An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
The software does not handle or incorrectly handles an exceptional condition.
The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly.
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Weaknesses in this category are related to improper handling of communication channels and access paths.
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.