VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 100 of 401
  • CVE-2017-14430HigSep 13, 2017
    risk 0.49cvss 7.5epss 0.01

    D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allow remote attackers to cause a denial of service (daemon crash) via crafted LAN traffic.

  • CVE-2017-12869HigSep 1, 2017
    risk 0.49cvss 7.5epss 0.02

    The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.

  • CVE-2017-14063HigAug 31, 2017
    risk 0.49cvss 7.5epss 0.03

    Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8…

  • CVE-2017-13767HigAug 30, 2017
    risk 0.49cvss 7.5epss 0.02

    In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation.

  • CVE-2017-12775HigAug 29, 2017
    risk 0.49cvss 7.5epss 0.02

    qa-include/qa-install.php in Question2Answer before 1.7.5 allows remote attackers to create multiple user accounts.

  • CVE-2015-5209HigAug 29, 2017
    risk 0.49cvss 7.5epss 0.09

    Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

  • CVE-2017-13735HigAug 29, 2017
    risk 0.49cvss 7.5epss 0.03

    There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack.

  • CVE-2015-0234HigAug 29, 2017
    risk 0.49cvss 7.5epss 0.01

    Multiple temporary file creation vulnerabilities in pki-core 10.2.0.

  • CVE-2015-1554HigAug 28, 2017
    risk 0.49cvss 7.5epss 0.02

    kgb-bot 1.33-2 allows remote attackers to cause a denial of service (crash).

  • CVE-2017-13709HigAug 27, 2017
    risk 0.49cvss 7.5epss 0.01

    In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger subsystem allows one to overwrite any file via a resource that affects the contents of the global Property Tree.

  • CVE-2017-13692HigAug 25, 2017
    risk 0.49cvss 7.5epss 0.01

    In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows attackers to cause a denial of service (Segmentation Fault), as demonstrated by an invalid ISALNUM argument.

  • CVE-2017-12784HigAug 21, 2017
    risk 0.49cvss 7.5epss 0.02

    In Youngzsoft CCFile (aka CC File Transfer) 3.6, by sending a crafted HTTP request, it is possible for a malicious user to remotely crash the affected software. No authentication is required. An example payload is a malformed request header with many '|' characters. NOTE: some…

  • CVE-2017-12961HigAug 18, 2017
    risk 0.49cvss 7.5epss 0.01

    There is an assertion abort in the function parse_attributes() in data/sys-file-reader.c of the libpspp library in GNU PSPP before 1.0.1 that will lead to remote denial of service.

  • CVE-2016-4456HigAug 8, 2017
    risk 0.49cvss 7.5epss 0.02

    The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem.

  • CVE-2017-9938HigAug 8, 2017
    risk 0.49cvss 7.5epss 0.03

    A vulnerability was discovered in Siemens SIMATIC Logon (All versions before V1.6) that could allow specially crafted packets sent to the SIMATIC Logon Remote Access service on port 16389/tcp to cause a Denial-of-Service condition. The service restarts automatically.

  • CVE-2015-7692HigAug 7, 2017
    risk 0.49cvss 7.5epss 0.07

    The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

  • CVE-2015-7691HigAug 7, 2017
    risk 0.49cvss 7.5epss 0.07

    The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for…

  • CVE-2017-9801HigAug 7, 2017
    risk 0.49cvss 7.5epss 0.06

    When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

  • CVE-2017-6763HigAug 7, 2017
    risk 0.49cvss 7.5epss 0.02

    A vulnerability in the implementation of the H.264 protocol in Cisco Meeting Server (CMS) 2.1.4 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability exists because the affected application does not…

  • CVE-2017-1460HigJul 31, 2017
    risk 0.49cvss 7.5epss 0.01

    IBM i OSPF 6.1, 7.1, 7.2, and 7.3 is vulnerable when a rogue router spoofs its origin. Routing tables are affected by a missing LSA, which may lead to loss of connectivity. IBM X-Force ID: 128379.