CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (6,924)
page 194 of 347| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49082 | 0.00 | — | 0.01 | Nov 29, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The… | |||
| CVE-2023-46589 | — | 0.00 | — | 0.03 | Nov 28, 2023 | Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header… | ||
| CVE-2023-48223 | 0.00 | — | 0.01 | Nov 20, 2023 | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, the fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does not properly match all common PEM… | |||
| CVE-2023-26364 | — | 0.00 | — | 0.01 | Nov 17, 2023 | @adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a minor denial of service while attempting to parse CSS. Exploitation of this issue does not require user interaction or privileges. | ||
| CVE-2023-40314 | — | 0.00 | — | 0.00 | Nov 16, 2023 | Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer Meridian and Horizon… | ||
| CVE-2023-5528 | — | 0.00 | — | 0.04 | Nov 14, 2023 | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | ||
| CVE-2023-36049 | 0.00 | — | 0.13 | Nov 14, 2023 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | |||
| CVE-2023-39913 | 0.00 | — | 0.01 | Nov 8, 2023 | Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which… | |||
| CVE-2023-3893 | — | 0.00 | — | 0.03 | Nov 3, 2023 | A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running … | ||
| CVE-2023-4043 | — | 0.00 | — | 0.01 | Nov 3, 2023 | In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to… | ||
| CVE-2023-5763 | — | 0.00 | — | 0.01 | Nov 3, 2023 | In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners. | ||
| CVE-2023-4197 | 0.00 | — | 0.33 | Nov 1, 2023 | Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. | |||
| CVE-2023-3955 | — | 0.00 | — | 0.03 | Oct 31, 2023 | A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. | ||
| CVE-2023-3676 | — | 0.00 | — | 0.12 | Oct 31, 2023 | A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. | ||
| CVE-2023-5043 | 0.00 | — | 0.02 | Oct 25, 2023 | Ingress nginx annotation injection causes arbitrary command execution. | |||
| CVE-2022-4886 | 0.00 | — | 0.02 | Oct 25, 2023 | Ingress-nginx `path` sanitization can be bypassed with `log_format` directive. | |||
| CVE-2023-45805 | — | 0.00 | — | 0.01 | Oct 20, 2023 | pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another… | ||
| CVE-2023-45128 | 0.00 | — | 0.00 | Oct 16, 2023 | Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow… | |||
| CVE-2023-5571 | 0.00 | — | 0.01 | Oct 13, 2023 | Improper Input Validation in GitHub repository vriteio/vrite prior to 0.3.0. | |||
| CVE-2023-26367 | 0.00 | — | 0.01 | Oct 13, 2023 | Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker.… |
- CVE-2023-49082Nov 29, 2023risk 0.00cvss —epss 0.01
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The…
- CVE-2023-46589Nov 28, 2023risk 0.00cvss —epss 0.03
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header…
- CVE-2023-48223Nov 20, 2023risk 0.00cvss —epss 0.01
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, the fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does not properly match all common PEM…
- CVE-2023-26364Nov 17, 2023risk 0.00cvss —epss 0.01
@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a minor denial of service while attempting to parse CSS. Exploitation of this issue does not require user interaction or privileges.
- CVE-2023-40314Nov 16, 2023risk 0.00cvss —epss 0.00
Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer Meridian and Horizon…
- CVE-2023-5528Nov 14, 2023risk 0.00cvss —epss 0.04
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
- CVE-2023-36049Nov 14, 2023risk 0.00cvss —epss 0.13
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
- CVE-2023-39913Nov 8, 2023risk 0.00cvss —epss 0.01
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which…
- CVE-2023-3893Nov 3, 2023risk 0.00cvss —epss 0.03
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running …
- CVE-2023-4043Nov 3, 2023risk 0.00cvss —epss 0.01
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to…
- CVE-2023-5763Nov 3, 2023risk 0.00cvss —epss 0.01
In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.
- CVE-2023-4197Nov 1, 2023risk 0.00cvss —epss 0.33
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
- CVE-2023-3955Oct 31, 2023risk 0.00cvss —epss 0.03
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
- CVE-2023-3676Oct 31, 2023risk 0.00cvss —epss 0.12
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
- CVE-2023-5043Oct 25, 2023risk 0.00cvss —epss 0.02
Ingress nginx annotation injection causes arbitrary command execution.
- CVE-2022-4886Oct 25, 2023risk 0.00cvss —epss 0.02
Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.
- CVE-2023-45805Oct 20, 2023risk 0.00cvss —epss 0.01
pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another…
- CVE-2023-45128Oct 16, 2023risk 0.00cvss —epss 0.00
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow…
- CVE-2023-5571Oct 13, 2023risk 0.00cvss —epss 0.01
Improper Input Validation in GitHub repository vriteio/vrite prior to 0.3.0.
- CVE-2023-26367Oct 13, 2023risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker.…