InfoSecBulletin Cybersecurity for mankind
MITRE identified Cross-site scripting as the most critical software flaw in its recent published report of the past year. The nonprofit published its latest ranking of the Top 25 Most Dangerous Software Weaknesses on November 20, highlighting critical flaws from the Common Weakness Enumeration (CWEs) catalog between June 2023 and June 2024.
CWE is a list of common software weaknesses in code, design, or architecture that can lead to vulnerabilities, which are cataloged in the CVE database.
NVIDIA Releases Security Update For GPU Driver Vulnerabilities
‘SessionShark’ ToolKit Bypasses Microsoft Office 365 MFA
159 CVEs Exploited in Q1 2025 : 28.3% Within 24 Hours of Disclosure
NVIDIA NeMo Framework Vuln Allow Attackers RCE
Cisco Issued Urgent Security Advisories For Multiple Products
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
MITRE reviewed 31,770 CVEs from 2023 and 2024 to determine the criticality level of software weaknesses that needed re-mapping analysis.
MITRE assigned scores to each weakness based on severity and how often they are exploited, particularly focusing on security flaws in the CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Cross-site scripting, or CWE-79, ranked first this year with a score of 56.92 and three known exploited vulnerabilities. It replaced last year’s most dangerous CWE, ‘Out-of-bounds Write’ (CWE-787), which had 18 known exploited vulnerabilities and a score of 45.20.
SQL Injection, or ‘Improper Neutralization of Special Elements used in an SQL Command’ (CWE-89), ranks third with a score of 35.88 and has four known exploited vulnerabilities.
MITRE stated that the ranking is a useful resource for developers and security professionals and acts as a strategic guide for organizations looking to make informed decisions about software, security, and risk management investments.
“Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle,” the organization added.
The nonprofit works with CISA on the CVE and CWE programs. CISA regularly issues alerts highlighting common software vulnerabilities, despite effective solutions being available.
