Common Weakness Enumeration (CWE™)

Quality Clouds' rules are based on and link to industry standards. CWE is one of these standards in the area of security.

About CWE

Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weakness types that have security ramifications.
Weaknesses are flaws, faults, bugs, vulnerabilities, or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks, or hardware being vulnerable to attack.
The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.

CWE in Quality Clouds rules

Quality Clouds security rules link to the following CWE weaknesses:

CWE ID	Title	Quality Clouds rules
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	Salesforce: Protection against reflected cross-site scripting attacks is disabled The browser is not prevented from inferring the MIME type from the document content and from executing malicious files
CWE-95	Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)	Salesforce: Avoid Formula Fields with JavaScript code ServiceNow: Business Rules using eval function JavaScript - Avoid use of Function Constructors JavaScript - Avoid use of Function Constructors - UI Policy scriptTrue JavaScript - Avoid use of Function Constructors - UI Policy scriptFalse JavaScript - Avoid use of Function Constructors - Catalog UI Policy scriptTrue JavaScript - Avoid use of Function Constructors - Catalog UI Policy scriptFalse
CWE-150	Improper Neutralization of Escape	ServiceNow: Anti-CSRF Token setting should be enabled "Allow Javascript tags in Embedded HTML" property should be disabled Old UI enabled or being used HTML Sanitizer property should be enabled Client Generated Scripts Sandbox should be enabled Enable AJAXEvaluate should be disabled Escape XML should be enabled Escape Jelly should be enabled Escape Jelly should be enabled
CWE-259	Use of Hard-coded Password	Salesforce Avoid hardcoded credentials used in requests to an endpoint ServiceNow: Possible use of private data Possible use of private data - UI Policy scriptTrue Possible use of private data - UI Policy scriptFalse Possible use of private data - Catalog UI Policy scriptTrue Possible use of private data - Catalog UI Policy scriptFalse
CWE-284	Improper Access Control	Salesforce Classes should explicitly declare a sharing mode if DML methods are used Redirects to user-controlled locations should be avoided Accessing endpoints over unencrypted http should be avoided Avoid using untrusted / unescaped variables in DML queries The trusted IP range is too wide The IP addresses in Login IP Ranges are enforced only when a user logs in Visualforce, Salesforce sites, or Communities must use HTTPS Prevent Unauthorized used of session ID HTTPS is not required to log in to or access Salesforce ServiceNow: High Security Settings plugin disabled Contextual Security Plugin disabled The "Security Manager" System Property is set to "Allow Access"
CWE-311	Missing Encryption of Sensitive Data	Salesforce: Randomly generated IVs and keys should be used for Crypto calls ServiceNow: JavaScript - Avoid making connections on unsafe protocols JavaScript - Avoid making connections on unsafe protocols - UI Policy scriptTrue JavaScript - Avoid making connections on unsafe protocols - UI Policy scriptFalse JavaScript - Avoid making connections on unsafe protocols - Catalog UI Policy scriptTrue JavaScript - Avoid making connections on unsafe protocols - Catalog UI Policy scriptFalse
CWE-327	Use of a Broken or Risky Cryptographic Algorithm	ServiceNow: SSLv2/SSLv3 should be disabled
CWE-352	Cross-Site Request Forgery (CSRF)	Salesforce: Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled
CWE-477	Use of Obsolete Function
CWE-489	Leftover Debug Code	ServiceNow: JavaScript - Avoid use of debugger statements JavaScript - Avoid use of debugger statements - UI Policy scriptTrue JavaScript - Avoid use of debugger statements - UI Policy scriptFalse JavaScript - Avoid use of debugger statements - Catalog UI Policy scriptTrue JavaScript - Avoid use of debugger statements - Catalog UI Policy scriptFalse
CWE-512	Spyware	Possible extra-sensitive PII usage in configuration element - Gender Possible extra-sensitive PII usage in configuration element - Religion Possible PII usage in configuration element - Passport Possible PII usage in configuration element - Nationality Possible PII usage in configuration element - Email Possible PII usage in configuration element - Address Salesforce: Clickjack protection for non-setup Salesforce pages is disabled Clickjack protection for setup pages is disabled Clickjack protection for customer Visualforce pages with standard headers turned on is disabled ServiceNow: Possible extra-sensitive PII usage in table column - Religion Possible extra-sensitive PII usage in table column - Gender Possible PII usage in table column - Passport Possible PII usage in table column - Nationality Possible PII usage in table column - Email Possible PII usage in table column - Address
CWE-521	Weak Password Requirements	Salesforce: Password policy complexity too weak - No restrictions Password Policy Expiration too weak - Non-expiring passwords Password Policy Expiration too weak - Password lifetime over 90 days Password Policy Repetition too weak Password Policy Max Login Attempts too wide Password Policy Minimum Password Length too weak Password Policy Expiration too weak - Never Password Policy Expiration too weak - Six months Password Policy Expiration too weak - One year Password Policy Max Login Attempts - Unlimited Password Policy: Obfuscate the Secret Answer for password resets Password Policy Password Hint contains password Password Policy: Password question requirement set to None Password policy complexity too weak - Alphanumeric restriction only Session Policy - Enable Content Security Policy Password Policy: Obfuscate the Secret Answer
CWE-525	Use of Web Browser Cache Containing Sensitive Information.	ServiceNow: The "glide.login.autocomplete" System Property is set to true
CWE-539	Information Exposure Through Persistent cookies	ServiceNow: JavaScript - Avoid use of WebDB JavaScript - Avoid use of WebDB - UI Policy scriptTrue JavaScript - Avoid use of WebDB - UI Policy scriptFalse JavaScript - Avoid use of WebDB - Catalog UI Policy scriptTrue JavaScript - Avoid use of WebDB - Catalog UI Policy scriptFalse Javascript - Avoid use of local storage on Client Scripts Javascript - Avoid use of local storage on Catalog Client Scripts
CWE-613	Insufficient Session Expiration	Salesforce: Inactivity Time Warning There is no sessions time out for inactive users
CWE-862	Missing Authorization	ServiceNow: Basic Auth SOAP Requests setting should be enabled Script Request Authorization should be enabled CSV Request Authorization should be enabled Java Package Collection mode and Collection mode override properties should be disabled "Check UI Action Conditions check before Execution" should be enabled AJAXGlideRecord ACL Checking should be enabled SOAP Request Strict Security should be enabled
CWE-1004	Sensitive Cookie Without HttpOnly Flag	ServiceNow: Cookies - HTTP Only should be enabled
CWE-1021	Improper Restriction of Rendered UI Layers or Frames	Salesforce Cross-domain session information is exchanged using a GET request instead of a POST request ServiceNow: JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - UI Policy scriptTrue JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - UI Policy scriptFalse JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - Catalog UI Policy scriptTrue JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - Catalog UI Policy scriptFalse
CWE-1177	Use of Prohibited Code

Common Weakness Enumeration (CWE™)

About CWE

CWE in Quality Clouds rules

What's here

Related content