CCI-001310
Checks the validity of organization-defined information inputs to the system.
1
Rule
Severity: Medium
The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.
1
Rule
Severity: Medium
Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
The ALG must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
The application server must check the validity of all data inputs to the management interface, except those specifically identified by the organization.
2
Rule
Severity: High
The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
2
Rule
Severity: Medium
The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
2
Rule
Severity: High
The application must protect from command injection.
2
Rule
Severity: Medium
The application must protect from canonical representation vulnerabilities.
2
Rule
Severity: Medium
The application must validate all input.
2
Rule
Severity: High
The application must not be vulnerable to SQL Injection.
2
Rule
Severity: High
The application must not be vulnerable to XML-oriented attacks.
1
Rule
Severity: Medium
The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
IDMS must check the validity of all data input unless the organization says otherwise.
2
Rule
Severity: Medium
CA IDMS must permit the use of dynamic code execution only in circumstances determined by the organization and limit use of online and batch command facilities from which dynamic statements can be issued.
2
Rule
Severity: Medium
CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.
2
Rule
Severity: Medium
CA IDMS must limit use of the IDMS server for issuing dynamic statements from client applications to circumstances determined by the organization.
2
Rule
Severity: Medium
CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
2
Rule
Severity: Medium
The DNS server implementation must check the validity of all data inputs except those specifically identified by the organization.
1
Rule
Severity: Medium
The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization.
1
Rule
Severity: Medium
DB2 must check the validity of all data inputs except those specifically identified by the organization.
1
Rule
Severity: Medium
DB2 and associated applications must reserve the use of dynamic code execution for situations that require it.
1
Rule
Severity: Medium
DB2 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
2
Rule
Severity: Medium
The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding.
1
Rule
Severity: Medium
When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
2
Rule
Severity: Medium
The Mainframe Product must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
Azure SQL Database must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
The Azure SQL Database and associated applications must reserve the use of dynamic code execution for situations that require it.
2
Rule
Severity: Medium
The Azure SQL Database and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
3
Rule
Severity: Medium
SQL Server must check the validity of all data inputs except those specifically identified by the organization.
3
Rule
Severity: Medium
The DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.
3
Rule
Severity: Medium
The DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
2
Rule
Severity: Medium
The UEM server must check the validity of all data inputs.
4
Rule
Severity: Medium
PostgreSQL must check the validity of all data inputs except those specifically identified by the organization.
4
Rule
Severity: Medium
PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it.
4
Rule
Severity: Medium
PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
2
Rule
Severity: Medium
The DBMS must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
MariaDB must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
MariaDB and associated applications must reserve the use of dynamic code execution for situations that require it.
2
Rule
Severity: Medium
MariaDB and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
3
Rule
Severity: Medium
MongoDB must check the validity of all data inputs except those specifically identified by the organization.
3
Rule
Severity: Medium
MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.
2
Rule
Severity: Medium
Directory Browsing on the IIS 10.0 website must be disabled.
2
Rule
Severity: Medium
Directory Browsing on the IIS 10.0 web server must be disabled.
3
Rule
Severity: Medium
The DBMS must check the validity of data inputs.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must check the validity of all data inputs except those specifically identified by the organization.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 and associated applications must reserve the use of dynamic code execution for situations that require it.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
2
Rule
Severity: Medium
Redis Enterprise DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.
2
Rule
Severity: Medium
Redis Enterprise DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
2
Rule
Severity: Medium
The Automation Controller NGINX web server must limit the character set used for data entry.
2
Rule
Severity: Medium
The VMM must check the validity of all data inputs except those specifically identified by the organization.
1
Rule
Severity: Medium
VAMI must set the encoding for all text Multipurpose Internet Mail Extensions (MIME) types to UTF-8.
1
Rule
Severity: Medium
Performance Charts must set "URIEncoding" to UTF-8.
1
Rule
Severity: Medium
Performance Charts must use the "setCharacterEncodingFilter" filter.
1
Rule
Severity: Medium
ESX Agent Manager must set URIEncoding to UTF-8.
1
Rule
Severity: Medium
ESX Agent Manager must use the "setCharacterEncodingFilter" filter.
1
Rule
Severity: Medium
Lookup Service must set URIEncoding to UTF-8.
1
Rule
Severity: Medium
The Security Token Service must set "URIEncoding" to UTF-8.
1
Rule
Severity: Medium
The Security Token Service must use the "setCharacterEncodingFilter" filter.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must set URIEncoding to UTF-8.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must configure the "setCharacterEncodingFilter" filter.
3
Rule
Severity: Medium
The vCenter Lookup service must set URIEncoding to UTF-8.
3
Rule
Severity: Medium
The vCenter Lookup service must configure the "setCharacterEncodingFilter" filter.
1
Rule
Severity: Medium
vSphere UI must set URIEncoding to UTF-8.
3
Rule
Severity: Medium
The vCenter Perfcharts service must set URIEncoding to UTF-8.
3
Rule
Severity: Medium
The vCenter Perfcharts service must configure the "setCharacterEncodingFilter" filter.
3
Rule
Severity: Medium
The vCenter STS service must set URIEncoding to UTF-8.
3
Rule
Severity: Medium
The vCenter STS service must configure the "setCharacterEncodingFilter" filter.
3
Rule
Severity: Medium
The vCenter UI service must set URIEncoding to UTF-8.
3
Rule
Severity: Medium
The vCenter UI service must configure the "setCharacterEncodingFilter" filter.
3
Rule
Severity: Medium
The vCenter VAMI service must set the encoding for all text mime types to UTF-8.
2
Rule
Severity: Medium
The web server must limit the character set used for data entry.
2
Rule
Severity: Medium
The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.
1
Rule
Severity: Medium
The BIG-IP ASM module must check the validity of all data inputs except those specifically identified by the organization.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to check the validity of all data inputs except those specifically identified by the organization.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must check the validity of all data inputs except those specifically identified by the organization.
1
Rule
Severity: Medium
The web server must interpret and normalize ambiguous HTTP requests or terminate the TCP connection.
1
Rule
Severity: Medium
The web server must terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.