Knowledge Base - Issues

Our knowledge-base provides a comprehensive collection of information on vulnerabilities related to cyber security.

/ Abuse of Mobile Network Connection

Abuse of Mobile Network Connection is a configuration management vulnerability, which can occur in Android, iOS, and Mobile App applications. According to the CWE directory, this vulnerability occurs when the application connects to a mobile network to access services, but the data is not properly protected, allowing an attacker to...

/ ASP.net Debugging Enabled

ASP.NET debugging enabled is a configuration management vulnerability (CWE-534) that occurs in web and API applications. It occurs when ASP.NET debugging is enabled in a production environment, allowing attackers to access debugging information and potentially exploit the web application. According to the OWASP Testing Guide, "Debugging information can provide an...
Attribute requestLegacyExternalStorage set is a Configuration Management vulnerability, which usually occurs in Android and mobile applications. It is defined in the Common Weakness Enumeration (CWE) directory as "CWE-732: Incorrect Permission Assignment for Critical Resource". This means that the application does not assign the correct permissions to sensitive or critical resources,...
Automatic Reference Counting (ARC) not enforced is a type of Configuration Management vulnerability (CWE-822) that occurs in mobile applications and iOS. It is an issue where a reference count is not correctly enforced and allows memory to be accessed even when the reference count is 0 or less. This can...

/ Backup Mode Disabled

Backup mode disabled is a vulnerability within the Configuration Management category of the Common Weakness Enumeration (CWE-16). It is related to a lack of secure configuration management, where the configuration of a system is not set up correctly. This can lead to the system becoming vulnerable to attack. Specifically, the...
Browser cross-site scripting filter disabled (CWE-79) is a configuration management vulnerability that falls under Web and API category. This vulnerability allows malicious code to be executed in the user’s browser, as the cross-site scripting filter is not enabled. According to the OWASP Testing Guide, cross-site scripting filters are used to...

/ Content Sniffing Not Disabled

Description Content Sniffing not disabled is a Configuration Management vulnerability (CWE-943) that occurs in Web and API applications. It is a type of attack that attempts to exploit potential security flaws in web applications by exploiting the client's ability to interpret data sent from the server. Content Sniffing not disabled can...

/ Content Type Incorrectly Stated

Content type incorrectly stated, also known as CWE-200, is a type of vulnerability related to configuration management in web and API applications. It occurs when an application incorrectly states the content type of a response when the content type is not correctly given by the application. This can be dangerous...

/ Content Type Is Not Specified

Content type is not specified is a vulnerability that falls under the category of Configuration Management in the Common Weakness Enumeration (CWE) directory (CWE-20). This vulnerability occurs when there is no content type specified for data sent via Web and API requests. If a content type is not specified, the...

/ Cookie Issued to Parent Domain

Cookie issued to parent domain is a web application vulnerability in the configuration management category (CWE-20). The vulnerability occurs when a cookie is issued to a parent domain, allowing the cookie to be accessed in the parent domain or other subdomains. This type of cookie injection can be used to...

/ Cross-Domain Post

Cross-domain POST is a type of IT vulnerability which falls under the category of Configuration Management. This vulnerability is primarily found in web applications and APIs, and is defined as the ability to send a request from one domain to another, which is often done by malicious actors. This type...

/ Duplicate Cookies Set

Duplicate cookies set, also known as CWE-614, is a configuration management vulnerability that occurs in web and API applications. It occurs when two or more cookies are set with the same name and different values, resulting in different responses from the server. This vulnerability can be exploited to hijack a...
External Control of System or Configuration Setting (CWE-908) is a vulnerability that occurs when an external user is able to manipulate the system or configuration settings of a system. This type of vulnerability is typically found in web and API applications, as well as in infrastructure components, such as servers...

/ Facebook SDK Debug Mode Enabled

Facebook SDK debug mode enabled is a configuration management vulnerability (CWE-732) that affects Android, iOS and Mobile App software. This vulnerability occurs when the debug mode of the Facebook SDK is enabled, which allows attackers to bypass security measures, modify data, and take control of the application. Reference to the...

/ Flash Cross-Domain Policy

Flash cross-domain policy is an IT vulnerability that affects web and API applications. According to the Common Weakness Enumeration (CWE) directory, this vulnerability is classified as CWE-918: Server-Side Request Forgery (SSRF). It occurs when a web application or API allows a malicious user to send unrestricted cross-domain requests to a...

/ HTML Does Not Specify Charset

HTML does not specify charset is a configuration management vulnerability (CWE-721) which occurs in web and API applications. This vulnerability does not specify a charset in the header of a web page, which can lead to the page being interpreted with the wrong encoding. This can lead to unexpected characters...

/ HTML Uses Unrecognized Charset

Applications may specify a non-standard character set as a result of typographical errors within the code base, or because of intentional usage of an unusual character set that is not universally recognized by browsers. If the browser does not recognize the character set specified by the application, then the browser...

/ Html5 Web Message Manipulation

HTML5 Web Message Manipulation (CWE-734) is a type of vulnerability in which an attacker intercepts and manipulates web messages sent between a client and a server. This vulnerability occurs in web and API services, allowing an attacker to alter web messages sent over HTTP or HTTPS, redirecting users to malicious...

/ HTTP Put Method Is Enabled

HTTP PUT method is enabled vulnerability is a Configuration Management vulnerability (CWE-264) that allows an attacker to modify existing web resources or create new resources via web server. It can be exploited to create malicious files or modify data on a vulnerable server. The vulnerability is categorized as a Security...

/ Insecure Whitelist

Insecure whitelist is a common configuration management vulnerability, listed as CWE-759, which occurs when an application or system incorrectly implements a whitelisting process. This vulnerability is common in Android, iOS and Mobile App environments and can be used to bypass authentication and authorization controls. According to the OWASP Testing Guide,...

/ Insecure Whitelist Configuration

Insecure whitelist configuration is a type of vulnerability in Configuration Management that allows an attacker to access a system by bypassing a whitelist. This vulnerability is registered in the Common Weakness Enumeration (CWE) directory as CWE-639. It is also described in the OWASP Testing Guide. This vulnerability affects Android, iOS,...

/ Missing Content Security Policy

Missing Content Security Policy (CSP) is a configuration management vulnerability that is classified as CWE-676 under the Common Weakness Enumeration (CWE) directory. It is also listed as a Web and API vulnerability in the OWASP Testing Guide. In a nutshell, this vulnerability occurs when an application does not have a...

/ Multiple Content Types Specified

Multiple content types specified (CWE-20) is a vulnerability which occurs when a web application or API is configured to accept multiple content types, but not all content types are valid or secure. This vulnerability may lead to attacks such as Cross-Site Scripting (XSS), SQL injection, and other malicious activities. According...

/ Old Tls Version Enabled

Old TLS version enabled is a vulnerability in the Configuration Management of Web and API applications, as well as Infrastructure. This vulnerability can occur when an old version of the Transport Layer Security (TLS) protocol is enabled on a system, allowing an adversary to exploit known vulnerabilities associated with the...

/ Password Field with Autocomplete Enabled

Password field with autocomplete enabled is a vulnerability related to Configuration Management (CWE-327). It occurs when the web application or API stores user passwords in the web browser's local storage, allowing the browser to autocomplete the password field when the user visits the page again. This can be a security...

/ Path-Relative Style Sheet Import

Path-relative style sheet import (CWE-16) is a vulnerability related to configuration management in web and API applications. It is a type of vulnerability that allows attackers to inject malicious code in a style sheet, which can in turn be used to steal sensitive data. This vulnerability is described in detail...

/ Referer-Dependent Response

Referer-dependent response is an IT vulnerability related to configuration management. It is listed in the Common Weakness Enumeration (CWE) directory under CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’). It is a vulnerability that occurs in Web and API applications, where the server is configured to respond differently to requests...

/ SSL/TLS Cookie without Httponly Flag

SSL/TLS Cookie without HttpOnly Flag is a configuration management vulnerability (CWE-614) that allows an attacker to access cookies that are transmitted over an encrypted SSL/TLS connection. This vulnerability is present when web and API applications are not configured to use the HttpOnly flag on cookies, which prevents the cookie from...

/ SSL/TLS Cookie without Secure Flag

SSL/TLS Cookie without secure flag is a vulnerability that occurs when an application sets an SSL/TLS cookie without the secure flag set, resulting in the cookie being sent in clear text over an unsecured connection. This is a configuration management vulnerability, classified in the CWE directory as CWE-614. The OWASP...

/ Stack Smashing Protection Not Enforced

Stack smashing protection not enforced (CWE-119) is a vulnerability in software or application security that occurs when a program does not enforce some form of stack smashing protection. It is an input validation vulnerability that allows a malicious user to change the application's logic by writing to the stack or...
Strict Transport Security Misconfiguration is a type of Configuration Management vulnerability that occurs in web and API applications. This vulnerability occurs when a server does not properly enforce the usage of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols, which are used to secure data transmission. This vulnerability...

/ Strict Transport Security Not Enforced

Strict-Transport-Security (STS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections and never via the insecure HTTP protocol. A configuration management vulnerability occurs...

/ Subdomain Takeover

Subdomain Takeover is a type of vulnerability which occurs when a subdomain (subdomain.example.com) is pointing to a service (e.g. Azure, Heroku, Github Pages, etc.) that has been removed or deleted. This leaves the subdomain pointing to a service that no longer exists, resulting in a vulnerability. According to the CWE...

/ TLS Certificate

TLS Certificate is a type of vulnerability that relates to Configuration Management and occurs when an organization is not properly managing their TLS Certificates. This vulnerability is classified as CWE-295: Improper Certificate Validation (https://cwe.mitre.org/data/definitions/295.html) and is also mentioned in the OWASP Testing Guide v4 (https://owasp.org/www-project-web-security-testing-guide/). TLS Certificates are used to...

/ User Agent-Dependent Response

User agent-dependent response is a type of configuration management vulnerability (CWE-16) that can occur in web and API applications. It occurs when a web application or API server responds differently to requests based on the user agent string sent by the client. This can lead to information disclosure, or allow...

/ Weak Content Security Policy (CSP)

Weak Content Security Policy (CSP) is a vulnerability found in web and API configurations that can lead to serious security issues. This vulnerability is classified by the Common Weakness Enumeration (CWE) directory as CWE-79 and is listed in the OWASP Testing Guide as T5: Security Misconfiguration. CSP is a security...

/ Webview Remote Debugging Enabled

Webview Remote Debugging Enabled is a type of configuration management vulnerability listed in the CWE directory as CWE-91. It is related to the OWASP Testing Guide as it can be exploited by malicious actors to gain access to sensitive data. This vulnerability is most commonly found in Android and Mobile...

/ Wsus Misconfiguration

WSUS Misconfiguration is a vulnerability categorized under Configuration Management, and falls under the Infrastructure domain. This vulnerability occurs when an attacker exploits weaknesses in the Windows Server Update Services (WSUS) configuration to gain unauthorized access to the system. This type of attack is tracked as CWE-20 and is defined as...
Showing entries 1 to 38 of 38 entries.