The Common Weakness Enumeration (CWE), a community-maintained catalog of software weakness types, has published an updated list of the most dangerous software errors, aimed at software developers, designers, and security professionals who need to decide which classes of flaw to address first.
The list was compiled by the CWE team with support from the US Department of Homeland Security. It ranks the 25 most dangerous software weaknesses; the entries below are listed as they appear on this page, each with its CWE identifier, name, and calculated score.
The updated list is the first revision in eight years.
| CWE ID | Weakness | Score |
|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69 |
| CWE-20 | Improper Input Validation | 43.61 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54 |
| CWE-416 | Use After Free | 17.94 |
| CWE-190 | Integer Overflow or Wraparound | 17.35 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10 |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 11.47 |
| CWE-476 | NULL Pointer Dereference | 9.74 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50 |
| CWE-611 | Improper Restriction of XML External Entity Reference | 5.48 |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | 5.36 |
| CWE-798 | Use of Hard-coded Credentials | 5.12 |
| CWE-400 | Uncontrolled Resource Consumption | 5.04 |
| CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04 |
| CWE-426 | Untrusted Search Path | 4.40 |
| CWE-502 | Deserialization of Untrusted Data | 4.30 |
| CWE-269 | Improper Privilege Management | 4.23 |
| CWE-295 | Improper Certificate Validation | 4.06 |
The CWE team ranked the entries with a data-driven scoring formula rather than by expert vote: each weakness is scored by how often it is recorded as the root cause of publicly reported vulnerabilities in the National Vulnerability Database, combined with the average severity of those vulnerabilities. The score is therefore a relative measure of prevalence and impact, not a count of vulnerabilities. CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer, received the highest calculated score, 75.56.
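The article does not reproduce the formula itself. The following is an added illustration, not the CWE team's own code: it assumes the approach described in the published 2019 methodology, in which each CWE's CVE count and average CVSS base score are min-max normalized across all CWEs, multiplied, and scaled to 0..100. The CVE records are constructed sample data (the `SAMPLE-` identifiers are placeholders, not real CVEs), so the resulting scores are only meant to show how the ranking behaves.

```python
"""Ranking CWE entries by normalized frequency times normalized severity.

Added illustration, not the CWE team's code. It assumes the scoring approach
described in the published 2019 CWE Top 25 methodology: for each CWE, count
the CVEs mapped to it and average their CVSS base scores, min-max normalize
both values across all CWEs, multiply, and scale to 0..100. The CVE records
below are constructed sample data, not real NVD entries.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (placeholder CVE id, root-cause CWE, CVSS base score).
# These are not real CVEs; they exist only to exercise the scoring code.
SAMPLE_CVES = [
    ("SAMPLE-0001", "CWE-119", 9.8),
    ("SAMPLE-0002", "CWE-119", 7.8),
    ("SAMPLE-0003", "CWE-119", 8.8),
    ("SAMPLE-0004", "CWE-119", 7.6),
    ("SAMPLE-0005", "CWE-79", 6.1),
    ("SAMPLE-0006", "CWE-79", 6.1),
    ("SAMPLE-0007", "CWE-79", 6.1),
    ("SAMPLE-0008", "CWE-79", 6.1),
    ("SAMPLE-0009", "CWE-79", 6.1),
    ("SAMPLE-0010", "CWE-79", 6.1),
    ("SAMPLE-0011", "CWE-89", 9.8),
    ("SAMPLE-0012", "CWE-89", 9.8),
    ("SAMPLE-0013", "CWE-798", 7.5),
]


def aggregate(cves):
    """Return (count per CWE, average CVSS per CWE) for a list of records."""
    counts = defaultdict(int)
    severities = defaultdict(list)
    for _cve_id, cwe, cvss in cves:
        counts[cwe] += 1
        severities[cwe].append(cvss)
    return dict(counts), {cwe: mean(s) for cwe, s in severities.items()}


def min_max_normalize(values):
    """Scale a dict of numbers to 0..1 so the smallest maps to 0 and the largest to 1.

    If every value is identical there is no spread to normalize, so each
    entry gets 1.0 rather than dividing by zero.
    """
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {k: 1.0 for k in values}
    return {k: (v - lo) / (hi - lo) for k, v in values.items()}


def score_cwes(cves):
    """Score each CWE as normalized frequency * normalized severity * 100."""
    counts, avg_severity = aggregate(cves)
    freq = min_max_normalize(counts)
    sev = min_max_normalize(avg_severity)
    return {cwe: round(freq[cwe] * sev[cwe] * 100, 2) for cwe in counts}


def rank_cwes(cves):
    """Return (cwe, score) pairs ordered from highest score to lowest."""
    scores = score_cwes(cves)
    # Sort by score descending, then by CWE id so ties come out in a stable order.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for cwe, score in rank_cwes(SAMPLE_CVES):
        print(f"{cwe:<8} {score:6.2f}")
```

With this sample data CWE-119 leads at 38.92 because it is both frequent and fairly severe, even though CWE-89 has the higher average CVSS. The min-max step also has a side effect worth knowing when reading any list built this way: the least frequent weakness (CWE-798 here) and the least severe one (CWE-79 here) both score exactly 0 regardless of their other dimension, so a weakness that is common but consistently low-severity, or severe but rarely reported, can fall to the bottom of the ranking.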