Blog post · WCC

2023 CWE Top 25 Most Dangerous Software Weaknesses released

CWE or Common Weakness Enumeration table shows what are the typical (most frequent and critical) software vulnerabilities in software based on the US National Vulnerability Database (NVD). As they stated: “An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.” Unfortunately, most of […]

Jul 1, 2023

CWE or Common Weakness Enumeration table shows what are the typical (most frequent and critical) software vulnerabilities in software based on the US National Vulnerability Database (NVD).

As they stated:

“An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.”

Unfortunately, most of these are ages old and can be avoided using well known methods in software development. See our other blog post about it.

Here is the link to the tables:

CWE – 2023 CWE Top 25 Most Dangerous Software Weaknesses (mitre.org)

Every company should check these, including of course, software developers.

Here is the table:

2023 CWE Top 25

×

RankIDNameScoreCVEs in KEVRank Change vs. 2022
1CWE-787Out-of-bounds Write63.72700
2CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)45.5440
3CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)34.2760
4CWE-416Use After Free16.7144+3
5CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)15.6523+1
6CWE-20Improper Input Validation15.5035-2
7CWE-125Out-of-bounds Read14.602-2
8CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.11160
9CWE-352Cross-Site Request Forgery (CSRF)11.7300
10CWE-434Unrestricted Upload of File with Dangerous Type10.4150
11CWE-862Missing Authorization6.900+5
12CWE-476NULL Pointer Dereference6.590-1
13CWE-287Improper Authentication6.3910+1
14CWE-190Integer Overflow or Wraparound5.894-1
15CWE-502Deserialization of Untrusted Data5.5614-3
16CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)4.954+1
17CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer4.757+2
18CWE-798Use of Hard-coded Credentials4.572-3
19CWE-918Server-Side Request Forgery (SSRF)4.5616+2
20CWE-306Missing Authentication for Critical Function3.788-2
21CWE-362Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)3.538+1
22CWE-269Improper Privilege Management3.315+7
23CWE-94Improper Control of Generation of Code (‘Code Injection’)3.306+2

About the Author

Jozsef worked as a CISO in a central hospital and in a school district. He is the founder and owner of Torotoro Ltd. He holds the following certifications: Security+ - CompTIA - 2023 Security Consultant - Ministry of Justice NZ - 2023 Certified Cyber Security Professional – Google – 2023 NZPA – NZ Privacy Commissioner – 2022 OPSWAT Certified Cyber Security Associate – OPSWAT – 2022 OSINT training – European Security Academy – 2021 Fortinet NSE – Fortinet - 2020 Virtual Agile Teams – IIL/PMI – 2020 ISO 27001 Lead Auditor – TÜV Rheinland InterCert Germany – 2019 NZQE recognized Level 7 General Informatics Diploma - 1996

Related Posts

Why kiwis are suffering in cyber?
Why kiwis are suffering in cyber?

Many experts say that Kiwis are suffering in cyber.
Especially in the SME sector, which means family and private businesses.
Let us enumerate a few reasons for this.

Subscribe

Comments

0 Comments