VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 16 of 401
  • CVE-2016-5178CriMay 23, 2017
    risk 0.64cvss 9.8epss 0.02

    Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785.143 allow remote attackers to cause a denial of service or possibly have other impact via unknown vectors.

  • CVE-2017-5215CriMay 17, 2017
    risk 0.64cvss 9.8epss 0.04

    The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows a rename attack that bypasses a "safe file extension" protection mechanism, leading to remote code execution.

  • CVE-2017-6551CriMay 2, 2017
    risk 0.64cvss 9.8epss 0.04

    Pexip Infinity before 14.2 allows remote attackers to cause a denial of service (service restart) or execute arbitrary code via vectors related to Conferencing Nodes.

  • CVE-2016-10243CriMay 2, 2017
    risk 0.64cvss 9.8epss 0.07

    TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.

  • CVE-2016-2173CriApr 21, 2017
    risk 0.64cvss 9.8epss 0.06

    org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code.

  • CVE-2016-4899CriApr 13, 2017
    risk 0.64cvss 9.8epss 0.06

    The datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.

  • CVE-2016-4898CriApr 13, 2017
    risk 0.64cvss 9.8epss 0.06

    The datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.

  • CVE-2012-1301CriApr 13, 2017
    risk 0.64cvss 9.8epss 0.03

    The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" parameter.

  • CVE-2017-7280CriApr 12, 2017
    risk 0.64cvss 9.8epss 0.06

    An issue was discovered in api/includes/systems.php in Unitrends Enterprise Backup before 9.0.0. User input is not properly filtered before being sent to a popen function. This allows for remote code execution by sending a specially crafted user variable.

  • CVE-2016-6878CriApr 10, 2017
    risk 0.64cvss 9.8epss 0.01

    The Curve25519 code in botan before 1.11.31, on systems without a native 128-bit integer type, might allow attackers to have unspecified impact via vectors related to undefined behavior, as demonstrated on 32-bit ARM systems compiled by Clang.

  • CVE-2017-2434CriApr 2, 2017
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "HomeKit" component. It allows attackers to have an unspecified impact by leveraging the presence of Home Control on Control Center.

  • CVE-2016-6206CriMar 24, 2017
    risk 0.64cvss 9.8epss 0.04

    Huawei AR3200 routers with software before V200R007C00SPC600 allow remote attackers to cause a denial of service or execute arbitrary code via a crafted packet.

  • CVE-2014-8705CriMar 17, 2017
    risk 0.64cvss 9.8epss 0.01

    PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter.

  • CVE-2016-7407CriMar 3, 2017
    risk 0.64cvss 9.8epss 0.06

    The dropbearconvert command in Dropbear SSH before 2016.74 allows attackers to execute arbitrary code via a crafted OpenSSH key file.

  • CVE-2017-3792CriFeb 1, 2017
    risk 0.64cvss 9.8epss 0.07

    A vulnerability in a proprietary device driver in the kernel of Cisco TelePresence Multipoint Control Unit (MCU) Software could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. The vulnerability is due to improper…

  • CVE-2016-9420CriJan 31, 2017
    risk 0.64cvss 9.8epss 0.03

    MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."

  • CVE-2017-3241CriJan 27, 2017
    risk 0.64cvss 9.0epss 0.33

    Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Difficult to exploit vulnerability allows…

  • CVE-2015-8212CriJan 19, 2017
    risk 0.64cvss 9.8epss 0.03

    CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware program.

  • CVE-2016-7791CriJan 12, 2017
    risk 0.64cvss 9.8epss 0.04

    Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php. An attacker can upload an evil 'exploit.tar.gz' file to the website, then extract it by visiting '/install/index.php?install_sample=../../files/exploit', which leads to arbitrary code…

  • CVE-2016-7790CriJan 12, 2017
    risk 0.64cvss 9.8epss 0.04

    Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php. An attacker can upload 'php' file to the website through uploader_paste.php, then overwrite /framework/conf/config.php, which leads to arbitrary code execution.