3 - Vulnerabilities & Assessment for best viewing this tab should be set at a size of 75%
NOTE: Assessments from basic security checklists to in-depth penetration testing are offered by virtually all of the vendors under Tab 1 - Research Groups
return to main National Vulnerability Database https://nvd.nist.gov/ https://nvd.nist.gov/vuln/search contains >150,000 known vulnerabilites in hardware & software
Google 0-day Tracking Worksheet - vulnerabilities detected in attacks https://googleprojectzero.blogspot.com/p/0day.html
DHS CISA Alerts & other products https://us-cert.cisa.gov/ncas/alerts
MITRE Common Vulnerabilies and Exposures https://cve.mitre.org/ focus on metric/rating of severity ranging from 0 - 10 least to most severe
MITRE Common Weakness Enumeration https://cwe.mitre.org/
Bugtraq https://www.securityfocus.com/
Bitsight https://www.bitsight.com/ provide ratings from 250-900 on 20 categories of cyber security
Security Scorecard
Shodan https://www.shodanhq.com
Nessus Vulnerability Scanner Scripting Language Plugins https://www.tenable.com/plugins for use with Nessus vulnerability scanner to identify specific characteristics of a vulnerability
nMap Nmap Scripting Engine Library https://nmap.org/book/nse.html https://nmap.org/book/nse-library.html#nse-library-list for use with nMap network mapper to identify specific characteristics of a vulnerability
Einstein Continuous Monitoring https://www.cisa.gov/publication/einstein-3-accelerated
DoD HBSS https://en.wikipedia.org/wiki/Host_Based_Security_System
See Attack Analyses Tab for links to Malware & packaged exploits
DHS Computer Security Evaluation Tool (CSET) Assessment  https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET
Pacific National Lab Industrial Control Systems Assessment Tool https://facilitycyber.labworks.org/assessments/fcf1.1
Google Open Source Vulnerabilities https://osv.dev/
2022 Software Common Weaknesses Enumeration (CWE) Top 25, including the overall score of each. 2020 Software Common Weaknesses Enumeration (CWE) Top 25, including the overall score of each. 2019 Software Common Weaknesses Enumeration (CWE) Top 25, including the overall score of each.
SOURCE: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html SOURCE: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html Source: https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html 
Rank ID Name Score Rank ID Name Score Rank ID Name Score
1 CWE-787 Out-of-bounds Write 64.2 [1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 46.82 [1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 75.56
2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 45.97 [2] CWE-787 Out-of-bounds Write 46.17 [2] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 45.69
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 22.11 [3] CWE-20 Improper Input Validation 33.47 [3] CWE-20 Improper Input Validation 43.61
4 CWE-20 Improper Input Validation 20.63 [4] CWE-125 Out-of-bounds Read 26.5 [4] CWE-200 Information Exposure 32.12
5 CWE-125 Out-of-bounds Read 17.67 [5] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 23.73 [5] CWE-125 Out-of-bounds Read 26.53
6 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 17.53 [6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 20.69 [6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 24.54
7 CWE-416 Use After Free 15.5 [7] CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 19.16 [7] CWE-416 Use After Free 17.94
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 14.08 [8] CWE-416 Use After Free 18.87 [8] CWE-190 Integer Overflow or Wraparound 17.35
9 CWE-352 Cross-Site Request Forgery (CSRF) 11.53 [9] CWE-352 Cross-Site Request Forgery (CSRF) 17.29 [9] CWE-352 Cross-Site Request Forgery (CSRF) 15.54
10 CWE-434 Unrestricted Upload of File with Dangerous Type 9.56 [10] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 16.44 [10] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 14.10
11 CWE-476 NULL Pointer Dereference 7.15 [11] CWE-190 Integer Overflow or Wraparound 15.81 [11] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 11.47
12 CWE-502 Deserialization of Untrusted Data 6.68 [12] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 13.67 [12] CWE-787 Out-of-bounds Write 11.08
13 CWE-190 Integer Overflow or Wraparound 6.53 [13] CWE-476 NULL Pointer Dereference 8.35 [13] CWE-287 Improper Authentication 10.78
14 CWE-287 Improper Authentication 6.35 [14] CWE-287 Improper Authentication 8.17 [14] CWE-476 NULL Pointer Dereference 9.74
15 CWE-798 Use of Hard-coded Credentials 5.66 [15] CWE-434 Unrestricted Upload of File with Dangerous Type 7.38 [15] CWE-732 Incorrect Permission Assignment for Critical Resource 6.33
16 CWE-862 Missing Authorization 5.53 [16] CWE-732 Incorrect Permission Assignment for Critical Resource 6.95 [16] CWE-434 Unrestricted Upload of File with Dangerous Type 5.50
17 CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 5.42 [17] CWE-94 Improper Control of Generation of Code ('Code Injection') 6.53 [17] CWE-611 Improper Restriction of XML External Entity Reference 5.48
18 CWE-306 Missing Authentication for Critical Function 5.15 [18] CWE-522 Insufficiently Protected Credentials 5.49 [18] CWE-94 Improper Control of Generation of Code ('Code Injection') 5.36
19 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 4.85 [19] CWE-611 Improper Restriction of XML External Entity Reference 5.33 [19] CWE-798 Use of Hard-coded Credentials 5.12
20 CWE-276 Incorrect Default Permissions 4.84 [20] CWE-798 Use of Hard-coded Credentials 5.19 [20] CWE-400 Uncontrolled Resource Consumption 5.04
21 CWE-918 Server-Side Request Forgery (SSRF) 4.27 [21] CWE-502 Deserialization of Untrusted Data 4.93 [21] CWE-772 Missing Release of Resource after Effective Lifetime 5.04
22 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 3.57 [22] CWE-269 Improper Privilege Management 4.87 [22] CWE-426 Untrusted Search Path 4.40
23 CWE-400 Uncontrolled Resource Consumption 3.56 [23] CWE-400 Uncontrolled Resource Consumption 4.14 [23] CWE-502 Deserialization of Untrusted Data 4.30
24 CWE-611 Improper Restriction of XML External Entity Reference 3.38 [24] CWE-306 Missing Authentication for Critical Function 3.85 [24] CWE-269 Improper Privilege Management 4.23
25 CWE-94 Improper Control of Generation of Code ('Code Injection') 3.32 [25] CWE-862 Missing Authorization 3.77 [25] CWE-295 Improper Certificate Validation 4.06
  BACK TO TOP