CISQ Data Protection Measures

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sens...

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource th...

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but ...

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neut...

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neu...

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes spe...

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes...

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

The product does not release or incorrectly releases a resource before it is made available for re-use.

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product ...

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not ...

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index ref...

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but...

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

The product does not correctly convert an object, resource, or structure from one type to a different type.

The product initializes data using hard-coded values that act as network resource identifiers.

The product does not encrypt sensitive or critical information before storage or transmission.

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive loo...

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...

The product uses or accesses a resource that has not been initialized.

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is p...