CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 180 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000883 | — | Med | 0.35 | 6.5 | 0.01 | Dec 20, 2018 | Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added. This attack appear to be exploitable via Crafting a value to be sent as a cookie. This vulnerability appears to have been fixed in… | |
| CVE-2018-8512 | Med | 0.35 | 5.4 | 0.03 | Oct 10, 2018 | A security feature bypass vulnerability exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge. This CVE ID is… | ||
| CVE-2018-15429 | Med | 0.35 | 5.3 | 0.01 | Oct 5, 2018 | A vulnerability in the web-based UI of Cisco HyperFlex HX Data Platform Software could allow an unauthenticated, remote attacker to access sensitive information on an affected system. The vulnerability is due to a lack of proper input and authorization of HTTP requests. An… | ||
| CVE-2018-0447 | Med | 0.35 | 5.3 | 0.02 | Oct 5, 2018 | A vulnerability in the anti-spam protection mechanisms of Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass certain content filters on an affected device. The vulnerability is due to incomplete input and… | ||
| CVE-2017-15705 | Med | 0.35 | 5.3 | 0.08 | Sep 17, 2018 | A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we… | ||
| CVE-2018-8434 | Med | 0.35 | 5.4 | 0.03 | Sep 13, 2018 | An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka "Windows Hyper-V Information Disclosure Vulnerability." This affects Windows 7, Windows… | ||
| CVE-2018-14635 | — | Med | 0.35 | 6.5 | 0.03 | Sep 10, 2018 | When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then… | |
| CVE-2018-12807 | Med | 0.35 | 5.3 | 0.05 | Aug 29, 2018 | Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have an input validation bypass vulnerability. Successful exploitation could lead to unauthorized information modification. | ||
| CVE-2018-15876 | Med | 0.35 | 5.3 | 0.01 | Aug 26, 2018 | An issue was discovered in the ajax-bootmodal-login plugin 1.4.3 for WordPress. The register form, login form, and password-recovery form require solving a CAPTCHA to perform actions. However, this is required only once per user session, and therefore one could send as many… | ||
| CVE-2018-1599 | Med | 0.35 | 5.4 | 0.01 | Aug 22, 2018 | IBM API Connect 5.0.0.0 through 5.0.8.3 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch… | ||
| CVE-2018-3776 | Med | 0.35 | 5.3 | 0.01 | Aug 12, 2018 | Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log. | ||
| CVE-2018-12448 | Med | 0.35 | 5.3 | 0.01 | Aug 2, 2018 | Whale Browser before 1.3.48.4 displays no URL information but only a title of a web page on the browser's address bar when visiting a non-http page, which allows an attacker to display a malicious web page with a fake domain name. | ||
| CVE-2016-8624 | Med | 0.35 | 5.3 | 0.06 | Jul 31, 2018 | curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser… | ||
| CVE-2017-7539 | Med | 0.35 | 5.3 | 0.06 | Jul 26, 2018 | An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A… | ||
| CVE-2018-5537 | Med | 0.35 | 5.3 | 0.01 | Jul 25, 2018 | A remote attacker may be able to disrupt services on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.2.1-11.5.6 if the TMM virtual server is configured with a HTML or a Rewrite profile. TMM may restart while processing some specially prepared HTML content from… | ||
| CVE-2017-3180 | Med | 0.35 | 5.4 | 0.01 | Jul 24, 2018 | Multiple TIBCO Products are prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context… | ||
| CVE-2018-14055 | Med | 0.35 | 6.5 | 0.01 | Jul 15, 2018 | ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf. | ||
| CVE-2018-0034 | Med | 0.35 | 5.3 | 0.02 | Jul 11, 2018 | A Denial of Service vulnerability exists in the Juniper Networks Junos OS JDHCPD daemon which allows an attacker to core the JDHCPD daemon by sending a crafted IPv6 packet to the system. This issue is limited to systems which receives IPv6 DHCP packets on a system configured for… | ||
| CVE-2018-7635 | Med | 0.35 | 5.3 | 0.01 | Jul 3, 2018 | Whale Browser before 1.0.41.8 displays no URL information but only a title of a web page on the browser's address bar when visiting a blank page, which allows an attacker to display a malicious web page with a fake domain name. | ||
| CVE-2018-7787 | Med | 0.35 | 5.3 | 0.01 | Jul 3, 2018 | In Schneider Electric U.motion Builder software versions prior to v1.3.4, this vulnerability is due to improper validation of input of context parameter in HTTP GET request. |
- risk 0.35cvss 6.5epss 0.01
Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added. This attack appear to be exploitable via Crafting a value to be sent as a cookie. This vulnerability appears to have been fixed in…
- risk 0.35cvss 5.4epss 0.03
A security feature bypass vulnerability exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge. This CVE ID is…
- risk 0.35cvss 5.3epss 0.01
A vulnerability in the web-based UI of Cisco HyperFlex HX Data Platform Software could allow an unauthenticated, remote attacker to access sensitive information on an affected system. The vulnerability is due to a lack of proper input and authorization of HTTP requests. An…
- risk 0.35cvss 5.3epss 0.02
A vulnerability in the anti-spam protection mechanisms of Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass certain content filters on an affected device. The vulnerability is due to incomplete input and…
- risk 0.35cvss 5.3epss 0.08
A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we…
- risk 0.35cvss 5.4epss 0.03
An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system, aka "Windows Hyper-V Information Disclosure Vulnerability." This affects Windows 7, Windows…
- risk 0.35cvss 6.5epss 0.03
When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then…
- risk 0.35cvss 5.3epss 0.05
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have an input validation bypass vulnerability. Successful exploitation could lead to unauthorized information modification.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in the ajax-bootmodal-login plugin 1.4.3 for WordPress. The register form, login form, and password-recovery form require solving a CAPTCHA to perform actions. However, this is required only once per user session, and therefore one could send as many…
- risk 0.35cvss 5.4epss 0.01
IBM API Connect 5.0.0.0 through 5.0.8.3 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch…
- risk 0.35cvss 5.3epss 0.01
Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log.
- risk 0.35cvss 5.3epss 0.01
Whale Browser before 1.3.48.4 displays no URL information but only a title of a web page on the browser's address bar when visiting a non-http page, which allows an attacker to display a malicious web page with a fake domain name.
- risk 0.35cvss 5.3epss 0.06
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser…
- risk 0.35cvss 5.3epss 0.06
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A…
- risk 0.35cvss 5.3epss 0.01
A remote attacker may be able to disrupt services on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.2.1-11.5.6 if the TMM virtual server is configured with a HTML or a Rewrite profile. TMM may restart while processing some specially prepared HTML content from…
- risk 0.35cvss 5.4epss 0.01
Multiple TIBCO Products are prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context…
- risk 0.35cvss 6.5epss 0.01
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf.
- risk 0.35cvss 5.3epss 0.02
A Denial of Service vulnerability exists in the Juniper Networks Junos OS JDHCPD daemon which allows an attacker to core the JDHCPD daemon by sending a crafted IPv6 packet to the system. This issue is limited to systems which receives IPv6 DHCP packets on a system configured for…
- risk 0.35cvss 5.3epss 0.01
Whale Browser before 1.0.41.8 displays no URL information but only a title of a web page on the browser's address bar when visiting a blank page, which allows an attacker to display a malicious web page with a fake domain name.
- risk 0.35cvss 5.3epss 0.01
In Schneider Electric U.motion Builder software versions prior to v1.3.4, this vulnerability is due to improper validation of input of context parameter in HTTP GET request.