Access control decisions must be based on the authenticated user identity and trusted server-side information. Do not allow direct references to files or parameters that can be manipulated to grant excessive access, and don't use direct object references for access control checks. The two typical failures are permitting viewing or editing someone else's account by providing its unique identifier (insecure direct object references) and accessing an API with missing access controls for POST, PUT and DELETE. A related rule from the same checklist: don't use unvalidated forwards or redirects.

The weakness is CWE-639: Insecure Direct Object Reference. The .NET mapping quoted here lists it alongside CWE-80: Cross-Site Scripting, CWE-89: SQL Injection, CWE-117: Improper Output Sanitization for Logs, CWE-209: Information Exposure Through an Error Message and CWE-601: Open Redirects; a second list adds CWE-73: External Control of File Name or Path and CWE-78: OS Command Injection. Other access-control entries referenced: CWE-284: Improper Access Control, CWE-862: Missing Authorization, CWE-863: Incorrect Authorization, CWE-706: Use of Incorrectly-Resolved Name or Reference, CWE-425: Direct Request ('Forced Browsing'), CWE-272: Least Privilege Violation and CWE-250: Execution with Unnecessary Privileges. Also cited are CWE-326: Inadequate Encryption Strength and CWE-1188: Insecure Default Initialization of Resource ("The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure"). From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or an out-of-bounds read.

A CWE entry's MemberOf Relationships table shows additional Categories and Views that reference the weakness as a member. A Category is a CWE entry that contains a set of other entries that share a common characteristic; a View is a subset of CWE entries that provides a way of examining CWE content. Categories and views quoted on this page:
- OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
- 731: OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
- OWASP Top Ten 2017 Category A8 - Insecure Deserialization
- 751: 2009 Top 25 - Insecure Interaction Between Components
- 864: 2011 Top 25 - Insecure Interaction Between Components
- 744: CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV)
- 1148: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)

Vulnerability descriptions collected on the page:
- CVE-2022-42344: Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
- Online Birth Certificate Management System version 1.0 suffers from an Insecure Direct Object Reference (IDOR) vulnerability.
- SolarWinds Platform 2022.3 and previous: users with Node Management rights were able to view and edit all nodes due to insufficient control on a URL parameter, an insecure direct object reference (IDOR).
- Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which leads to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. A low-privileged user can initiate a repair of the system and gain a SYSTEM-level shell.
- In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag, which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.
- jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution: if an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype (Publish Date: 2019-04-20; Last Update Date: 2022-04-06).
- A further prototype pollution entry: the component does not properly control modifications of attributes of the object prototype; exploitation could be triggered via the parse function.
- The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression in the re_attr variable of index.js.

Vulnerability database rows quoted alongside: CVE-2022-40298 (2022-09-23, CVSS not yet calculated, MISC references); CVE-2022-21222 (2022-09-30, CVSS 7.5, CONFIRM references); CVE-2022-38054 (CWE-384, 2022-09-02); CVE-2022-42067, listed as a disclosure identifier without further details on this page.

Other material the page pulls in: the OWASP Top 10 is the reference standard for the most critical web application security risks, and adopting it is perhaps the most effective first step towards changing a software development culture to one focused on producing secure code. XML eXternal Entity injection (XXE), part of the OWASP Top 10 via point A4, is a type of attack against an application that parses XML input; the issue is referenced under ID 611 in the Common Weakness Enumeration. This attack occurs when untrusted XML input containing a reference

An access control list (ACL) represents who or what has permissions to a given object; different operating systems implement ACLs in different ways. A buffer overflow, or buffer overrun, is a common software coding mistake that an attacker could exploit to gain access to your system. To effectively mitigate buffer overflow vulnerabilities, it is important to understand what buffer overflows are, what dangers they pose to your applications, and

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different.

FREEWILL (a use-after-free root-cause analysis tool): it identifies the UAF object and related references, then compares reference operations with its model to detect reference miscounting. Evaluated on 76 real-world UAF bugs, it confirmed reference miscounting as the root cause for 48 bugs and dangling usage for 18 bugs.
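The IDOR pattern behind the `V1/customers/me` and SolarWinds node entries above is the same: an endpoint whose object is already determined by the session still honours a client-supplied identifier, and a second endpoint that legitimately takes an identifier never checks that the caller may touch that object. The following is an added example written for this page, not code from Adobe Commerce, SolarWinds or any other project mentioned here. It puts the vulnerable handler beside the hardened one, adds the ownership and field allow-list checks for an id-taking update endpoint, and shows the per-session indirect reference map that OWASP recommends when direct ids cannot be avoided. The customer store, integer ids, role names and Session type are constructed assumptions for the demo.

```python
"""Added example (not code from Adobe Commerce, SolarWinds or any project on
this page): an IDOR-prone 'current customer' handler beside a hardened one,
plus an object-level authorization check and a per-session indirect reference
map. The store, ids, roles and session model are constructed for the demo."""
from dataclasses import dataclass
import secrets

# Constructed sample data: customer id -> record. Assumption: integer ids.
CUSTOMERS = {
    1:   {"email": "admin@example.test", "role": "admin"},
    101: {"email": "alice@example.test", "role": "customer"},
    102: {"email": "bob@example.test",   "role": "customer"},
}


@dataclass(frozen=True)
class Session:
    """Identity established server side at login; never taken from the request."""
    customer_id: int


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_me_insecure(session, params):
    """VULNERABLE pattern: a 'me' endpoint that still honours a client-supplied
    customer_id, so any authenticated user can read any other account."""
    cid = int(params.get("customer_id", session.customer_id))
    return CUSTOMERS[cid]


def get_me_secure(session, params):
    """Hardened: the 'me' resource is defined solely by the authenticated
    identity. A client-supplied object id is not silently ignored (that hides
    probing) but rejected, so the attempt is visible in logs."""
    if "customer_id" in params:
        raise Forbidden("object id must not be supplied for /me")
    return CUSTOMERS[session.customer_id]


def update_customer_secure(session, target_id, patch):
    """Object-level authorization for an endpoint that legitimately takes an id:
    existence check, then ownership/role check against server-side state, then
    a field allow-list so the request cannot promote its own role."""
    record = CUSTOMERS.get(target_id)
    if record is None:
        raise NotFound(target_id)
    caller = CUSTOMERS[session.customer_id]
    if target_id != session.customer_id and caller["role"] != "admin":
        raise Forbidden("not owner and not admin")
    allowed = {"email"}                      # role is deliberately not writable
    record.update({k: v for k, v in patch.items() if k in allowed})
    return record


class IndirectRefMap:
    """Per-session indirect object references (the OWASP 'access reference map'
    pattern): clients only ever see random opaque tokens, the server maps them
    back to ids, and a token minted in one session resolves to nothing in another."""

    def __init__(self):
        self._to_id = {}
        self._to_ref = {}

    def ref_for(self, obj_id):
        """Mint (or reuse) the opaque token this session may use for obj_id."""
        if obj_id not in self._to_ref:
            ref = secrets.token_urlsafe(16)
            self._to_ref[obj_id] = ref
            self._to_id[ref] = obj_id
        return self._to_ref[obj_id]

    def resolve(self, ref):
        """Unknown or foreign tokens are an authorization failure, not a lookup miss."""
        if ref not in self._to_id:
            raise Forbidden("unknown object reference")
        return self._to_id[ref]


def denied(fn, *args):
    """True if the call is refused with Forbidden or NotFound (used in the demo)."""
    try:
        fn(*args)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    alice = Session(101)
    # The IDOR: Alice reads Bob's record through the insecure handler...
    print(get_me_insecure(alice, {"customer_id": "102"})["email"])   # bob@example.test
    # ...and is refused by the hardened one.
    print(denied(get_me_secure, alice, {"customer_id": "102"}))        # True
```

Two design points worth keeping when porting this to a real framework: the secure `/me` handler rejects a supplied id rather than ignoring it, because a silently ignored parameter lets an attacker probe without leaving a trace, and the update handler checks existence before ownership so that it can return 404 for unknown ids and 403 for foreign ones consistently (if you prefer not to reveal existence, return 404 for both). The indirect reference map is per session, so a token captured from one user's responses is useless when replayed by another.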