CWE coverage for C# — CodeQL query help documentation
| CWE | Language | Query id | Query name |
| --- | --- | --- | --- |
| CWE-11 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-12 | C# | cs/web/missing-global-error-handler | Missing global error handler |
| CWE-13 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-20 | C# | cs/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE-20 | C# | cs/serialization-check-bypass | Serialization check bypass |
| CWE-20 | C# | cs/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE-20 | C# | cs/xml/missing-validation | Missing XML validation |
| CWE-20 | C# | cs/assembly-path-injection | Assembly path injection |
| CWE-22 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-22 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-22 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-23 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-23 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-36 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-36 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-73 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-73 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-74 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-74 | C# | cs/command-line-injection | Uncontrolled command line |
| CWE-74 | C# | cs/web/xss | Cross-site scripting |
| CWE-74 | C# | cs/sql-injection | SQL query built from user-controlled sources |
| CWE-74 | C# | cs/ldap-injection | LDAP query built from user-controlled sources |
| CWE-74 | C# | cs/xml-injection | XML injection |
| CWE-74 | C# | cs/code-injection | Improper control of generation of code |
| CWE-74 | C# | cs/resource-injection | Resource injection |
| CWE-74 | C# | cs/uncontrolled-format-string | Uncontrolled format string |
| CWE-74 | C# | cs/xml/xpath-injection | XPath injection |
| CWE-74 | C# | cs/web/disabled-header-checking | Header checking disabled |
| CWE-74 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-77 | C# | cs/command-line-injection | Uncontrolled command line |
| CWE-78 | C# | cs/command-line-injection | Uncontrolled command line |
| CWE-79 | C# | cs/web/xss | Cross-site scripting |
| CWE-88 | C# | cs/command-line-injection | Uncontrolled command line |
| CWE-89 | C# | cs/sql-injection | SQL query built from user-controlled sources |
| CWE-90 | C# | cs/ldap-injection | LDAP query built from user-controlled sources |
| CWE-91 | C# | cs/xml-injection | XML injection |
| CWE-91 | C# | cs/xml/xpath-injection | XPath injection |
| CWE-93 | C# | cs/web/disabled-header-checking | Header checking disabled |
| CWE-94 | C# | cs/code-injection | Improper control of generation of code |
| CWE-95 | C# | cs/code-injection | Improper control of generation of code |
| CWE-96 | C# | cs/code-injection | Improper control of generation of code |
| CWE-99 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-99 | C# | cs/resource-injection | Resource injection |
| CWE-99 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-112 | C# | cs/xml/missing-validation | Missing XML validation |
| CWE-113 | C# | cs/web/disabled-header-checking | Header checking disabled |
| CWE-114 | C# | cs/assembly-path-injection | Assembly path injection |
| CWE-116 | C# | cs/web/xss | Cross-site scripting |
| CWE-116 | C# | cs/log-forging | Log entries created from user input |
| CWE-116 | C# | cs/inappropriate-encoding | Inappropriate encoding |
| CWE-117 | C# | cs/log-forging | Log entries created from user input |
| CWE-118 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
| CWE-119 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
| CWE-120 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
| CWE-122 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic |
| CWE-134 | C# | cs/uncontrolled-format-string | Uncontrolled format string |
| CWE-190 | C# | cs/loss-of-precision | Possible loss of precision |
| CWE-193 | C# | cs/index-out-of-bounds | Off-by-one comparison against container length |
| CWE-197 | C# | cs/loss-of-precision | Possible loss of precision |
| CWE-200 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-200 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
| CWE-200 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
| CWE-200 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-200 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
| CWE-200 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
| CWE-200 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
| CWE-201 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
| CWE-209 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
| CWE-215 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-221 | C# | cs/catch-of-all-exceptions | Generic catch clause |
| CWE-221 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE-227 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
| CWE-227 | C# | cs/invalid-dynamic-call | Bad dynamic call |
| CWE-227 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE-247 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-248 | C# | cs/web/missing-global-error-handler | Missing global error handler |
| CWE-252 | C# | cs/unchecked-return-value | Unchecked return value |
| CWE-256 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-258 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-259 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-259 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-260 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-260 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-284 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-284 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-284 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
| CWE-284 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-284 | C# | cs/session-reuse | Failure to abandon session |
| CWE-284 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference |
| CWE-284 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-284 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-284 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-284 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
| CWE-284 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
| CWE-285 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-285 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
| CWE-285 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference |
| CWE-287 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-287 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-287 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-287 | C# | cs/session-reuse | Failure to abandon session |
| CWE-287 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-287 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-287 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-287 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
| CWE-287 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
| CWE-290 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-311 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-311 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-311 | C# | cs/web/cookie-secure-not-set | Cookie 'Secure' attribute is not set to true |
| CWE-311 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
| CWE-312 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-312 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-313 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-315 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-319 | C# | cs/web/cookie-secure-not-set | Cookie 'Secure' attribute is not set to true |
| CWE-319 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
| CWE-321 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-321 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-321 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-326 | C# | cs/insufficient-key-size | Weak encryption: Insufficient key size |
| CWE-327 | C# | cs/adding-cert-to-root-store | Do not add certificates to the system root store |
| CWE-327 | C# | cs/insecure-sql-connection | Insecure SQL connection |
| CWE-327 | C# | cs/ecb-encryption | Encryption using ECB |
| CWE-327 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding |
| CWE-327 | C# | cs/weak-encryption | Weak encryption |
| CWE-327 | C# | cs/azure-storage/unsafe-usage-of-client-side-encryption-version | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187) |
| CWE-327 | C# | cs/hash-without-salt | Use of a hash function without a salt |
| CWE-330 | C# | cs/random-used-once | Random used only once |
| CWE-330 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-330 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-330 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-330 | C# | cs/insecure-randomness | Insecure randomness |
| CWE-335 | C# | cs/random-used-once | Random used only once |
| CWE-338 | C# | cs/insecure-randomness | Insecure randomness |
| CWE-344 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-344 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-344 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-345 | C# | cs/web/ambiguous-client-variable | Value shadowing |
| CWE-345 | C# | cs/web/ambiguous-server-variable | Value shadowing: server variable |
| CWE-345 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation |
| CWE-348 | C# | cs/web/ambiguous-client-variable | Value shadowing |
| CWE-348 | C# | cs/web/ambiguous-server-variable | Value shadowing: server variable |
| CWE-350 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-352 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation |
| CWE-359 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-359 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
| CWE-362 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
| CWE-362 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
| CWE-362 | C# | cs/thread-unsafe-icryptotransform-field-in-class | Thread-unsafe use of a static ICryptoTransform field |
| CWE-362 | C# | cs/thread-unsafe-icryptotransform-captured-in-lambda | Thread-unsafe capturing of an ICryptoTransform object |
| CWE-366 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
| CWE-384 | C# | cs/session-reuse | Failure to abandon session |
| CWE-390 | C# | cs/empty-catch-block | Poor error handling: empty catch block |
| CWE-391 | C# | cs/empty-catch-block | Poor error handling: empty catch block |
| CWE-395 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
| CWE-396 | C# | cs/catch-of-all-exceptions | Generic catch clause |
| CWE-398 | C# | cs/call-to-obsolete-method | Call to obsolete method |
| CWE-398 | C# | cs/todo-comment | TODO comment |
| CWE-398 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null |
| CWE-398 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null |
| CWE-398 | C# | cs/unused-reftype | Dead reference types |
| CWE-398 | C# | cs/useless-assignment-to-local | Useless assignment to local variable |
| CWE-398 | C# | cs/unused-field | Unused field |
| CWE-398 | C# | cs/unused-method | Unused method |
| CWE-398 | C# | cs/useless-cast-to-self | Cast to same type |
| CWE-398 | C# | cs/useless-is-before-as | Useless 'is' before 'as' |
| CWE-398 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression |
| CWE-398 | C# | cs/useless-type-test | Useless type test |
| CWE-398 | C# | cs/useless-upcast | Useless upcast |
| CWE-398 | C# | cs/empty-collection | Container contents are never initialized |
| CWE-398 | C# | cs/unused-collection | Container contents are never accessed |
| CWE-398 | C# | cs/empty-lock-statement | Empty lock statement |
| CWE-398 | C# | cs/linq/useless-select | Redundant Select |
| CWE-400 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex |
| CWE-400 | C# | cs/regex-injection | Regular expression injection |
| CWE-404 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
| CWE-404 | C# | cs/member-not-disposed | Missing Dispose call |
| CWE-404 | C# | cs/missing-dispose-method | Missing Dispose method |
| CWE-404 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
| CWE-405 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-405 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-409 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-409 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-434 | C# | cs/web/file-upload | Use of file upload |
| CWE-441 | C# | cs/request-forgery | Server-side request forgery |
| CWE-451 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE-457 | C# | cs/unassigned-field | Field is never assigned a non-default value |
| CWE-459 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
| CWE-459 | C# | cs/member-not-disposed | Missing Dispose call |
| CWE-459 | C# | cs/missing-dispose-method | Missing Dispose method |
| CWE-459 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
| CWE-460 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
| CWE-460 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
| CWE-471 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
| CWE-472 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
| CWE-476 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null |
| CWE-476 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null |
| CWE-477 | C# | cs/call-to-obsolete-method | Call to obsolete method |
| CWE-480 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic |
| CWE-485 | C# | cs/class-name-comparison | Erroneous class compare |
| CWE-485 | C# | cs/cast-from-abstract-to-concrete-collection | Cast from abstract to concrete collection |
| CWE-485 | C# | cs/expose-implementation | Exposing internal representation |
| CWE-485 | C# | cs/web/debug-code | ASP.NET: leftover debug code |
| CWE-486 | C# | cs/class-name-comparison | Erroneous class compare |
| CWE-489 | C# | cs/web/debug-code | ASP.NET: leftover debug code |
| CWE-497 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
| CWE-502 | C# | cs/deserialized-delegate | Deserialized delegate |
| CWE-502 | C# | cs/unsafe-deserialization | Unsafe deserializer |
| CWE-502 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data |
| CWE-521 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-522 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-522 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-532 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-538 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-538 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
| CWE-538 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
| CWE-539 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
| CWE-546 | C# | cs/todo-comment | TODO comment |
| CWE-548 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
| CWE-552 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-552 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
| CWE-561 | C# | cs/unused-reftype | Dead reference types |
| CWE-561 | C# | cs/unused-field | Unused field |
| CWE-561 | C# | cs/unused-method | Unused method |
| CWE-561 | C# | cs/useless-cast-to-self | Cast to same type |
| CWE-561 | C# | cs/useless-is-before-as | Useless 'is' before 'as' |
| CWE-561 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression |
| CWE-561 | C# | cs/useless-type-test | Useless type test |
| CWE-561 | C# | cs/useless-upcast | Useless upcast |
| CWE-561 | C# | cs/empty-collection | Container contents are never initialized |
| CWE-561 | C# | cs/unused-collection | Container contents are never accessed |
| CWE-561 | C# | cs/linq/useless-select | Redundant Select |
| CWE-563 | C# | cs/useless-assignment-to-local | Useless assignment to local variable |
| CWE-567 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
| CWE-573 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
| CWE-573 | C# | cs/invalid-dynamic-call | Bad dynamic call |
| CWE-581 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
| CWE-582 | C# | cs/static-array | Array constant vulnerable to change |
| CWE-585 | C# | cs/empty-lock-statement | Empty lock statement |
| CWE-592 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-595 | C# | cs/reference-equality-with-object | Reference equality test on System.Object |
| CWE-595 | C# | cs/reference-equality-on-valuetypes | Call to ReferenceEquals(...) on value type expressions |
| CWE-601 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source |
| CWE-609 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
| CWE-610 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-610 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source |
| CWE-610 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-610 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-610 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-610 | C# | cs/request-forgery | Server-side request forgery |
| CWE-611 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-611 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-614 | C# | cs/web/cookie-secure-not-set | Cookie 'Secure' attribute is not set to true |
| CWE-614 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
| CWE-628 | C# | cs/invalid-dynamic-call | Bad dynamic call |
| CWE-639 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference |
| CWE-642 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
| CWE-642 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-642 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-643 | C# | cs/xml/xpath-injection | XPath injection |
| CWE-657 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-657 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-657 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-662 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
| CWE-662 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence |
| CWE-662 | C# | cs/lock-this | Locking the 'this' object in a lock statement |
| CWE-662 | C# | cs/locked-wait | A lock is held during a wait |
| CWE-662 | C# | cs/unsynchronized-getter | Inconsistently synchronized property |
| CWE-662 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
| CWE-662 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
| CWE-664 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
| CWE-664 | C# | cs/member-not-disposed | Missing Dispose call |
| CWE-664 | C# | cs/missing-dispose-method | Missing Dispose method |
| CWE-664 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
| CWE-664 | C# | cs/class-name-comparison | Erroneous class compare |
| CWE-664 | C# | cs/cast-from-abstract-to-concrete-collection | Cast from abstract to concrete collection |
| CWE-664 | C# | cs/expose-implementation | Exposing internal representation |
| CWE-664 | C# | cs/static-array | Array constant vulnerable to change |
| CWE-664 | C# | cs/web/debug-code | ASP.NET: leftover debug code |
| CWE-664 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
| CWE-664 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
| CWE-664 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence |
| CWE-664 | C# | cs/lock-this | Locking the 'this' object in a lock statement |
| CWE-664 | C# | cs/locked-wait | A lock is held during a wait |
| CWE-664 | C# | cs/unsynchronized-getter | Inconsistently synchronized property |
| CWE-664 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
| CWE-664 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
| CWE-664 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-664 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-664 | C# | cs/unassigned-field | Field is never assigned a non-default value |
| CWE-664 | C# | cs/web/file-upload | Use of file upload |
| CWE-664 | C# | cs/catch-of-all-exceptions | Generic catch clause |
| CWE-664 | C# | cs/loss-of-precision | Possible loss of precision |
| CWE-664 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-664 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-664 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-664 | C# | cs/code-injection | Improper control of generation of code |
| CWE-664 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
| CWE-664 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
| CWE-664 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
| CWE-664 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-664 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-664 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
| CWE-664 | C# | cs/session-reuse | Failure to abandon session |
| CWE-664 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE-664 | C# | cs/deserialized-delegate | Deserialized delegate |
| CWE-664 | C# | cs/unsafe-deserialization | Unsafe deserializer |
| CWE-664 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data |
| CWE-664 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
| CWE-664 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source |
| CWE-664 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-664 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-664 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference |
| CWE-664 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex |
| CWE-664 | C# | cs/regex-injection | Regular expression injection |
| CWE-664 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-664 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-664 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-664 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
| CWE-664 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
| CWE-664 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
| CWE-664 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-664 | C# | cs/request-forgery | Server-side request forgery |
| CWE-665 | C# | cs/unassigned-field | Field is never assigned a non-default value |
| CWE-667 | C# | cs/locked-wait | A lock is held during a wait |
| CWE-667 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
| CWE-668 | C# | cs/static-array | Array constant vulnerable to change |
| CWE-668 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden |
| CWE-668 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-668 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-668 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information |
| CWE-668 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-668 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-668 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data |
| CWE-668 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
| CWE-668 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-668 | C# | cs/exposure-of-sensitive-information | Exposure of private information |
| CWE-668 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing |
| CWE-668 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie |
| CWE-668 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-669 | C# | cs/web/file-upload | Use of file upload |
| CWE-669 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE-669 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-669 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-670 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic |
| CWE-671 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-671 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-671 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-674 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-674 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-681 | C# | cs/loss-of-precision | Possible loss of precision |
| CWE-682 | C# | cs/index-out-of-bounds | Off-by-one comparison against container length |
| CWE-682 | C# | cs/loss-of-precision | Possible loss of precision |
| CWE-684 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE-691 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
| CWE-691 | C# | cs/constant-condition | Constant condition |
| CWE-691 | C# | cs/unsafe-sync-on-field | Futile synchronization on field |
| CWE-691 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence |
| CWE-691 | C# | cs/lock-this | Locking the 'this' object in a lock statement |
| CWE-691 | C# | cs/locked-wait | A lock is held during a wait |
| CWE-691 | C# | cs/unsynchronized-getter | Inconsistently synchronized property |
| CWE-691 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe |
| CWE-691 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context |
| CWE-691 | C# | cs/catch-of-all-exceptions | Generic catch clause |
| CWE-691 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic |
| CWE-691 | C# | cs/thread-unsafe-icryptotransform-field-in-class | Thread-unsafe use of a static ICryptoTransform field |
| CWE-691 | C# | cs/thread-unsafe-icryptotransform-captured-in-lambda | Thread-unsafe capturing of an ICryptoTransform object |
| CWE-691 | C# | cs/linq/inconsistent-enumeration | Bad multiple iteration |
| CWE-691 | C# | cs/code-injection | Improper control of generation of code |
| CWE-691 | C# | cs/web/missing-global-error-handler | Missing global error handler |
| CWE-691 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-691 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-693 | C# | cs/empty-password-in-configuration | Empty password in configuration file |
| CWE-693 | C# | cs/password-in-configuration | Password in configuration file |
| CWE-693 | C# | cs/web/ambiguous-client-variable | Value shadowing |
| CWE-693 | C# | cs/web/ambiguous-server-variable | Value shadowing: server variable |
| CWE-693 | C# | cs/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE-693 | C# | cs/serialization-check-bypass | Serialization check bypass |
| CWE-693 | C# | cs/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE-693 | C# | cs/xml/missing-validation | Missing XML validation |
| CWE-693 | C# | cs/assembly-path-injection | Assembly path injection |
| CWE-693 | C# | cs/web/missing-function-level-access-control | Missing function level access control |
| CWE-693 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information |
| CWE-693 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-693 | C# | cs/adding-cert-to-root-store | Do not add certificates to the system root store |
| CWE-693 | C# | cs/insecure-sql-connection | Insecure SQL connection |
| CWE-693 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation |
| CWE-693 | C# | cs/session-reuse | Failure to abandon session |
| CWE-693 | C# | cs/web/cookie-secure-not-set | Cookie 'Secure' attribute is not set to true |
| CWE-693 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true |
| CWE-693 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference |
| CWE-693 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-693 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-693 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method |
| CWE-693 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain |
| CWE-693 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path |
| CWE-693 | C# | cs/ecb-encryption | Encryption using ECB |
| CWE-693 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding |
| CWE-693 | C# | cs/insufficient-key-size | Weak encryption: Insufficient key size |
| CWE-693 | C# | cs/weak-encryption | Weak encryption |
| CWE-693 | C# | cs/azure-storage/unsafe-usage-of-client-side-encryption-version | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187) |
| CWE-693 | C# | cs/hash-without-salt | Use of a hash function without a salt |
| CWE-697 | C# | cs/class-name-comparison | Erroneous class compare |
| CWE-697 | C# | cs/reference-equality-with-object | Reference equality test on System.Object |
| CWE-697 | C# | cs/reference-equality-on-valuetypes | Call to ReferenceEquals(...) on value type expressions |
| CWE-703 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
| CWE-703 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable |
| CWE-703 | C# | cs/unchecked-return-value | Unchecked return value |
| CWE-703 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
| CWE-703 | C# | cs/empty-catch-block | Poor error handling: empty catch block |
| CWE-703 | C# | cs/catch-of-all-exceptions | Generic catch clause |
| CWE-703 | C# | cs/information-exposure-through-exception | Information exposure through an exception |
| CWE-703 | C# | cs/web/missing-global-error-handler | Missing global error handler |
| CWE-704 | C# | cs/loss-of-precision | Possible loss of precision |
| CWE-705 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException |
| CWE-705 | C# | cs/catch-of-all-exceptions | Generic catch clause |
| CWE-705 | C# | cs/web/missing-global-error-handler | Missing global error handler |
| CWE-706 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-706 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-706 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely |
| CWE-706 | C# | cs/insecure-xml-read | XML is read insecurely |
| CWE-706 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-707 | C# | cs/path-injection | Uncontrolled data used in path expression |
| CWE-707 | C# | cs/command-line-injection | Uncontrolled command line |
| CWE-707 | C# | cs/web/xss | Cross-site scripting |
| CWE-707 | C# | cs/sql-injection | SQL query built from user-controlled sources |
| CWE-707 | C# | cs/ldap-injection | LDAP query built from user-controlled sources |
| CWE-707 | C# | cs/xml-injection | XML injection |
| CWE-707 | C# | cs/code-injection | Improper control of generation of code |
| CWE-707 | C# | cs/resource-injection | Resource injection |
| CWE-707 | C# | cs/log-forging | Log entries created from user input |
| CWE-707 | C# | cs/uncontrolled-format-string | Uncontrolled format string |
| CWE-707 | C# | cs/xml/xpath-injection | XPath injection |
| CWE-707 | C# | cs/inappropriate-encoding | Inappropriate encoding |
| CWE-707 | C# | cs/web/disabled-header-checking | Header checking disabled |
| CWE-707 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient |
| CWE-710 | C# | cs/call-to-obsolete-method | Call to obsolete method |
| CWE-710 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() |
| CWE-710 | C# | cs/todo-comment | TODO comment |
| CWE-710 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null |
| CWE-710 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null |
| CWE-710 | C# | cs/unused-reftype | Dead reference types |
| CWE-710 | C# | cs/useless-assignment-to-local | Useless assignment to local variable |
| CWE-710 | C# | cs/unused-field | Unused field |
| CWE-710 | C# | cs/unused-method | Unused method |
| CWE-710 | C# | cs/useless-cast-to-self | Cast to same type |
| CWE-710 | C# | cs/useless-is-before-as | Useless 'is' before 'as' |
| CWE-710 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression |
| CWE-710 | C# | cs/useless-type-test | Useless type test |
| CWE-710 | C# | cs/useless-upcast | Useless upcast |
| CWE-710 | C# | cs/empty-collection | Container contents are never initialized |
| CWE-710 | C# | cs/unused-collection | Container contents are never accessed |
| CWE-710 | C# | cs/invalid-dynamic-call | Bad dynamic call |
| CWE-710 | C# | cs/empty-lock-statement | Empty lock statement |
| CWE-710 | C# | cs/linq/useless-select | Redundant Select |
| CWE-710 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key |
| CWE-710 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE-710 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials |
| CWE-710 | C# | cs/hardcoded-credentials | Hard-coded credentials |
| CWE-754 | C# | cs/unchecked-return-value | Unchecked return value |
| CWE-755 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution |
| CWE-755 | C# | cs/local-not-disposed | |
Missing Dispose call on local IDisposable
CWE-755
C#
cs/catch-nullreferenceexception
Poor error handling: catch of NullReferenceException
CWE-755
C#
cs/empty-catch-block
Poor error handling: empty catch block
CWE-755
C#
cs/catch-of-all-exceptions
Generic catch clause
CWE-755
C#
cs/information-exposure-through-exception
Information exposure through an exception
CWE-755
C#
cs/web/missing-global-error-handler
Missing global error handler
CWE-756
C#
cs/web/missing-global-error-handler
Missing global error handler
CWE-759
C#
cs/hash-without-salt
Use of a hash function without a salt
CWE-776
C#
cs/xml/insecure-dtd-handling
Untrusted XML is read insecurely
CWE-776
C#
cs/insecure-xml-read
XML is read insecurely
CWE-780
C#
cs/inadequate-rsa-padding
Weak encryption: inadequate RSA padding
CWE-787
C#
cs/unvalidated-local-pointer-arithmetic
Unvalidated local pointer arithmetic
CWE-788
C#
cs/unvalidated-local-pointer-arithmetic
Unvalidated local pointer arithmetic
CWE-798
C#
cs/hard-coded-symmetric-encryption-key
Hard-coded symmetric encryption key
CWE-798
C#
cs/hardcoded-connection-string-credentials
Hard-coded connection string with credentials
CWE-798
C#
cs/hardcoded-credentials
Hard-coded credentials
CWE-807
C#
cs/user-controlled-bypass
User-controlled bypass of sensitive method
CWE-820
C#
cs/unsynchronized-static-access
Unsynchronized access to static collection member in non-static context
CWE-827
C#
cs/xml/insecure-dtd-handling
Untrusted XML is read insecurely
CWE-827
C#
cs/insecure-xml-read
XML is read insecurely
CWE-829
C#
cs/web/missing-x-frame-options
Missing X-Frame-Options HTTP header
CWE-829
C#
cs/xml/insecure-dtd-handling
Untrusted XML is read insecurely
CWE-829
C#
cs/insecure-xml-read
XML is read insecurely
CWE-833
C#
cs/locked-wait
A lock is held during a wait
CWE-834
C#
cs/constant-condition
Constant condition
CWE-834
C#
cs/linq/inconsistent-enumeration
Bad multiple iteration
CWE-834
C#
cs/xml/insecure-dtd-handling
Untrusted XML is read insecurely
CWE-834
C#
cs/insecure-xml-read
XML is read insecurely
CWE-835
C#
cs/constant-condition
Constant condition
CWE-838
C#
cs/inappropriate-encoding
Inappropriate encoding
CWE-862
C#
cs/empty-password-in-configuration
Empty password in configuration file
CWE-862
C#
cs/web/missing-function-level-access-control
Missing function level access control
CWE-862
C#
cs/web/insecure-direct-object-reference
Insecure Direct Object Reference
CWE-913
C#
cs/code-injection
Improper control of generation of code
CWE-913
C#
cs/deserialized-delegate
Deserialized delegate
CWE-913
C#
cs/unsafe-deserialization
Unsafe deserializer
CWE-913
C#
cs/unsafe-deserialization-untrusted-input
Deserialization of untrusted data
CWE-916
C#
cs/hash-without-salt
Use of a hash function without a salt
CWE-918
C#
cs/request-forgery
Server-side request forgery
CWE-922
C#
cs/password-in-configuration
Password in configuration file
CWE-922
C#
cs/cleartext-storage-of-sensitive-information
Clear text storage of sensitive information
CWE-923
C#
cs/user-controlled-bypass
User-controlled bypass of sensitive method
CWE-943
C#
cs/sql-injection
SQL query built from user-controlled sources
CWE-943
C#
cs/ldap-injection
LDAP query built from user-controlled sources
CWE-943
C#
cs/xml/xpath-injection
XPath injection
CWE-1004
C#
cs/web/cookie-httponly-not-set
Cookie 'HttpOnly' attribute is not set to true
CWE-1333
C#
cs/redos
Denial of Service from comparison of user input against expensive regex