The American organization MITRE has published its list of the most widespread and critical vulnerabilities in software, many of which are easy to find and can be exploited by cybercriminals.
The 2021 edition of the Top 25 Most Dangerous Software Weaknesses study details the most common and important security issues.
The list is based on data published in the Common Vulnerabilities and Exposures (CVE) catalogue, as well as data from the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST) and the Common Vulnerability Scoring System (CVSS) scores of the CVEs.
Topping the list with the highest score is CWE-787: Out-of-bounds Write, a vulnerability in which software writes past the end, or before the start, of the intended buffer. Like many of the vulnerabilities on the list, it can lead to data corruption and system crashes, and can give attackers the possibility to execute code.
“These vulnerabilities are dangerous because they are often easy to find, exploit and can allow adversaries to take complete control of a system, steal data or prevent an application from functioning,” MITRE said in a blog post.
The MITRE Corporation is an American nonprofit organization that also created the MITRE ATT&CK framework, a globally accessible database of adversary tactics and techniques based on real-world observations.
The second entry on the list is CWE-79: Improper Neutralization of Input During Web Page Generation, a cross-site scripting (XSS) vulnerability in which user input is not properly neutralized before it is placed on a web page. This allows attackers to inject malicious scripts that can steal sensitive information and send other malicious requests, especially if they succeed in gaining administrator privileges.
The third entry on the list is CWE-125: Out-of-bounds Read, a vulnerability that can allow attackers to read sensitive information from other memory locations or cause a crash.
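To make CWE-787 (out-of-bounds write) and CWE-125 (out-of-bounds read) concrete, here is an added example that is not part of the article or of MITRE's material: a small parser for a constructed length-prefixed record, shown first in the unchecked form that exhibits both weaknesses and then in a hardened form that validates the attacker-controlled length against the real size of the source message and the destination buffer. The record format, function names and sample messages are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* destination buffer size, including the terminator */

/* Unchecked form (CWE-787 and CWE-125 in one function): the length byte
 * inside the message is trusted, so a record claiming 200 bytes would read
 * past the end of msg and write past the end of out[]. Shown for contrast
 * only; it is not exercised on hostile input below. */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX]) {
    (void)msg_len;             /* the real message length is ignored */
    size_t n = msg[0];
    memcpy(out, msg + 1, n);   /* n is unbounded: out-of-bounds read and write */
    out[n] = '\0';
    return (int)n;
}

/* Hardened form: every index derived from untrusted input is checked
 * against the actual sizes of both the source and the destination.
 * Returns the copied length, or -1 if the record is rejected. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX]) {
    if (msg == NULL || msg_len < 1)
        return -1;             /* no length byte present to read */
    size_t n = msg[0];
    if (n > msg_len - 1)
        return -1;             /* would read past msg (CWE-125) */
    if (n > NAME_MAX - 1)
        return -1;             /* would write past out (CWE-787) */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char name[NAME_MAX];
    /* constructed sample records: a well-formed one and a hostile length byte */
    const uint8_t good[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t evil[] = { 200, 'x', 'x', 'x' };
    int rc = parse_name_checked(good, sizeof good, name);
    printf("good -> %d (%s)\n", rc, name);
    printf("evil -> %d\n", parse_name_checked(evil, sizeof evil, name));
    return 0;
}
```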
While many vulnerabilities are potentially very damaging if discovered and exploited by cybercriminals, weaknesses can often be addressed, especially for those for which a security patch is available. Applying security patches to fix known vulnerabilities is one of the key steps organizations can take to protect their networks from cyber attacks and intrusions.
The CWE 2021 Top 25 uses NVD data from the years 2019 and 2020, which consists of approximately 32,500 CVEs associated with a vulnerability. The full list is available on the CWE website.