CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 168 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10555 | — | Med | 0.36 | 6.5 | 0.05 | May 31, 2018 | Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually… | |
| CVE-2018-1000040 | Med | 0.36 | 5.5 | 0.01 | May 24, 2018 | In Artifex MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file. | ||
| CVE-2018-1000037 | Med | 0.36 | 5.5 | 0.02 | May 24, 2018 | In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file. | ||
| CVE-2018-3634 | Med | 0.36 | 5.5 | 0.00 | May 15, 2018 | Parameter corruption in NDIS filter driver in Intel Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access. | ||
| CVE-2018-10072 | Med | 0.36 | 5.5 | 0.00 | Apr 12, 2018 | windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953827bf DeviceIoControl call. | ||
| CVE-2018-10071 | Med | 0.36 | 5.5 | 0.00 | Apr 12, 2018 | windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953826DB DeviceIoControl call. | ||
| CVE-2018-4176 | Med | 0.36 | 5.5 | 0.01 | Apr 3, 2018 | An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Disk Images" component. It allows attackers to trigger an app launch upon mounting a crafted disk image. | ||
| CVE-2017-7003 | — | Med | 0.36 | 5.5 | 0.01 | Apr 3, 2018 | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of… | |
| CVE-2018-9136 | Med | 0.36 | 5.5 | 0.01 | Mar 30, 2018 | windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a crafted .exe file, a different vulnerability than CVE-2018-8821. | ||
| CVE-2018-8945 | Med | 0.36 | 5.5 | 0.02 | Mar 22, 2018 | The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section. | ||
| CVE-2018-8821 | Med | 0.36 | 5.5 | 0.01 | Mar 20, 2018 | windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a crafted .exe file. | ||
| CVE-2017-18240 | Med | 0.36 | 5.5 | 0.00 | Mar 19, 2018 | The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownership of PID file directory to the collectd account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL… | ||
| CVE-2017-17148 | Med | 0.36 | 5.5 | 0.00 | Mar 9, 2018 | Huawei DP300 V500R002C00 have a DoS vulnerability due to the lack of validation when the malloc is called. An authenticated local attacker can craft specific XML files to the affected products and parse this file, which result in DoS attacks. | ||
| CVE-2017-17138 | Med | 0.36 | 5.5 | 0.00 | Mar 5, 2018 | PEM module of DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; NGFW Module V500R001C00; V500R002C00; NIP6300 V500R001C00; V500R001C30; NIP6600 V500R001C00; V500R001C30; RP200 V500R002C00; V600R006C00; S12700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00;… | ||
| CVE-2017-16813 | Med | 0.36 | 5.5 | 0.01 | Feb 26, 2018 | A denial-of-service issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs when a user uploads a file that includes a hexadecimal Unicode character in the "filename" parameter via Wi-Fi, since the app could fail to parse this. | ||
| CVE-2011-3477 | Med | 0.36 | 5.5 | 0.01 | Feb 19, 2018 | GEAR Software CD DVD Filter driver (aka GEARAspiWDM.sys), as used in Symantec Backup Exec System Recovery 8.5 and BESR 2010, Symantec System Recovery 2011, Norton 360, and Norton Ghost, allows local users to cause a denial of service (system crash) via unspecified vectors. | ||
| CVE-2017-17201 | Med | 0.36 | 5.5 | 0.01 | Feb 15, 2018 | Some huawei smartphones with software BTV-DL09C233B350, Berlin-L21HNC432B360, Berlin-L22HNC636B360, Berlin-L24HNC567B360, Berlin-L21C10B130, Berlin-L21C185B132, Berlin-L21C464B130, Berlin-L22C346B140, Berlin-L22C636B160, Berlin-L23C605B131, Berlin-L23DOMC109B160,… | ||
| CVE-2018-6759 | Med | 0.36 | 5.5 | 0.02 | Feb 6, 2018 | The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation… | ||
| CVE-2018-6217 | Med | 0.36 | 5.5 | 0.01 | Jan 25, 2018 | The WStr::_alloc_iostr_data() function in kso.dll in Kingsoft WPS Office 10.1.0.7106 and 10.2.0.5978 allows remote attackers to cause a denial of service (application crash) via a crafted (a) web page, (b) office document, or (c) .rtf file. | ||
| CVE-2018-1047 | — | Med | 0.36 | 5.5 | 0.00 | Jan 24, 2018 | A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files. |
- risk 0.36cvss 6.5epss 0.05
Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually…
- risk 0.36cvss 5.5epss 0.01
In Artifex MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file.
- risk 0.36cvss 5.5epss 0.02
In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file.
- risk 0.36cvss 5.5epss 0.00
Parameter corruption in NDIS filter driver in Intel Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access.
- risk 0.36cvss 5.5epss 0.00
windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953827bf DeviceIoControl call.
- risk 0.36cvss 5.5epss 0.00
windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953826DB DeviceIoControl call.
- risk 0.36cvss 5.5epss 0.01
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Disk Images" component. It allows attackers to trigger an app launch upon mounting a crafted disk image.
- risk 0.36cvss 5.5epss 0.01
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of…
- risk 0.36cvss 5.5epss 0.01
windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a crafted .exe file, a different vulnerability than CVE-2018-8821.
- risk 0.36cvss 5.5epss 0.02
The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.
- risk 0.36cvss 5.5epss 0.01
windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a crafted .exe file.
- risk 0.36cvss 5.5epss 0.00
The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownership of PID file directory to the collectd account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script sends a SIGKILL…
- risk 0.36cvss 5.5epss 0.00
Huawei DP300 V500R002C00 have a DoS vulnerability due to the lack of validation when the malloc is called. An authenticated local attacker can craft specific XML files to the affected products and parse this file, which result in DoS attacks.
- risk 0.36cvss 5.5epss 0.00
PEM module of DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; NGFW Module V500R001C00; V500R002C00; NIP6300 V500R001C00; V500R001C30; NIP6600 V500R001C00; V500R001C30; RP200 V500R002C00; V600R006C00; S12700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00;…
- risk 0.36cvss 5.5epss 0.01
A denial-of-service issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs when a user uploads a file that includes a hexadecimal Unicode character in the "filename" parameter via Wi-Fi, since the app could fail to parse this.
- risk 0.36cvss 5.5epss 0.01
GEAR Software CD DVD Filter driver (aka GEARAspiWDM.sys), as used in Symantec Backup Exec System Recovery 8.5 and BESR 2010, Symantec System Recovery 2011, Norton 360, and Norton Ghost, allows local users to cause a denial of service (system crash) via unspecified vectors.
- risk 0.36cvss 5.5epss 0.01
Some huawei smartphones with software BTV-DL09C233B350, Berlin-L21HNC432B360, Berlin-L22HNC636B360, Berlin-L24HNC567B360, Berlin-L21C10B130, Berlin-L21C185B132, Berlin-L21C464B130, Berlin-L22C346B140, Berlin-L22C636B160, Berlin-L23C605B131, Berlin-L23DOMC109B160,…
- risk 0.36cvss 5.5epss 0.02
The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation…
- risk 0.36cvss 5.5epss 0.01
The WStr::_alloc_iostr_data() function in kso.dll in Kingsoft WPS Office 10.1.0.7106 and 10.2.0.5978 allows remote attackers to cause a denial of service (application crash) via a crafted (a) web page, (b) office document, or (c) .rtf file.
- risk 0.36cvss 5.5epss 0.00
A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files.