The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.