An algorithm in a product has an inefficient worst-case
computational complexity that may be detrimental to system performance and can
be triggered by an attacker, typically using crafted manipulations that ensure
that the worst case is being reached.

The software prepares a structured message for communication
with another component, but encoding or escaping of the data is either missing
or done incorrectly. As a result, the intended structure of the message is not
preserved.

The software stores security-critical state information about
its users, or the software itself, in a location that is accessible to
unauthorized actors.

Weaknesses in this category can be used to access files outside
of a restricted directory (path traversal) or to perform operations on files
that would otherwise be restricted (path equivalence).