VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 12 of 401
  • CVE-2017-18067CriMar 15, 2018
    risk 0.64cvss 9.8epss 0.03

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation while processing an encrypted authentication management frame in lim_send_auth_mgmt_frame() leads to buffer overflow.

  • CVE-2017-12194CriMar 14, 2018
    risk 0.64cvss 9.8epss 0.06

    A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions…

  • CVE-2018-8711CriMar 14, 2018
    risk 0.64cvss 9.8epss 0.02

    A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html…

  • CVE-2018-1000125CriMar 13, 2018
    risk 0.64cvss 9.8epss 0.01

    inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid…

  • CVE-2018-6298CriMar 13, 2018
    risk 0.64cvss 9.8epss 0.04

    Remote code execution in Hanwha Techwin Smartcams

  • CVE-2018-7233CriMar 9, 2018
    risk 0.64cvss 9.8epss 0.02

    A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'model_name' or 'mac_address'.

  • CVE-2018-7232CriMar 9, 2018
    risk 0.64cvss 9.8epss 0.02

    A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'network.ieee8021x.delete_certs'.

  • CVE-2018-7231CriMar 9, 2018
    risk 0.64cvss 9.8epss 0.02

    A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'system.opkg.remove'.

  • CVE-2017-14804CriMar 1, 2018
    risk 0.64cvss 9.9epss 0.02

    The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots.

  • CVE-2015-2081CriFeb 20, 2018
    risk 0.64cvss 9.8epss 0.03

    Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts.

  • CVE-2017-8981CriFeb 15, 2018
    risk 0.64cvss 9.8epss 0.09

    A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0506 was found.

  • CVE-2017-13229CriFeb 12, 2018
    risk 0.64cvss 9.8epss 0.02

    A remote code execution vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. ID: A-68160703.

  • CVE-2018-6476CriJan 31, 2018
    risk 0.64cvss 9.8epss 0.05

    In SUPERAntiSpyware Professional Trial 6.0.1254, the SASKUTIL.SYS driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating input values from IOCtl 0x9C402114 or 0x9C402124 or 0x9C40207c.

  • CVE-2018-5447CriJan 25, 2018
    risk 0.64cvss 9.8epss 0.02

    An Improper Input Validation issue was discovered in Nari PCS-9611 relay. An improper input validation vulnerability has been identified that affects a service within the software that may allow a remote attacker to arbitrarily read/access system resources and affect the…

  • CVE-2017-15697CriJan 23, 2018
    risk 0.64cvss 9.8epss 0.05

    A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade…

  • CVE-2015-9246CriJan 12, 2018
    risk 0.64cvss 9.8epss 0.03

    An issue was discovered in Skybox Platform before 7.5.201. Remote Unauthenticated Code Execution exists via a WAR archive containing a JSP file. The WAR file is sent to /skyboxview-softwareupdate/services/CollectorSoftwareUpdate and the JSP file is reached at…

  • CVE-2017-14914CriDec 5, 2017
    risk 0.64cvss 9.8epss 0.01

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, handles in the global client structure can become stale.

  • CVE-2017-14909CriDec 5, 2017
    risk 0.64cvss 9.8epss 0.01

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a count value that is read from a file is not properly validated.

  • CVE-2017-14908CriDec 5, 2017
    risk 0.64cvss 9.8epss 0.01

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the SafeSwitch test application does not properly validate the number of blocks to verify.

  • CVE-2017-17086CriDec 1, 2017
    risk 0.64cvss 9.8epss 0.01

    Indeo Otter through 1.7.4 mishandles a "" substring in an initial DP payload, which allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact, as demonstrated by the Plan Editor.