A number of vulnerabilities have been discovered in Phoenix Contact industrial solutions that allow unauthorized…
“These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working”, — write MITRE specialists.
Problems from this list have their own CWE identifiers (not to be confused with CVE) – Common Weakness Enumeration. CWEs differ from CVEs, in fact, the former are the forerunners of the latter, so CWEs directly result in vulnerabilities.
CWEs are divided into more than 600 categories, and this year the list was supplemented by CWEs, which combine very extensive classes of various problems, for example, CWE-20 (incorrect input verification), CWE-200 (information disclosure) and CWE-287 ( incorrect authentication).
Read also: IS Research: Small Business Does Not Update Critical Software
The top 10 problems identified by MITER specialists can be seen in the table below. Points were assigned to problems based on how often the CWE serves as a starting point for the actual vulnerability, as well as the severity of its potential exploitation.
Rank | ID | Name | Score |
[1] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75,56 |
[2] | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45,69 |
[3] | CWE-20 | Improper Input Validation | 43,61 |
[4] | CWE-200 | Information Exposure | 32,12 |
[5] | CWE-125 | Out-of-bounds Read | 26,53 |
[6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 24,54 |
[7] | CWE-416 | Use After Free | 17,94 |
[8] | CWE-190 | Integer Overflow or Wraparound | 17,35 |
[9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 15,54 |
[10] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14,1 |
[11] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 11,47 |
[12] | CWE-787 | Out-of-bounds Write | 11,08 |
[13] | CWE-287 | Improper Authentication | 10,78 |
[14] | CWE-476 | NULL Pointer Dereference | 9,74 |
[15] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6,33 |
[16] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5,5 |
[17] | CWE-611 | Improper Restriction of XML External Entity Reference | 5,48 |
[18] | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 5,36 |
[19] | CWE-798 | Use of Hard-coded Credentials | 5,12 |
[20] | CWE-400 | Uncontrolled Resource Consumption | 5,04 |
[21] | CWE-772 | Missing Release of Resource after Effective Lifetime | 5,04 |
[22] | CWE-426 | Untrusted Search Path | 4,4 |
[23] | CWE-502 | Deserialization of Untrusted Data | 4,3 |
[24] | CWE-269 | Improper Privilege Management | 4,23 |
[25] | CWE-296 | Improper Certificate Validation | 4,06 |
Compared to 2011, this year new problems make up about a third of the list. However, most of the threats that were relevant at that time, are still dangerous now.
News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…
Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…
News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…
Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…
News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…
Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…