v1.15.1 - 2025-03-11

Added

• Server Security Misconfiguration - Cache Deception - Varies

Other

• Fixed minor issues with deprecated-node-mapping.json file.
• Adding missing issues from deprecated-node-mapping.json file.

v1.15 - 2025-02-12

Added

• Decentralized Application Misconfiguration - Insecure Data Storage - Plaintext Private Key - P1
• Decentralized Application Misconfiguration - Insecure Data Storage - Sensitive Information Exposure - Varies
• Decentralized Application Misconfiguration - Improper Authorization - Insufficient Signature Validation - Varies
• Decentralized Application Misconfiguration - DeFi Security - Flash Loan Attack - Varies
• Decentralized Application Misconfiguration - DeFi Security - Pricing Oracle Manipulation - Varies
• Decentralized Application Misconfiguration - DeFi Security - Function-Level Accounting Error - Varies
• Decentralized Application Misconfiguration - DeFi Security - Improper Implementation of Governance - Varies
• Decentralized Application Misconfiguration - Marketplace Security - Signer Account Takeover - P1
• Decentralized Application Misconfiguration - Marketplace Security - Unauthorized Asset Transfer - P1
• Decentralized Application Misconfiguration - Marketplace Security - Orderbook Manipulation - P1
• Decentralized Application Misconfiguration - Marketplace Security - Malicious Order Offer - P2
• Decentralized Application Misconfiguration - Marketplace Security - Price or Fee Manipulation - P2
• Decentralized Application Misconfiguration - Marketplace Security - OFAC Bypass - P3
• Decentralized Application Misconfiguration - Marketplace Security - Improper Validation and Checks For Deposits and Withdrawals - Varies
• Decentralized Application Misconfiguration - Marketplace Security - Miscalculated Accounting Logic - Varies
• Decentralized Application Misconfiguration - Marketplace Security - Denial of Service - Varies
• Decentralized Application Misconfiguration - Protocol Security Misconfiguration - Node-level Denial of Service - P1
• Protocol Specific Misconfiguration - Frontrunning-Enabled Attack - P2
• Protocol Specific Misconfiguration - Sandwich-Enabled Attack - P2
• Protocol Specific Misconfiguration - Misconfigured Staking Logic - Varies
• Protocol Specific Misconfiguration - Improper Validation and Finalization Logic - Varies
• Smart Contract Misconfiguration - Reentrancy Attack - P1
• Smart Contract Misconfiguration - Smart Contract Owner Takeover - P1
• Smart Contract Misconfiguration - Uninitialized Variables - P1
• Smart Contract Misconfiguration - Unauthorized Transfer of Funds - P1
• Smart Contract Misconfiguration - Integer Overflow / Underflow - P2
• Smart Contract Misconfiguration - Unauthorized Smart Contract Approval - P2
• Smart Contract Misconfiguration - Irreversible Function Call - P3
• Smart Contract Misconfiguration - Function-level Denial of Service - P3
• Smart Contract Misconfiguration - Malicious Superuser Risk - P3
• Smart Contract Misconfiguration - Improper Fee Implementation - P3
• Smart Contract Misconfiguration - Improper Use of Modifier - P4
• Smart Contract Misconfiguration - Improper Decimals Implementation - P4
• Smart Contract Misconfiguration - Inaccurate Rounding Calculation - Varies
• Smart Contract Misconfiguration - Bypass of Function Modifiers & Checks - Varies
• Zero Knowledge Security Misconfiguration - Missing Constraint - Varies
• Zero Knowledge Security Misconfiguration - Mismatching Bit Lengths - Varies
• Zero Knowledge Security Misconfiguration - Misconfigured Trusted Setup - Varies
• Zero Knowledge Security Misconfiguration - Missing Range Check - Varies
• Zero Knowledge Security Misconfiguration - Improper Proof Validation and Finalization Logic - P1
• Zero Knowledge Security Misconfiguration - Deanonymization of Data - P1
• Blockchain Infrastructure Misconfiguration - Improper Bridge Validation and Verification Logic - Varies
• Broken Authentication and Session Management - SAML Replay - P5

Changed

FROM:

• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Iterable Object Identifiers - P1
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers - P2
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers - P3
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID) - P4
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information - P5

TO:

• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Iterable Object Identifiers) - P1
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify Sensitive Information(Iterable Object Identifiers) - P2
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Sensitive Information(Iterable Object Identifiers) - P3
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID) - P4
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Non-Sensitive Information - P5

Other

• CVSS Score correction for Server Security Misconfiguration - Mail Server Misconfiguration - Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain - P4.
• All JSONs, i.e., VRT and its mapping JSONs are now alphabetically sorted.
• Internal library changes to add a new helper script that aids in sorting the JSONs.

v1.14.2 - 2024-10-25

Removed

• Server Security Misconfiguration - Misconfigured DNS - High Impact Subdomain Takeover: P2

Changed

From:

• Server Security Misconfiguration - Misconfigured DNS - Basic Subdomain Takeover: P3

To:

• Server Security Misconfiguration - Misconfigured DNS - Subdomain Takeover: P3

v1.14.1 - 2024-07-18

Changed

• vulnerability-rating-taxononomy.json correction

v1.14 - 2024-07-09

Added

• Server Security Misconfiguration - Email verification bypass - P5
• Server Security Misconfiguration - Missing Subresource Integrity - P5
• Sensitive Data Exposure - Token Leakage via Referer - Password Reset Token - P5
• Server Security Misconfiguration - Software Package Takeover - VARIES
• Broken Access Control (BAC) - Privilege Escalation - VARIES
• Data Biases - Representation Bias - VARIES
• Data Biases - Pre-existing Bias - VARIES
• Algorithmic Biases - Processing Bias - VARIES
• Algorithmic Biases - Aggregation Bias - VARIES
• Societal Biases - Confirmation Bias - VARIES
• Societal Biases - Systemic Bias - VARIES
• Misinterpretation Biases - Context Ignorance - VARIES
• Developer Biases - Implicit Bias - VARIES

Removed

• Broken Authentication and Session Management - Privilege Escalation - VARIES

v1.13 - 2024-04-02

Added

• Physical Security Issues - Bypass of physical access control - VARIES
• Physical Security Issues - Weakness in physical access control - Clonable Key - VARIES
• Physical Security Issues - Weakness in physical access control - Master Key Identification - VARIES
• Physical Security Issues - Weakness in physical access control - Commonly Keyed System - P2
• Insecure OS/Firmware - Weakness in Firmware Updates - Firmware cannot be updated - VARIES
• Insecure OS/Firmware - Weakness in Firmware Updates - Firmware does not validate update integrity- P3
• Insecure OS/Firmware - Weakness in Firmware Updates - Firmware is not encrypted- P5
• Insecure OS/Firmware - Kiosk Escape or Breakout - VARIES
• Insecure OS/Firmware - Poorly Configured Disk Encryption - VARIES
• Insecure OS/Firmware - Shared Credentials on Storage - P3
• Insecure OS/Firmware - Over-Permissioned Credentials on Storage - P2
• Insecure OS/Firmware - Local Administrator on default environment - P2
• Insecure OS/Firmware - Poorly Configured Operating System Security - VARIES
• Insecure OS/Firmware - Recovery of Disk Contains Sensitive Material - VARIES
• Insecure OS/Firmware - Failure to Remove Sensitive Artifacts from Disk - VARIES
• Insecure OS/Firmware - Data not encrypted at rest - Sensitive - VARIES
• Insecure OS/Firmware - Data not encrypted at rest - Non sensitive - P5

v1.12 - 2023-12-18

Added

• Application Level DoS - Excessive Resource Consumption - Injection (Prompt) - VARIES
• AI Application Security - Large Language Model (LLM) Security - Prompt Injection - P1
• AI Application Security - Large Language Model (LLM) Security - LLM Output Handling - P1
• AI Application Security - Large Language Model (LLM) Security - Training Data Poisoning - P1
• AI Application Security - Large Language Model (LLM) Security - Excessive Agency/Permission Manipulation - P2

v1.11 - 2023-11-20

Added

• Sensitive Data Exposure - Disclosure of Secrets - PII Leakage/Exposure: VARIES
• Server-Side Injection - Content Spoofing - HTML Content Injection: P5
• Broken Authentication and Session Management - Failure to invalidate session - Permission change: VARIES
• Server Security Misconfiguration - Request Smuggling: VARIES
• Server-Side Injection - LDAP Injection: VARIES
• Cryptographic Weakness - Insufficient Entropy - Limited Random Number Generator (RNG) Entropy Source: P4
• Cryptographic Weakness - Insufficient_Entropy - Use of True Random Number Generator (TRNG) for Non-Security Purpose: P5
• Cryptographic Weakness - Insufficient_Entropy - Pseudo-Random Number Generator (PRNG) Seed Reuse: P5
• Cryptographic Weakness - Insufficient_Entropy - Predictable Pseudo-Random Number Generator (PRNG) Seed: P4
• Cryptographic Weakness - Insufficient_Entropy - Small Seed Space in Pseudo-Random Number Generator (PRNG): P4
• Cryptographic Weakness - Insufficient_Entropy - Initialization Vector (IV) Reuse: P5
• Cryptographic Weakness - Insufficient_Entropy - Predictable Initialization Vector (IV): P4
• Cryptographic Weakness - Insecure Implementation - Missing Cryptographic Step: VARIES
• Cryptographic Weakness - Insecure Implementation - Improper Following of Specification (Other): VARIES
• Cryptographic Weakness - Weak Hash - Lack of Salt: VARIES
• Cryptographic Weakness - Weak Hash - Use of Predictable Salt: P5
• Cryptographic Weakness - Weak Hash - Predictable Hash Collision: VARIES
• Cryptographic Weakness - Insufficient Verification of Data Authenticity - Integrity Check Value (ICV): P4
• Cryptographic Weakness - Insufficient Verification of Data Authenticity - Cryptographic Signature: VARIES
• Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Prime Selection: VARIES
• Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Exponent Selection: VARIES
• Cryptographic Weakness - Insecure Key Generation - Insufficient Key Stretching: VARIES
• Cryptographic Weakness - Insecure Key Generation - Insufficient Key Space: P3
• Cryptographic Weakness - Insecure Key Generation - Key Exchage Without Entity Authentication: P3
• Cryptographic Weakness - Key Reuse - Lack of Perfect Forward Secrecy: P4
• Cryptographic Weakness - Key Reuse - Intra-Environment: P5
• Cryptographic Weakness - Key Reuse - Inter-Environment: P2
• Cryptographic Weakness - Side-Channel Attack - Padding Oracle Attack: P4
• Cryptographic Weakness - Side-Channel Attack - Timing Attack: P4
• Cryptographic Weakness - Side-Channel Attack - Power Analysis Attack: P5
• Cryptographic Weakness - Side-Channel Attack - Emanations Attack: P5
• Cryptographic Weakness - Side-Channel Attack - Differential Fault Analysis: VARIES
• Cryptographic Weakness - Use of Expired Cryptographic Key (or Certificate): P4
• Cryptographic Weakness - Incomplete Cleanup of Keying Material: P5
• Cryptographic Weakness - Broken Cryptography - Use of Broken Cryptographic Primitive: P3
• Cryptographic Weakness - Broken Cryptography - Use of Vulnerable Cryptographic Library: P4
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information: P5
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/GUID/Complex Object Identifiers: P4
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers: P3
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers: P2
• Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information (PII)/Iterable Object Identifier: P1

Changed

FROM:

• Cross-Site Scripting (XSS) - IE-Only - Older Version (< IE11): P5

TO:

• Cross-Site Scripting (XSS) - IE-Only: P5

FROM:

• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External: P4
• Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only : P5

TO:

• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low impact: P5
• Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only: P5

FROM:

• Automotive Security Misconfiguration - Infotainment, Radio Head Unit - PII Leakage: P1

TO:

• Automotive Security Misconfiguration - Infotainment, Radio Head Unit - Sensitive data Leakage/Exposure: P1

Removed

• Cross-Site Scripting (XSS) - IE-Only - IE11: P4
• Cross-Site Scripting (XSS) - XSS Filter Disabled: P5
• Broken Cryptography - Cryptographic Flaw - Incorrect Usage: P1

v1.10.1

v1.10.1 - 2021-03-29

Changed

• renamed secure code warriors mapping to secure code warrior

v1.10

v1.10 - 2021-03-18

Added

• insufficient_security_configurability.verification_of_contact_method_not_required
• insufficient_security_configurability.weak_two_fa_implementation.two_fa_code_is_not_updated_after_new_code_is_requested
• insufficient_security_configurability.weak_two_fa_implementation.old_two_fa_code_is_not_invalidated_after_new_code_is_generated
• broken_authentication_and_session_management.weak_login_function.over_http
• server_security_misconfiguration.oauth_misconfiguration.account_squatting
• Third-party mapping to Secure Code Warrior trainings
• automotive_security_misconfiguration.can.injection_battery_management_system
• automotive_security_misconfiguration.can.injection_steering_control
• automotive_security_misconfiguration.can.injection_pyrotechnical_device_deployment_tool
• automotive_security_misconfiguration.can.injection_headlights
• automotive_security_misconfiguration.can.injection_sensors
• automotive_security_misconfiguration.can.injection_vehicle_anti_theft_systems
• automotive_security_misconfiguration.can.injection_powertrain
• automotive_security_misconfiguration.can.injection_basic_safety_message
• automotive_security_misconfiguration.battery_management_system
• automotive_security_misconfiguration.battery_management_system.firmware_dump
• automotive_security_misconfiguration.battery_management_system.fraudulent_interface
• automotive_security_misconfiguration.gnss_gps
• automotive_security_misconfiguration.gnss_gps.spoofing
• automotive_security_misconfiguration.immobilizer
• automotive_security_misconfiguration.immobilizer.engine_start
• automotive_security_misconfiguration.abs
• automotive_security_misconfiguration.abs.unintended_acceleration_brake
• automotive_security_misconfiguration.rsu
• automotive_security_misconfiguration.rsu.sybil_attack
• automotive_security_misconfiguration.infotainment_radio_head_unit
• automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage
• automotive_security_misconfiguration.infotainment_radio_head_unit.ota_firmware_manipulation
• automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot
• automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot
• automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services
• automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump
• automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick
• automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials

Removed

• insufficient_security_configurability.lack_of_verification_email
• broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default
• broken_authentication_and_session_management.weak_login_function.http_and_https_available
• broken_authentication_and_session_management.weak_login_function.lan_only
• cross_site_request_forgery_csrf.flash_based.high_impact
• cross_site_request_forgery_csrf.flash_based.low_impact
• automotive_security_misconfiguration.infotainment
• automotive_security_misconfiguration.infotainment.pii_leakage
• automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot
• automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot
• automotive_security_misconfiguration.infotainment.unauthorized_access_to_services
• automotive_security_misconfiguration.infotainment.source_code_dump
• automotive_security_misconfiguration.infotainment.dos_brick
• automotive_security_misconfiguration.infotainment.default_credentials

Changed

• server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_non_sensitive_page updated remediation advice
• server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_sensitive_page updated remediation advice
• cross_site_scripting_xss.flash_based priority changed from P4 to P5
• cross_site_request_forgery_csrf.flash_based priority changed from null to P5 (due to children removal)
• using_components_with_known_vulnerabilities.rosetta_flash priority changed from P4 to P5