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-347Improper Verification of Cryptographic Signature
Target end users.Associated CWEs:
CWEDescription
CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-116Improper Encoding or Escaping of Output
CWE-346Origin Validation Error
CWE-352Cross-Site Request Forgery (CSRF)
CWE-554ASP.NET Misconfiguration: Not Using Input Validation Framework
CWE-601URL Redirection to Untrusted Site (‘Open Redirect’)
CWE-693Protection Mechanism Failure
CWE-918Server-Side Request Forgery (SSRF)
CWE-942Permissive Cross-domain Policy with Untrusted Domains
CWE-1004Sensitive Cookie Without ‘HttpOnly’ Flag
CWE-1275Sensitive Cookie with Improper SameSite Attribute
Learn internal state or configuration.Associated CWEs:
CWEDescription
CWE-11ASP.NET Misconfiguration: Creating Debug Binary
CWE-200Exposure of Sensitive Information to an Unauthorized Actor
CWE-209Generation of Error Message Containing Sensitive Information
CWE-489Active Debug Code
CWE-915Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-1323Improper Management of Sensitive Trace Data
Avoid logging or monitoring.Associated CWEs:
CWEDescription
CWE-93Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
Exhaust resources or reduce availability.Associated CWEs:
CWEDescription
CWE-400Uncontrolled Resource Consumption
CWE-409Improper Handling of Highly Compressed Data (Data Amplification)
CWE-502Deserialization of Untrusted Data
CWE-611Improper Restriction of XML External Entity Reference
CWE-1333Inefficient Regular Expression Complexity