Web Application Vulnerabilities Index

This page lists X vulnerabilities classified as CWE-16 that can be detected by Invicti.

Select Category
Critical
High
Medium
Low
Best Practice
Information
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Select Vulnerability
Vulnerability Name
Classification
Severity
An Unsafe Content Security Policy (CSP) Directive in Use
An Unsafe Content Security Policy (CSP) Directive in Use
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Apache Multiple Choices Enabled
Apache Multiple Choices Enabled
CWE-16
, 
ISO27001-A.9.4.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-14
, 
Low
Apache MultiViews Enabled
Apache MultiViews Enabled
CWE-16
, 
ISO27001-A.9.4.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-14
, 
Low
Apache Server-Info Detected
Apache Server-Info Detected
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-14
, 
Medium
Apache Server-Status Detected
Apache Server-Status Detected
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-14
, 
Medium
ASP.NET Cookieless Authentication Is Enabled
ASP.NET Cookieless Authentication Is Enabled
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
ASP.NET Cookieless Session State Is Enabled
ASP.NET Cookieless Session State Is Enabled
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
ASP.NET CustomErrors Is Disabled
ASP.NET CustomErrors Is Disabled
CWE-16
, 
OWASP 2013-A6
, 
OWASP 2017-A3
, 
Medium
ASP.NET Debugging Enabled
ASP.NET Debugging Enabled
CWE-16
, 
ISO27001-A.9.4.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-14
, 
Information
ASP.NET: Failure To Require SSL For Authentication Cookies
ASP.NET: Failure To Require SSL For Authentication Cookies
CWE-16
, 
OWASP 2017-A6
, 
Medium
ASP.NET ValidateRequest Is Globally Disabled
ASP.NET ValidateRequest Is Globally Disabled
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
ASP.NET ViewStateUserKey Is Not Set
ASP.NET ViewStateUserKey Is Not Set
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Low
Autocomplete Enabled (Password Field)
Autocomplete Enabled (Password Field)
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
, 
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Autocomplete is Enabled
Autocomplete is Enabled
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Axis Development Mode Enabled in WEB-INF/server-config.wsdd
Axis Development Mode Enabled in WEB-INF/server-config.wsdd
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Axis system configuration listing enabled in WEB-INF/server-config.wsdd
Axis system configuration listing enabled in WEB-INF/server-config.wsdd
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Content Security Policy (CSP) Keywords Not Used Within Single Quotes
Content Security Policy (CSP) Keywords Not Used Within Single Quotes
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes
Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content Security Policy (CSP) Nonce Without Matching Script Block
Content Security Policy (CSP) Nonce Without Matching Script Block
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content Security Policy (CSP) Not Implemented
Content Security Policy (CSP) Not Implemented
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags
Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive
Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Cookie Not Marked as HttpOnly
Cookie Not Marked as HttpOnly
CAPEC-107
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Custom Error Pages Are Not Configured in WEB-INF/web.xml
Custom Error Pages Are Not Configured in WEB-INF/web.xml
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Database Connection String Detected
Database Connection String Detected
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
, 
CWE-16
, 
HIPAA-164.306(a)
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A3
, 
WASC-15
, 
Information
Deprecated Header Instruction Used to Implement Content Security Policy (CSP)
Deprecated Header Instruction Used to Implement Content Security Policy (CSP)
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Django Debug Mode Enabled
Django Debug Mode Enabled
CAPEC-214
, 
CWE-16
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.5
, 
WASC-14
, 
Low
Elmah.axd / Errorlog.axd Detected
Elmah.axd / Errorlog.axd Detected
CAPEC-347
, 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
HIPAA-164.306(a)
, 
HIPAA-164.308(a)
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.6
, 
WASC-15
, 
High
Expect-CT Header via HTTP
Expect-CT Header via HTTP
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Information
Expect-CT Not Enabled
Expect-CT Not Enabled
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Best Practice
Expect-CT Security Header Errors and Warnings
Expect-CT Security Header Errors and Warnings
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Information
HTTP Strict Transport Security (HSTS) Errors and Warnings
HTTP Strict Transport Security (HSTS) Errors and Warnings
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
HTTP Strict Transport Security (HSTS) Max-Age Value Too Low
HTTP Strict Transport Security (HSTS) Max-Age Value Too Low
CWE-16
, 
ISO27001-A.14.1.2
, 
WASC-15
, 
Information
HTTP Strict Transport Security (HSTS) via HTTP
HTTP Strict Transport Security (HSTS) via HTTP
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Incorrect Content Security Policy (CSP) Implementation
Incorrect Content Security Policy (CSP) Implementation
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
Insecure Frame (External)
Insecure Frame (External)
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Insecure Reflected Content
Insecure Reflected Content
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A1
, 
WASC-15
, 
Low
Invalid Content Security Policy (CSP) Directive Identified in meta Elements
Invalid Content Security Policy (CSP) Directive Identified in meta Elements
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Information
JavaMelody Interface Detected
JavaMelody Interface Detected
CAPEC-347
, 
CWE-16
, 
ISO27001-A.18.1.3
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-14
, 
Medium
Java Verb Tampering Via Misconfigured Security Constraint
Java Verb Tampering Via Misconfigured Security Constraint
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Laravel Debug Mode Enabled
Laravel Debug Mode Enabled
CAPEC-214
, 
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.5
, 
WASC-14
, 
Low
Misconfigured Access-Control-Allow-Origin Header
Misconfigured Access-Control-Allow-Origin Header
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.8
, 
WASC-15
, 
Low
Misconfigured Frame
Misconfigured Frame
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Missing Content-Type Header
Missing Content-Type Header
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.7
, 
WASC-15
, 
Low
Missing frame-ancestors in CSP Declaration
Missing frame-ancestors in CSP Declaration
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Missing object-src in CSP Declaration
Missing object-src in CSP Declaration
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
Missing X-Content-Type-Options Header
Missing X-Content-Type-Options Header
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
Missing X-XSS-Protection Header
Missing X-XSS-Protection Header
CWE-16
, 
HIPAA-164.308(a)
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
Multiple Content Security Policy (CSP) Implementation Detected
Multiple Content Security Policy (CSP) Implementation Detected
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Information
No SAML Response Signature Check
No SAML Response Signature Check
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
High
Open Policy Crossdomain.xml Detected
Open Policy Crossdomain.xml Detected
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
Open Silverlight Client Access Policy
Open Silverlight Client Access Policy
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Medium
OPTIONS Method Enabled
OPTIONS Method Enabled
CAPEC-107
, 
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-14
, 
Information
Overly Long Session Timeout
Overly Long Session Timeout
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Phishing by Navigating Browser Tabs
Phishing by Navigating Browser Tabs
CWE-16
, 
ISO27001-A.14.1.2
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
Low
PHP allow_url_fopen Is Enabled
PHP allow_url_fopen Is Enabled
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Low
PHP allow_url_include Is Enabled
PHP allow_url_include Is Enabled
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Low
PHP enable_dl Is Enabled
PHP enable_dl Is Enabled
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
PHP magic_quotes_gpc Is Disabled
PHP magic_quotes_gpc Is Disabled
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
PHP open_basedir Is Not Configured
PHP open_basedir Is Not Configured
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Low
Retired Hash Function in SAML Response
Retired Hash Function in SAML Response
CWE-16
, 
Information
RoR Development Mode Enabled
RoR Development Mode Enabled
CAPEC-214
, 
CWE-16
, 
ISO27001-A.14.1.1
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
PCI v3.2-6.5.5
, 
WASC-14
, 
Low
SameSite Cookie Not Implemented
SameSite Cookie Not Implemented
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
SameSite None Cookie Not Marked as Secure
SameSite None Cookie Not Marked as Secure
CWE-16
, 
ISO27001-A.14.2.5
, 
WASC-15
, 
Best Practice
SAML Response Signature Exclusion
SAML Response Signature Exclusion
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
High
SAML Response Without Signature
SAML Response Without Signature
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
, 
CWE-16
, 
ISO27001-A.14.2.5
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
WASC-15
, 
High
Spring Boot Misconfiguration: Actuator endpoint security disabled
Spring Boot Misconfiguration: Actuator endpoint security disabled
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Spring Boot Misconfiguration: Admin MBean enabled
Spring Boot Misconfiguration: Admin MBean enabled
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed
Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Spring Boot Misconfiguration: Datasource credentials stored in the properties file
Spring Boot Misconfiguration: Datasource credentials stored in the properties file
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Spring Boot Misconfiguration: Developer tools enabled on production
Spring Boot Misconfiguration: Developer tools enabled on production
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Spring Boot Misconfiguration: H2 console enabled
Spring Boot Misconfiguration: H2 console enabled
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Spring Boot Misconfiguration: MongoDB credentials stored in the properties file
Spring Boot Misconfiguration: MongoDB credentials stored in the properties file
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium
Spring Boot Misconfiguration: Overly long session timeout
Spring Boot Misconfiguration: Overly long session timeout
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
, 
CWE-16
, 
OWASP 2013-A5
, 
OWASP 2017-A6
, 
Medium