SecurityWeek

MITRE Updates List of 25 Most Dangerous Software Vulnerabilities

MITRE has released an updated CWE Top 25 Most Dangerous Software Weaknesses list, with cross-site scripting (XSS) at the top.

The MITRE Corporation has updated its Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, which reflects the latest trends in the cyber threat landscape.

The list provides information on the most common and impactful weaknesses that threat actors exploit in attacks to take over systems, steal sensitive information, and cause disruptions.

Cross-site scripting (XSS) vulnerabilities sit at the top of this year's CWE Top 25 list, up from second place last year, with out-of-bounds write flaws dropping to second.

While SQL injection bugs remained in third place, cross-site request forgery (CSRF), path traversal, and out-of-bounds read defects moved up by five, three, and one place, respectively, to fourth, fifth and sixth, pushing OS command injection and use-after-free issues down to seventh and eighth.

The top 10 is rounded out by missing authorization, which was eleventh last year, and unrestricted file upload, unchanged in tenth place. Code injection, which ranked 23rd in last year's list, landed at 11th in the updated one.

New entries on the 2024 CWE Top 25 list include exposure of sensitive information to an unauthorized actor at 17th, up from 30th last year, and uncontrolled resource consumption at 24th, up from 37th last year. Incorrect default permissions and race condition flaws dropped out of the top 25 most dangerous software weaknesses.
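As an added illustration of the weakness now ranked first on the list, the following example (not code from MITRE, CISA or the article) shows the classic CWE-79 pattern beside its hardened form: a server-side function that interpolates a user-supplied comment straight into HTML, and a version that escapes the characters that can change HTML parsing context. The `renderComment*` functions, the `escapeHtml` helper and the sample comment are all hypothetical, constructed for the demonstration.

```javascript
// Added example illustrating CWE-79 (cross-site scripting), the top entry of the
// 2024 CWE Top 25. Not code from the article or from MITRE/CISA; all names and
// the sample input below are constructed for this demonstration.

// Constructed sample input: a "comment" that carries an event-handler payload.
const userComment = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: untrusted input is interpolated directly into markup, so any
// tags or attributes in it become part of the page the browser renders.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: escape the five characters that can open a tag, close an attribute
// or introduce an entity, so the input is rendered as text, not markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Simple check used to compare the two renderings: does the rendered comment
// body (excluding our own wrapper div) still contain a raw opening tag?
function containsRawTag(html) {
  const body = html
    .replace(/^<div class="comment">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z]/i.test(body);
}

// Stand-alone demonstration of the two outputs.
console.log('unsafe :', renderCommentUnsafe(userComment));
console.log('safe   :', renderCommentSafe(userComment));
console.log('raw tag survives unsafe render?', containsRawTag(renderCommentUnsafe(userComment)));
console.log('raw tag survives safe render?  ', containsRawTag(renderCommentSafe(userComment)));
```

Output escaping is context-specific: the `escapeHtml` shown here is correct for HTML text nodes and double-quoted attribute values, but input placed inside a `<script>` block, a URL, or inline CSS needs the encoding rules for that context instead.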

The US Cybersecurity and Infrastructure Security Agency (CISA), which worked with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, to update the 2024 CWE Top 25, urges organizations to review the list and prioritize these weaknesses in their development and procurement processes.

CISA urges software manufacturers and organizations to adopt Secure by Design practices, apply Secure by Demand guidelines, and incorporate the CWE Top 25 list in their vulnerability management and application security processes.


“By following CISA’s initiatives, organizations can reduce vulnerabilities and strengthen application and infrastructure security. Incorporating the 2024 CWE Top 25 into cybersecurity and procurement strategies will enhance overall resilience,” the agency says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
