Cross-site scripting has been identified as the most critical software flaw of the past year, according to a recent report from MITRE.
The nonprofit’s latest Top 25 Most Dangerous Software Weaknesses ranking was published on November 20. It covers the most critical flaws listed in the Common Weakness Enumeration (CWEs) catalog between June 2023 and June 2024.
CWEs, The Root Causes of Vulnerabilities
CWE is a list of common software weaknesses or flaws in code, design, or architecture that can lead to vulnerabilities – themselves listed in the Common Vulnerabilities and Exposures (CVE) database.
CWEs are the root causes of these vulnerabilities and “serve as a powerful guide for investments, policies and practices to prevent these vulnerabilities from occurring in the first place,” MITRE said in a blog post accompanying the ranking.
"Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.”
To define software weaknesses’ criticality level, MITRE analyzed 31,770 CVEs reported across 2023 and 2024 for vulnerabilities that "would benefit from re-mapping analysis."
MITRE then attributed a score to each weakness based on its severity and the frequency of in-the-wild exploits – with a focus on security flaws added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
2024’s Most Dangerous CWEs
This year, cross-site scripting, also known as ‘Improper Neutralization of Input During Web Page Generation’ (CWE-79) took the first place, with a score of 56.92 and three associated known exploited vulnerabilities.
It replaced last year’s most dangerous CWE, ‘Out-of-bounds Write’ (CWE-787), which ranked second with 18 associated known exploited vulnerabilities but a score of 45.20.
SQL Injection, also known as ‘Improper Neutralization of Special Elements used in an SQL Command’ (CWE-89) remains in third position, with a score of 35.88 and four associated known exploited vulnerabilities.
Strategic Guide to Make Decisions in Software Investment
MITRE said the ranking is not only a valuable resource for developers and security professionals, but it also serves as a strategic guide for organizations aiming to make informed decisions in software, security and risk management investments.
"Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle,” the organization added.
The nonprofit collaborates closely with CISA to run the CVE and CWE programs.
CISA also frequently issues ‘Secure by Design’ alerts to emphasize the persistent presence of well-documented and widely recognized vulnerabilities in software despite the availability of effective mitigations.
Read more: CISA's Jack Cable Discusses US Push for More Secure Software