This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

| ID | Name | Description |
|---|---|---|
| CWE-15 | External Control of System or Configuration Setting | One or more system settings or configuration elements can be externally controlled by a user. |
| CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. |
| CWE-496 | Public Data Assigned to Private Array-Typed Field | Assigning public data to a private array is equivalent to giving public access to the array. |
| CWE-502 | Deserialization of Untrusted Data | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. |
| CWE-606 | Unchecked Input for Loop Condition | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. |
| CWE-616 | Incomplete Identification of Uploaded File Variables (PHP) | The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |