CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Parents

CWE-707

Children

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (6,924)

page 191 of 347

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2024-28103	Rubyonrails Rails	—	0.01	Jun 4, 2024	Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
CVE-2024-37061	Mlflow Mlflow	—	0.01	Jun 4, 2024	Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
CVE-2024-3829	Qdrant Qdrant	—	0.01	Jun 3, 2024	qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a…
CVE-2024-34009	Moodle Moodle	—	0.00	May 31, 2024	Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.
CVE-2024-33999	Moodle Moodle	—	0.01	May 31, 2024	The referrer URL used by MFA required additional sanitizing, rather than being used directly.
CVE-2024-33996	Moodle Moodle	—	0.00	May 31, 2024	Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.
CVE-2024-3584	Qdrant Qdrant	—	0.01	May 30, 2024	qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the…
CVE-2024-34365	Apache Karaf Cave	—	0.01	May 9, 2024	UNSUPPORTED WHEN ASSIGNED Improper Input Validation vulnerability in Apache Karaf Cave.This issue affects all versions of Apache Karaf Cave. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative…
CVE-2024-32646	Vyperlang Vyper	—	0.00	Apr 25, 2024	Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `.code` and either the `start`…
CVE-2024-32645	Vyperlang Vyper	—	0.00	Apr 25, 2024	Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable…
CVE-2024-20758	Adobe Inc. Commerce	—	0.01	Apr 10, 2024	Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution on the underlying filesystem. Exploitation of this issue does not require user interaction, but…
CVE-2024-21507	—	—	0.01	Apr 10, 2024	Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
CVE-2024-31867	Apache Zeppelin	—	0.02	Apr 9, 2024	Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version…
CVE-2024-31865	Apache Zeppelin	—	0.02	Apr 9, 2024	Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to…
CVE-2024-31862	Apache Zeppelin	—	0.01	Apr 9, 2024	Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.
CVE-2022-47894	—	—	0.01	Apr 9, 2024	Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict…
CVE-2024-31860	Apache Zeppelin	—	0.01	Apr 9, 2024	Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are…
CVE-2024-29042	Franciscop Translate	—	0.01	Mar 22, 2024	Translate is a package that allows users to convert text to different languages on Node.js and the browser. Prior to version 3.0.0, an attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of…
CVE-2024-23634	Geoserver Geoserver	—	0.01	Mar 20, 2024	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores…
CVE-2023-51444	Geoserver Geoserver	—	0.02	Mar 20, 2024	GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage…

CVE-2024-28103Jun 4, 2024
Rubyonrails
Rails
risk 0.00cvss —epss 0.01
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
CVE-2024-37061Jun 4, 2024
Mlflow
Mlflow
risk 0.00cvss —epss 0.01
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
CVE-2024-3829Jun 3, 2024
Qdrant
Qdrant
risk 0.00cvss —epss 0.01
qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a…
CVE-2024-34009May 31, 2024
Moodle
Moodle
risk 0.00cvss —epss 0.00
Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.
CVE-2024-33999May 31, 2024
Moodle
Moodle
risk 0.00cvss —epss 0.01
The referrer URL used by MFA required additional sanitizing, rather than being used directly.
CVE-2024-33996May 31, 2024
Moodle
Moodle
risk 0.00cvss —epss 0.00
Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.
CVE-2024-3584May 30, 2024
Qdrant
Qdrant
risk 0.00cvss —epss 0.01
qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the…
CVE-2024-34365May 9, 2024
Apache
Karaf Cave
risk 0.00cvss —epss 0.01
** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Karaf Cave.This issue affects all versions of Apache Karaf Cave. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative…
CVE-2024-32646Apr 25, 2024
Vyperlang
Vyper
risk 0.00cvss —epss 0.00
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `.code` and either the `start`…
CVE-2024-32645Apr 25, 2024
Vyperlang
Vyper
risk 0.00cvss —epss 0.00
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable…
CVE-2024-20758Apr 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution on the underlying filesystem. Exploitation of this issue does not require user interaction, but…
CVE-2024-21507Apr 10, 2024
risk 0.00cvss —epss 0.01
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
CVE-2024-31867Apr 9, 2024
Apache
Zeppelin
risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version…
CVE-2024-31865Apr 9, 2024
Apache
Zeppelin
risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to…
CVE-2024-31862Apr 9, 2024
Apache
Zeppelin
risk 0.00cvss —epss 0.01
Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.
CVE-2022-47894Apr 9, 2024
risk 0.00cvss —epss 0.01
Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict…
CVE-2024-31860Apr 9, 2024
Apache
Zeppelin
risk 0.00cvss —epss 0.01
Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are…
CVE-2024-29042Mar 22, 2024
Franciscop
Translate
risk 0.00cvss —epss 0.01
Translate is a package that allows users to convert text to different languages on Node.js and the browser. Prior to version 3.0.0, an attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of…
CVE-2024-23634Mar 20, 2024
Geoserver
Geoserver
risk 0.00cvss —epss 0.01
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores…
CVE-2023-51444Mar 20, 2024
Geoserver
Geoserver
risk 0.00cvss —epss 0.02
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage…