VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 137 of 401
  • CVE-2019-14243HigJul 23, 2019
    risk 0.42cvss 7.5epss 0.04

    headerv2.go in mastercactapus proxyprotocol before 0.0.2, as used in the mastercactapus caddy-proxyprotocol plugin through 0.0.2 for Caddy, allows remote attackers to cause a denial of service (webserver panic and daemon crash) via a crafted HAProxy PROXY v2 request with…

  • CVE-2019-11832HigMay 9, 2019
    risk 0.42cvss 7.5epss 0.04

    TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.

  • CVE-2019-10742HigMay 7, 2019
    risk 0.42cvss 7.5epss 0.06

    Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

  • CVE-2019-3564HigMay 6, 2019
    risk 0.42cvss 7.5epss 0.02

    Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue…

  • CVE-2018-20835HigApr 30, 2019
    risk 0.42cvss 7.5epss 0.02

    A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file…

  • CVE-2019-11069HigApr 10, 2019
    risk 0.42cvss 7.5epss 0.02

    Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.

  • CVE-2018-1320HigJan 7, 2019
    risk 0.42cvss 7.5epss 0.08

    Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production…

  • CVE-2018-20301MedDec 20, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can automatically…

  • CVE-2018-11799MedDec 19, 2018
    risk 0.42cvss 6.5epss 0.01

    Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 to impersonate other users. The malicious user can construct an XML that results workflows running in other user's name.

  • CVE-2018-17194HigDec 19, 2018
    risk 0.42cvss 7.5epss 0.03

    When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait…

  • CVE-2014-10077HigNov 6, 2018
    risk 0.42cvss 7.5epss 0.03

    Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.

  • CVE-2015-5159HigOct 30, 2018
    risk 0.42cvss 7.5epss 0.02

    python-kdcproxy before 0.3.2 allows remote attackers to cause a denial of service via a large POST request.

  • CVE-2018-12479MedOct 9, 2018
    risk 0.42cvss 6.5epss 0.02

    A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320afc4fae823465d1e72da8bd60df.

  • CVE-2018-1000809HigOct 8, 2018
    risk 0.42cvss 7.5epss 0.02

    privacyIDEA version 2.23.1 and earlier contains a Improper Input Validation vulnerability in token validation api that can result in Denial-of-Service. This attack appear to be exploitable via http request with user=&pass= to /validate/check url. This vulnerability…

  • CVE-2018-13042MedOct 5, 2018
    risk 0.42cvss 5.9epss 0.08

    The 1Password application 6.8 for Android is affected by a Denial Of Service vulnerability. By starting the activity com.agilebits.onepassword.filling.openyolo.OpenYoloDeleteActivity or com.agilebits.onepassword.filling.openyolo.OpenYoloRetrieveActivity from an external…

  • CVE-2018-0197MedOct 5, 2018
    risk 0.42cvss 6.5epss 0.01

    A vulnerability in the VLAN Trunking Protocol (VTP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to corrupt the internal VTP database on an affected device and cause a denial of service (DoS) condition. The…

  • CVE-2018-11750MedOct 2, 2018
    risk 0.42cvss 6.5epss 0.01

    Previous releases of the Puppet cisco_ios module did not validate a host's identity before starting a SSH connection. As of the 0.4.0 release of cisco_ios, host key checking is enabled by default.

  • CVE-2018-15701MedOct 1, 2018
    risk 0.42cvss 6.5epss 0.01

    The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to a denial of service when an unauthenticated LAN user sends a crafted HTTP header containing an unexpected Cookie field.

  • CVE-2018-15700MedOct 1, 2018
    risk 0.42cvss 6.5epss 0.01

    The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to a denial of service when an unauthenticated LAN user sends a crafted HTTP header containing an unexpected Referer field.

  • CVE-2018-16587MedSep 28, 2018
    risk 0.42cvss 6.5epss 0.02

    In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has…