Knowledge Base - Issues

Our knowledge base provides a comprehensive collection of information on cyber security vulnerabilities.

/ Android Class Load Hijacking

Android Class Load Hijacking is a vulnerability that enables an attacker to gain control of a mobile application's runtime environment by exploiting the application's class loader. This vulnerability is identified in the Common Weakness Enumeration (CWE) directory as CWE-427 and is also described in the OWASP Testing Guide as a...

/ Android Class Loading Hijacking

Android Class Loading Hijacking (CWE-919) is a vulnerability that affects the authorization process in Android and mobile app development. It is a type of vulnerability in which an attacker is able to exploit an application's class loading procedure to inject malicious code into the application. This malicious code can then...

/ Backup File

Backup file is an authorization vulnerability that occurs when an application does not properly restrict access to backup files, such as database backups. This type of vulnerability allows an attacker to gain access to sensitive data, such as passwords and personal information, which can be used to gain further access...

/ Broadcast Receiver Dynamic Registration

Broadcast receiver dynamic registration is a type of authorization vulnerability that occurs in mobile applications and Android operating systems. This vulnerability occurs when an application registers a broadcast receiver dynamically, and does not properly control the intent filters (CWE-284). This can lead to an attacker sending a malicious intent to...

/ Bypassing Authorization Schema

Bypassing Authorization Schema is an authorization vulnerability that occurs in web and API applications. It is categorized under CWE-285 (Improper Authorization) in the Common Weakness Enumeration (CWE) directory. According to the Open Web Application Security Project (OWASP) Testing Guide, this type of attack occurs when an attacker manages to access...

/ Call to Dynamic Code Loading API

Call to dynamic code loading API is a type of authorization vulnerability that affects Android, iOS and Mobile Apps. This vulnerability allows attackers to bypass authentication measures, such as user accounts, by loading code into the application dynamically. This type of attack is classified as CWE-285 (Improper Authorization) according to...

/ Continuous Collection of GPS Location

Continuous collection of GPS location is a vulnerability affecting mobile app security. It occurs when an app collects user location data over a period of time without user consent or knowledge. This type of data collection can lead to privacy and security risks as it can give an attacker access...

/ Cross-Domain Referer Leakage

Cross-domain Referer leakage is an authorization vulnerability that occurs when web applications fail to properly validate the HTTP Referer header. This allows attackers to bypass the same origin policy and access resources in another domain. This vulnerability is classified as CWE-352 (Cross-Site Request Forgery (CSRF)) in the Common Weakness Enumeration...

/ Database Connection String Disclosed

Database connection string disclosed (CWE-209) is a vulnerability that occurs when a database connection string, such as a password, is disclosed in a web or API application or within the infrastructure. This can allow an attacker to gain access to the database and sensitive information stored within it. Furthermore, the...

/ Dependency Confusion

Dependency Confusion is a type of authorization vulnerability where an attacker can use a form of name confusion to insert malicious code into a system. Dependency Confusion occurs when an application looks for a dependency library with a specific name, and an attacker is able to manipulate the library search...

/ Deserialization of Untrusted Data

Deserialization of Untrusted Data (CWE-502) is a vulnerability that occurs when an application deserializes untrusted data without proper validation. This vulnerability can be found in web and API applications and can lead to remote code execution and other malicious attacks. The OWASP Testing Guide recommends using a secure deserialization library...

/ Email Verification Bypass

Email verification bypass is an authorization vulnerability that occurs when a system does not properly check that emails are verified when a user attempts to log in (CWE-287). This vulnerability is present in both web applications and APIs (OWASP Testing Guide). When a user is attempting to create an account, they...

/ External Service Interaction (HTTP)

External service interaction (HTTP) is a type of authorization vulnerability where external services are exposed to malicious actors. It occurs when a web or API application interacts with an external service over HTTP, such as APIs, databases, web servers, or other services, and has not implemented proper authorization mechanisms. This...

/ External Service Interaction (SMTP)

External service interaction (SMTP) refers to a vulnerability in the software application, wherein the application interacts with external mail server services such as Simple Mail Transfer Protocol (SMTP). This vulnerability is classified as a type of authorization issue, as the application is not properly authorized by the user to interact...

/ Improper Enforcement of Behavioral Workflow

Improper Enforcement of Behavioral Workflow is a type of Authorization vulnerability identified in the Common Weakness Enumeration (CWE) directory. It occurs when a web or API application does not properly enforce certain behaviors that are required for secure operation. This can allow attackers to bypass the authorization process, granting them...

/ Improper Restriction of Operations within the Bounds of a Memory Buffer

Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) is a type of Authorization vulnerability that occurs when a program does not properly limit operations within the bounds of a memory buffer. This can lead to a situation where the program reads from or writes to memory...

/ Incorrect Default Permissions

Incorrect Default Permissions is a type of authorization vulnerability, in which certain files or directories are given permissions that are too broad or are granted to a wider set of users than is necessary. This type of vulnerability may be found in web and API applications, and is listed as...

/ Insecure Filesystem Access

Insecure Filesystem Access is a type of authorization vulnerability that occurs when an application does not restrict access to the filesystem of a device, such as a computer or mobile phone. This type of vulnerability can be exploited by malicious actors to access files stored on the device, including confidential...

/ Insecure Shared Preferences Permissions

Insecure Shared Preferences Permissions is a type of Authorization vulnerability as identified in the Common Weakness Enumeration (CWE) directory that affects Android and Mobile App systems. It occurs when access to shared preferences is misconfigured, allowing malicious actors to access and modify shared preferences without authentication or authorization. This can...

/ Integer Overflow or Wraparound

Integer Overflow or Wraparound is a type of authorization vulnerability listed in the CWE directory (CWE-190) as an implementation flaw. It occurs when a program uses an integer data type to store a value which is larger than the maximum value the integer data type can hold. This leads to...

/ iTunes UI File Sharing Enabled

iTunes UI File Sharing Enabled is an Authorization vulnerability that allows a user to access sensitive data stored in an iOS application or mobile app. This vulnerability is classified as CWE-284 and is described in the OWASP Testing Guide as “insufficient authorization or authentication for an operation involving sensitive data”....

/ List of Calls to Dangerous Low-Level C Functions

List of calls to dangerous low-level C functions is a vulnerability related to authorization in iOS and Mobile App. It is defined in the Common Weakness Enumeration (CWE) directory as CWE-415: Double Free, which is a type of memory access error where a program attempts to free the same memory...

/ Mach-O Entitlements

Mach-O Entitlements is a type of IT vulnerability that is classified as an Authorization issue. This vulnerability is present in both iOS and Mobile App operating systems, and it is listed as CWE-269 in the Common Weakness Enumeration directory. According to the OWASP Testing Guide, Mach-O Entitlements is a type...

/ Missing Authorization

Missing Authorization is an authorization vulnerability that occurs when an application fails to appropriately check if a user has the proper permissions to access a certain resource. This type of vulnerability typically occurs in Web and API applications and is ranked at number 18 in the CWE Top 25 (2022)....

/ Notification Spoofing

Notification spoofing is an authorization vulnerability which occurs when a malicious user impersonates another user or an application and sends an unauthorized notification. This type of attack is usually done by sending a malicious notification to a user or application, often in order to gain access to sensitive data or...

/ Null Pointer

NULL Pointer is an Authorization vulnerability, which occurs when a program attempts to access memory without first checking if it is valid. According to the Common Weakness Enumeration (CWE) directory, this vulnerability is classified as CWE-476 and is related to the use of uninitialized pointers. It commonly occurs in web...

/ Out-Of-Bounds Read

Out-of-bounds Read, also known as Out-of-bounds Read Access, is a type of authorization vulnerability that occurs when an application reads data outside the bounds of a buffer. This is a common vulnerability, and is cataloged in the CWE directory as CWE-126. According to OWASP, it is one of the most...

/ Out-Of-Bounds Write

Out-of-bounds Write (CWE-787) is an authorization vulnerability that occurs when a program writes data past the end of the intended buffer. It is listed in the CWE Top 25 (2022), and is commonly found in Web and API applications. According to the OWASP Testing Guide, this type of vulnerability can...

/ Privilege Escalation

Privilege Escalation (CWE-264) is a type of vulnerability that occurs when an attacker is able to gain access to more system resources than what is authorized. This type of attack is often seen in web and API applications, where an attacker can use a vulnerability to access a user's account...

/ Race Condition

Race Condition is a type of IT vulnerability that occurs when two or more processes are reading and writing the same shared data concurrently, and the outcome of the execution depends on the particular order of execution of those processes. It is categorized in the CWE Top 25 (2022) as...

/ Recorded Calls to Dangerous WebView Settings API

Recorded calls to dangerous WebView settings API is a vulnerability in Android and Mobile App that allows attackers to record audio on the device without authorization. This vulnerability is categorized as an Authorization vulnerability and is identified by the Common Weakness Enumeration (CWE) as CWE-284. According to the OWASP Testing...

/ Services Declared Without Permissions

Services declared without permissions is a vulnerability of the Authorization category (CWE-285) which affects Android and Mobile App systems. It occurs when an application declares a service in its AndroidManifest.xml file, but does not assign a permission to access the service. This can allow any application to access the service,...

/ Task Hijacking

Task Hijacking is an authorization vulnerability that occurs in Android and Mobile App. It is a type of privilege escalation that allows an attacker to access or manipulate a user’s tasks or threads. This vulnerability is listed in the Common Weakness Enumeration (CWE) directory under ID CWE-270. The OWASP Testing...

/ Task Hijacking

Task hijacking is a type of authorization vulnerability in which an attacker is able to take control of a user's session or task by intercepting the data, such as a session ID, intended for a legitimate user. It is defined in the Common Weakness Enumeration (CWE) directory as CWE-813. This...

/ Undeclared Permissions

Undeclared Permissions is a type of Authorization vulnerability that occurs in Android or a mobile app. This vulnerability occurs when an application requests permissions that are not declared in the manifest file. According to the Common Weakness Enumeration (CWE) directory, this vulnerability falls under CWE-284: Improper Access Control. The OWASP...

/ Untrusted External Storage File Access

Untrusted External Storage File Access is a type of Authorization vulnerability (CWE-862) where an application fails to properly verify the access permissions of external storage files, allowing an attacker to access or modify the data without proper authorization. This is an issue that particularly affects Android and mobile application users,...

/ Unused Permissions (Overprivileged)

Unused permissions (overprivileged) is an authorization vulnerability in Android and mobile apps, where the application has been granted more permissions than it requires for its intended purpose. This type of vulnerability is classified under CWE-284, Improper Access Control, and is described in the OWASP Testing Guide as “Application is granted...

/ Use After Free

Use After Free (UAF) is a type of software bug related to dynamic memory allocation and deallocation. It occurs when a program attempts to access a memory address which has already been freed, causing a segmentation fault or other system failure. UAF vulnerabilities are listed in the CWE Top 25...

/ Use of Potentially Dangerous Function

Use of Potentially Dangerous Function (CWE-602) is a vulnerability that occurs when an application allows an attacker to use a potentially dangerous function, such as system() or exec(), which allows them to execute arbitrary code. This vulnerability is classified in the Authorization category of the Common Weakness Enumeration (CWE) directory...

/ User Provisioning

User Provisioning is a type of authorization vulnerability (CWE-732) that arises when a user is granted access to services, resources, or information beyond the scope of their job role or authorized permissions. It occurs when an application does not properly validate the access privileges of a user, granting them more...