Weaknesses in this category are related to insufficient verification of data authenticity.

| ID | Name | Description |
|---|---|---|
| CWE-1293 | Missing Source Correlation of Multiple Independent Data | This vulnerability occurs when a system trusts a single source of data without verification, making it impossible to detect if that source has been tampered with or compromised by an attacker. |
| CWE-1385 | Missing Origin Validation in WebSockets | This vulnerability occurs when a WebSocket connection is established without verifying the origin of incoming messages, allowing potentially malicious data from untrusted sources. |
| CWE-345 | Insufficient Verification of Data Authenticity | This vulnerability occurs when an application fails to properly check where data comes from or confirm its legitimacy, allowing untrusted or forged information to be processed as valid. |
| CWE-346 | Origin Validation Error | This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source. |
| CWE-348 | Use of Less Trusted Source | This vulnerability occurs when a system has access to multiple sources for the same critical data, but it chooses to rely on the less secure or less trustworthy one. This creates a security gap because the system ignores better-protected alternatives that offer stronger verification or are harder for attackers to compromise. |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | This vulnerability occurs when a system processes both trusted and untrusted data together, but fails to separate them. The application incorrectly treats all incoming data—including the untrusted portion—with the same level of trust as the legitimate data. |
| CWE-351 | Insufficient Type Distinction | This vulnerability occurs when an application fails to properly differentiate between different types of data or objects, leading to unintended and insecure behavior. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) happens when a web application cannot reliably tell if a user actually intended to submit a request, allowing an attacker to trick a user's browser into performing unwanted actions on their behalf. |
| CWE-353 | Missing Support for Integrity Check | This vulnerability occurs when a system uses a communication protocol that lacks built-in integrity verification, such as a checksum or cryptographic hash, to detect if data has been altered or corrupted during transmission. |
| CWE-354 | Improper Validation of Integrity Check Value | This vulnerability occurs when software fails to properly check the integrity of data by validating its checksum or hash value. Without this verification, the application cannot reliably detect if information has been altered, corrupted, or tampered with during storage or transmission. |
| CWE-360 | Trust of System Event Data | This vulnerability occurs when software blindly trusts system event data without verifying its source, allowing attackers to spoof events and manipulate application behavior. |
| CWE-494 | Download of Code Without Integrity Check | This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been tampered with. |
| CWE-616 | Incomplete Identification of Uploaded File Variables (PHP) | This vulnerability occurs in PHP applications that rely on the deprecated, auto-registered global variables for file uploads (like `$varname`, `$varname_size`). Because these variables are not properly validated, an attacker can overwrite them to trick the application into processing malicious or unauthorized files. |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | This vulnerability occurs when an application uses the name or extension of an uploaded file to decide how to handle it. Attackers can manipulate this by uploading files with deceptive names, causing the application to process them incorrectly and potentially dangerously. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | This vulnerability occurs when an application uses obfuscation or encryption to hide security-sensitive data (like tokens or parameters) but fails to verify whether that data has been altered. Without integrity checks, the system cannot detect if an attacker has tampered with these inputs. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | This vulnerability occurs when an application receives data over a network but fails to properly verify that the information wasn't altered in transit. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends | Parent CWE view that groups weaknesses into categories such as this one; it is a view, not a weakness itself. |