VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 178 of 401
  • CVE-2024-0710MedMay 2, 2024
    risk 0.35cvss 5.3epss 0.01

    The GP Unique ID plugin for WordPress is vulnerable to Unique ID Modification in all versions up to, and including, 1.5.5. This is due to insufficient input validation. This makes it possible for unauthenticated attackers to tamper with the generation of a unique ID on a form…

  • CVE-2024-4175MedApr 25, 2024
    risk 0.35cvss 5.4epss 0.00

    Unicode transformation vulnerability in Hyperion affecting version 2.0.15. This vulnerability could allow an attacker to send a malicious payload with Unicode characters that will be replaced by ASCII characters.

  • CVE-2024-1481MedApr 10, 2024
    risk 0.35cvss 5.3epss 0.01

    A flaw was found in FreeIPA. This issue may allow a remote attacker to craft a HTTP request with parameters that can be interpreted as command arguments to kinit on the FreeIPA server, which can lead to a denial of service.

  • CVE-2024-21507MedApr 10, 2024
    risk 0.35cvss 6.5epss 0.01

    Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

  • CVE-2024-2536MedApr 9, 2024
    risk 0.35cvss 6.4epss 0.00

    The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes. This makes…

  • CVE-2024-2226MedApr 9, 2024
    risk 0.35cvss 6.4epss 0.00

    The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id parameter in the google-map block in all versions up to, and including, 2.6.4 due to insufficient input sanitization and…

  • CVE-2024-31867MedApr 9, 2024
    risk 0.35cvss 6.5epss 0.02

    Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version…

  • CVE-2024-31865MedApr 9, 2024
    risk 0.35cvss 6.5epss 0.02

    Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to…

  • CVE-2024-31860MedApr 9, 2024
    risk 0.35cvss 6.5epss 0.01

    Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.  This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are…

  • CVE-2023-6738MedJan 4, 2024
    risk 0.35cvss 5.4epss 0.00

    The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to…

  • CVE-2023-50709MedDec 13, 2023
    risk 0.35cvss 6.5epss 0.01

    Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.34.34` and it's recommended that all…

  • CVE-2023-5104MedSep 21, 2023
    risk 0.35cvss 6.5epss 0.01

    Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.

  • CVE-2023-41336MedSep 11, 2023
    risk 0.35cvss 6.5epss 0.01

    ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version…

  • CVE-2023-39530MedAug 7, 2023
    risk 0.35cvss 6.5epss 0.01

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

  • CVE-2023-36543MedJul 12, 2023
    risk 0.35cvss 6.5epss 0.01

    Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected

  • CVE-2023-22888MedJul 12, 2023
    risk 0.35cvss 6.5epss 0.01

    Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to…

  • CVE-2023-2728MedJul 3, 2023
    risk 0.35cvss 6.5epss 0.02

    Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s…

  • CVE-2023-2727MedJul 3, 2023
    risk 0.35cvss 6.5epss 0.01

    Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

  • CVE-2023-27043MedApr 19, 2023
    risk 0.35cvss 5.3epss 0.03

    The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which…

  • CVE-2023-25661MedMar 27, 2023
    risk 0.35cvss 6.5epss 0.00

    TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose`…