CWEs that violate the 2020 CWE Top 25 standard
This table lists all the CWEs that may cause an application to not pass a policy that includes the 2020 CWE Top 25 policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity |
|---|---|---|---|---|
| 20 | Improper Input Validation | X | 0 - Informational | |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium |
| 23 | Relative Path Traversal | |||
| 73 | External Control of File Name or Path | X | 3 - Medium | |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 81 | Improper Neutralization of Script in an Error Message Web Page | |||
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | 3 - Medium | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | 3 - Medium | |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X | 3 - Medium | |
| 91 | XML Injection (aka Blind XPath Injection) | X | X | 3 - Medium |
| 94 | Improper Control of Generation of Code (Code Injection) | X | 3 - Medium | |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | X | 5 - Very High |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) | X | X | 4 - High |
| 100 | DEPRECATED: Technology-Specific Input Validation Problems | |||
| 103 | Struts: Incomplete validate() Method Definition | X | 3 - Medium | |
| 104 | Struts: Form Bean Does Not Extend Validation Class | X | 3 - Medium | |
| 112 | Missing XML Validation | X | 3 - Medium | |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | |||
| 120 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | |||
| 121 | Stack-based Buffer Overflow | X | 5 - Very High | |
| 125 | Out-of-bounds Read | X | 3 - Medium | |
| 131 | Incorrect Calculation of Buffer Size | |||
| 135 | Incorrect Calculation of Multi-Byte String Length | X | 5 - Very High | |
| 185 | Incorrect Regular Expression | X | 2 - Low | |
| 190 | Integer Overflow or Wraparound | X | 5 - Very High | |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | X | X | 2 - Low |
| 201 | Insertion of Sensitive Information Into Sent Data | X | 2 - Low | |
| 209 | Generation of Error Message Containing Sensitive Information | X | X | 2 - Low |
| 215 | Insertion of Sensitive Information Into Debugging Code | X | X | 2 - Low |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 269 | Improper Privilege Management | |||
| 272 | Least Privilege Violation | X | 3 - Medium | |
| 274 | Improper Handling of Insufficient Privileges | X | 0 - Informational | |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 287 | Improper Authentication | X | X | 4 - High |
| 306 | Missing Authentication for Critical Function | |||
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 346 | Origin Validation Error | X | 3 - Medium | |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | 3 - Medium | |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | X | 2 - Low | |
| 400 | Uncontrolled Resource Consumption | |||
| 416 | Use After Free | X | 2 - Low | |
| 434 | Unrestricted Upload of File with Dangerous Type | X | 4 - High | |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X | 3 - Medium | |
| 476 | NULL Pointer Dereference | |||
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | X | 2 - Low | |
| 498 | Cloneable Class Containing Sensitive Information | |||
| 502 | Deserialization of Untrusted Data | X | 3 - Medium | |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
| 526 | Exposure of Sensitive Information Through Environmental Variables | X | 2 - Low | |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | X | 2 - Low | |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | X | 0 - Informational | |
| 548 | Exposure of Information Through Directory Listing | X | 2 - Low | |
| 564 | SQL Injection: Hibernate | X | 4 - High | |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | 3 - Medium | |
| 601 | URL Redirection to Untrusted Site (Open Redirect) | X | X | 3 - Medium |
| 611 | Improper Restriction of XML External Entity Reference | X | X | 3 - Medium |
| 615 | Inclusion of Sensitive Information in Source Code Comments | X | X | 0 - Informational |
| 618 | Exposed Unsafe ActiveX Method | X | 5 - Very High | |
| 639 | Authorization Bypass Through User-Controlled Key | X | 4 - High | |
| 665 | Improper Initialization | X | 2 - Low | |
| 693 | Protection Mechanism Failure | X | X | 3 - Medium |
| 708 | Incorrect Ownership Assignment | X | 4 - High | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | 3 - Medium | |
| 787 | Out-of-bounds Write | X | 3 - Medium | |
| 798 | Use of Hard-coded Credentials | X | 3 - Medium | |
| 830 | Inclusion of Web Functionality from an Untrusted Source | X | 2 - Low | |
| 862 | Missing Authorization | |||
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X | 3 - Medium | |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X | X | 3 - Medium |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X | 2 - Low |