Common Weakness Enumeration (CWE™)


Quality Clouds’ rules are based on and link to industry standards. CWE is one of these standards in the area of security.

About CWE

Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weakness types that have security ramifications. 

Weaknesses are flaws, faults, bugs, vulnerabilities, or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks, or hardware being vulnerable to attack. 

The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.

CWE in Quality Clouds rules

Quality Clouds security rules link to the following CWE weaknesses:

Each entry gives the CWE ID and title, followed by the Quality Clouds rules linked to it, grouped by platform.

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
  (no rules linked)

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  Salesforce:
    - Protection against reflected cross-site scripting attacks is disabled
    - The browser is not prevented from inferring the MIME type from the document content and from executing malicious files

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)
  Salesforce:
    - Avoid Formula Fields with JavaScript code
  ServiceNow:
    - Business Rules using eval function
    - JavaScript – Avoid use of Function Constructors
    - JavaScript – Avoid use of Function Constructors – UI Policy scriptTrue
    - JavaScript – Avoid use of Function Constructors – UI Policy scriptFalse
    - JavaScript – Avoid use of Function Constructors – Catalog UI Policy scriptTrue
    - JavaScript – Avoid use of Function Constructors – Catalog UI Policy scriptFalse

CWE-150: Improper Neutralization of Escape
  ServiceNow:
    - Anti-CSRF Token setting should be enabled
    - “Allow Javascript tags in Embedded HTML” property should be disabled
    - Old UI enabled or being used
    - HTML Sanitizer property should be enabled
    - Client Generated Scripts Sandbox should be enabled
    - Enable AJAXEvaluate should be disabled
    - Escape XML should be enabled
    - Escape Jelly should be enabled

CWE-259: Use of Hard-coded Password
  Salesforce:
    - Avoid hardcoded credentials used in requests to an endpoint
  ServiceNow:
    - Possible use of private data
    - Possible use of private data – UI Policy scriptTrue
    - Possible use of private data – UI Policy scriptFalse
    - Possible use of private data – Catalog UI Policy scriptTrue
    - Possible use of private data – Catalog UI Policy scriptFalse

CWE-284: Improper Access Control
  Salesforce:
    - Classes should explicitly declare a sharing mode if DML methods are used
    - Redirects to user-controlled locations should be avoided
    - Accessing endpoints over unencrypted http should be avoided
    - Avoid using untrusted / unescaped variables in DML queries
    - The trusted IP range is too wide
    - The IP addresses in Login IP Ranges are enforced only when a user logs in
    - Visualforce, Salesforce sites, or Communities must use HTTPS
    - Prevent Unauthorized used of session ID
    - HTTPS is not required to log in to or access Salesforce
  ServiceNow:
    - High Security Settings plugin disabled
    - Contextual Security Plugin disabled
    - The “Security Manager” System Property is set to “Allow Access”

CWE-311: Missing Encryption of Sensitive Data
  Salesforce:
    - Randomly generated IVs and keys should be used for Crypto calls
  ServiceNow:
    - JavaScript – Avoid making connections on unsafe protocols
    - JavaScript – Avoid making connections on unsafe protocols – UI Policy scriptTrue
    - JavaScript – Avoid making connections on unsafe protocols – UI Policy scriptFalse
    - JavaScript – Avoid making connections on unsafe protocols – Catalog UI Policy scriptTrue
    - JavaScript – Avoid making connections on unsafe protocols – Catalog UI Policy scriptFalse

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  ServiceNow:
    - SSLv2/SSLv3 should be disabled

CWE-352: Cross-Site Request Forgery (CSRF)
  Salesforce:
    - Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled
    - Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled

CWE-477: Use of Obsolete Function
  (no rules linked)

CWE-489: Leftover Debug Code
  ServiceNow:
    - JavaScript – Avoid use of debugger statements
    - JavaScript – Avoid use of debugger statements – UI Policy scriptTrue
    - JavaScript – Avoid use of debugger statements – UI Policy scriptFalse
    - JavaScript – Avoid use of debugger statements – Catalog UI Policy scriptTrue
    - JavaScript – Avoid use of debugger statements – Catalog UI Policy scriptFalse

CWE-512: Spyware
    - Possible extra-sensitive PII usage in configuration element – Gender
    - Possible extra-sensitive PII usage in configuration element – Religion
    - Possible PII usage in configuration element – Passport
    - Possible PII usage in configuration element – Nationality
    - Possible PII usage in configuration element – Email
    - Possible PII usage in configuration element – Address
  Salesforce:
    - Clickjack protection for non-setup Salesforce pages is disabled
    - Clickjack protection for setup pages is disabled
    - Clickjack protection for customer Visualforce pages with standard headers turned on is disabled
  ServiceNow:
    - Possible extra-sensitive PII usage in table column – Religion
    - Possible extra-sensitive PII usage in table column – Gender
    - Possible PII usage in table column – Passport
    - Possible PII usage in table column – Nationality
    - Possible PII usage in table column – Email
    - Possible PII usage in table column – Address

CWE-521: Weak Password Requirements
  Salesforce:
    - Password policy complexity too weak – No restrictions
    - Password Policy Expiration too weak – Non-expiring passwords
    - Password Policy Expiration too weak – Password lifetime over 90 days
    - Password Policy Repetition too weak
    - Password Policy Max Login Attempts too wide
    - Password Policy Minimum Password Length too weak
    - Password Policy Expiration too weak – Never
    - Password Policy Expiration too weak – Six months
    - Password Policy Expiration too weak – One year
    - Password Policy Max Login Attempts – Unlimited
    - Password Policy: Obfuscate the Secret Answer for password resets
    - Password Policy Password Hint contains password
    - Password Policy: Password question requirement set to None
    - Password policy complexity too weak – Alphanumeric restriction only
    - Session Policy – Enable Content Security Policy
    - Password Policy: Obfuscate the Secret Answer

CWE-525: Use of Web Browser Cache Containing Sensitive Information
  ServiceNow:
    - The “glide.login.autocomplete” System Property is set to true

CWE-539: Information Exposure Through Persistent Cookies
  ServiceNow:
    - JavaScript – Avoid use of WebDB
    - JavaScript – Avoid use of WebDB – UI Policy scriptTrue
    - JavaScript – Avoid use of WebDB – UI Policy scriptFalse
    - JavaScript – Avoid use of WebDB – Catalog UI Policy scriptTrue
    - JavaScript – Avoid use of WebDB – Catalog UI Policy scriptFalse
    - Javascript – Avoid use of local storage on Client Scripts
    - Javascript – Avoid use of local storage on Catalog Client Scripts

CWE-613: Insufficient Session Expiration
  Salesforce:
    - Inactivity Time Warning
    - There is no sessions time out for inactive users

CWE-862: Missing Authorization
  ServiceNow:
    - Basic Auth SOAP Requests setting should be enabled
    - Script Request Authorization should be enabled
    - CSV Request Authorization should be enabled
    - Java Package Collection mode and Collection mode override properties should be disabled
    - “Check UI Action Conditions check before Execution” should be enabled
    - AJAXGlideRecord ACL Checking should be enabled
    - SOAP Request Strict Security should be enabled

CWE-1004: Sensitive Cookie Without HttpOnly Flag
  ServiceNow:
    - Cookies – HTTP Only should be enabled

CWE-1021: Improper Restriction of Rendered UI Layers or Frames
  Salesforce:
    - Cross-domain session information is exchanged using a GET request instead of a POST request
  ServiceNow:
    - JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging
    - JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – UI Policy scriptTrue
    - JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – UI Policy scriptFalse
    - JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – Catalog UI Policy scriptTrue
    - JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – Catalog UI Policy scriptFalse

CWE-1177: Use of Prohibited Code
  (no rules linked)
Updated on March 21, 2025