CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 12 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-18067 | Cri | 0.64 | 9.8 | 0.03 | Mar 15, 2018 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation while processing an encrypted authentication management frame in lim_send_auth_mgmt_frame() leads to buffer overflow. | ||
| CVE-2017-12194 | Cri | 0.64 | 9.8 | 0.06 | Mar 14, 2018 | A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions… | ||
| CVE-2018-8711 | Cri | 0.64 | 9.8 | 0.02 | Mar 14, 2018 | A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html… | ||
| CVE-2018-1000125 | Cri | 0.64 | 9.8 | 0.01 | Mar 13, 2018 | inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid… | ||
| CVE-2018-6298 | Cri | 0.64 | 9.8 | 0.04 | Mar 13, 2018 | Remote code execution in Hanwha Techwin Smartcams | ||
| CVE-2018-7233 | Cri | 0.64 | 9.8 | 0.02 | Mar 9, 2018 | A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'model_name' or 'mac_address'. | ||
| CVE-2018-7232 | Cri | 0.64 | 9.8 | 0.02 | Mar 9, 2018 | A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'network.ieee8021x.delete_certs'. | ||
| CVE-2018-7231 | Cri | 0.64 | 9.8 | 0.02 | Mar 9, 2018 | A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'system.opkg.remove'. | ||
| CVE-2017-14804 | Cri | 0.64 | 9.9 | 0.02 | Mar 1, 2018 | The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots. | ||
| CVE-2015-2081 | Cri | 0.64 | 9.8 | 0.03 | Feb 20, 2018 | Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts. | ||
| CVE-2017-8981 | — | Cri | 0.64 | 9.8 | 0.09 | Feb 15, 2018 | A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0506 was found. | |
| CVE-2017-13229 | Cri | 0.64 | 9.8 | 0.02 | Feb 12, 2018 | A remote code execution vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. ID: A-68160703. | ||
| CVE-2018-6476 | Cri | 0.64 | 9.8 | 0.05 | Jan 31, 2018 | In SUPERAntiSpyware Professional Trial 6.0.1254, the SASKUTIL.SYS driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating input values from IOCtl 0x9C402114 or 0x9C402124 or 0x9C40207c. | ||
| CVE-2018-5447 | Cri | 0.64 | 9.8 | 0.02 | Jan 25, 2018 | An Improper Input Validation issue was discovered in Nari PCS-9611 relay. An improper input validation vulnerability has been identified that affects a service within the software that may allow a remote attacker to arbitrarily read/access system resources and affect the… | ||
| CVE-2017-15697 | Cri | 0.64 | 9.8 | 0.05 | Jan 23, 2018 | A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade… | ||
| CVE-2015-9246 | Cri | 0.64 | 9.8 | 0.03 | Jan 12, 2018 | An issue was discovered in Skybox Platform before 7.5.201. Remote Unauthenticated Code Execution exists via a WAR archive containing a JSP file. The WAR file is sent to /skyboxview-softwareupdate/services/CollectorSoftwareUpdate and the JSP file is reached at… | ||
| CVE-2017-14914 | Cri | 0.64 | 9.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, handles in the global client structure can become stale. | ||
| CVE-2017-14909 | Cri | 0.64 | 9.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a count value that is read from a file is not properly validated. | ||
| CVE-2017-14908 | Cri | 0.64 | 9.8 | 0.01 | Dec 5, 2017 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the SafeSwitch test application does not properly validate the number of blocks to verify. | ||
| CVE-2017-17086 | Cri | 0.64 | 9.8 | 0.01 | Dec 1, 2017 | Indeo Otter through 1.7.4 mishandles a "" substring in an initial DP payload, which allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact, as demonstrated by the Plan Editor. |
- risk 0.64cvss 9.8epss 0.03
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation while processing an encrypted authentication management frame in lim_send_auth_mgmt_frame() leads to buffer overflow.
- risk 0.64cvss 9.8epss 0.06
A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions…
- risk 0.64cvss 9.8epss 0.02
A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html…
- risk 0.64cvss 9.8epss 0.01
inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid…
- risk 0.64cvss 9.8epss 0.04
Remote code execution in Hanwha Techwin Smartcams
- risk 0.64cvss 9.8epss 0.02
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'model_name' or 'mac_address'.
- risk 0.64cvss 9.8epss 0.02
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'network.ieee8021x.delete_certs'.
- risk 0.64cvss 9.8epss 0.02
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow execution of commands due to lack of validation of the shell meta characters with the value of 'system.opkg.remove'.
- risk 0.64cvss 9.9epss 0.02
The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots.
- risk 0.64cvss 9.8epss 0.03
Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts.
- risk 0.64cvss 9.8epss 0.09
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0506 was found.
- risk 0.64cvss 9.8epss 0.02
A remote code execution vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. ID: A-68160703.
- risk 0.64cvss 9.8epss 0.05
In SUPERAntiSpyware Professional Trial 6.0.1254, the SASKUTIL.SYS driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating input values from IOCtl 0x9C402114 or 0x9C402124 or 0x9C40207c.
- risk 0.64cvss 9.8epss 0.02
An Improper Input Validation issue was discovered in Nari PCS-9611 relay. An improper input validation vulnerability has been identified that affects a service within the software that may allow a remote attacker to arbitrarily read/access system resources and affect the…
- risk 0.64cvss 9.8epss 0.05
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade…
- risk 0.64cvss 9.8epss 0.03
An issue was discovered in Skybox Platform before 7.5.201. Remote Unauthenticated Code Execution exists via a WAR archive containing a JSP file. The WAR file is sent to /skyboxview-softwareupdate/services/CollectorSoftwareUpdate and the JSP file is reached at…
- risk 0.64cvss 9.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, handles in the global client structure can become stale.
- risk 0.64cvss 9.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a count value that is read from a file is not properly validated.
- risk 0.64cvss 9.8epss 0.01
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, the SafeSwitch test application does not properly validate the number of blocks to verify.
- risk 0.64cvss 9.8epss 0.01
Indeo Otter through 1.7.4 mishandles a "" substring in an initial DP payload, which allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact, as demonstrated by the Plan Editor.