Category: Comprehensive Categorization: Insufficient Verification of Data Authenticity
Incomplete
Summary
Weaknesses in this category are related to insufficient verification of data authenticity.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1293 | Missing Source Correlation of Multiple Independent Data | The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source. |
| CWE-1385 | Missing Origin Validation in WebSockets | The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. |
| CWE-345 | Insufficient Verification of Data Authenticity | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| CWE-346 | Origin Validation Error | The product does not properly verify that the source of data or communication is valid. |
| CWE-348 | Use of Less Trusted Source | The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. |
| CWE-351 | Insufficient Type Distinction | The product does not properly distinguish between different types of elements in a way that leads to insecure behavior. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-353 | Missing Support for Integrity Check | The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. |
| CWE-354 | Improper Validation of Integrity Check Value | The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. |
| CWE-360 | Trust of System Event Data | Security based on event locations are insecure and can be spoofed. |
| CWE-494 | Download of Code Without Integrity Check | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
| CWE-616 | Incomplete Identification of Uploaded File Variables (PHP) | The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.