Category: 2009 Top 25 - Insecure Interaction Between Components
Obsolete
Summary
Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-116 | Improper Encoding or Escaping of Output | This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because the output's structure isn't preserved, an attacker can inject malicious instructions that the receiving component will execute. |
| CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) happens when a web application cannot reliably tell if a user actually intended to submit a request, allowing an attacker to trick a user's browser into performing unwanted actions on their behalf. |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | A race condition occurs when multiple processes or threads access a shared resource simultaneously without proper coordination, creating a timing window where the resource's state can be unexpectedly altered, leading to unpredictable behavior or security vulnerabilities. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system. |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | This vulnerability occurs when a web application fails to properly sanitize or encode user-supplied input before displaying it on a webpage viewed by other users. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an attacker to insert malicious SQL code that the database executes, potentially letting them view, modify, or delete sensitive data. |
| CWE-750 | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors | CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.