CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (6,924)
page 199 of 347| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-25692 | 0.00 | — | 0.02 | Feb 24, 2023 | Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0. | |||
| CVE-2023-25691 | 0.00 | — | 0.02 | Feb 24, 2023 | Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0. | |||
| CVE-2023-23934 | 0.00 | — | 0.01 | Feb 14, 2023 | Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like… | |||
| CVE-2023-24816 | 0.00 | — | 0.01 | Feb 10, 2023 | IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This… | |||
| CVE-2022-25906 | — | 0.00 | — | 0.01 | Feb 1, 2023 | All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function. | ||
| CVE-2022-44644 | — | 0.00 | — | 0.01 | Jan 31, 2023 | In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the… | ||
| CVE-2023-0229 | 0.00 | — | 0.01 | Jan 25, 2023 | A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2… | |||
| CVE-2023-0434 | 0.00 | — | 0.01 | Jan 22, 2023 | Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40. | |||
| CVE-2023-22730 | — | 0.00 | — | 0.01 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass… | ||
| CVE-2023-22734 | — | 0.00 | — | 0.01 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their… | ||
| CVE-2023-0299 | 0.00 | — | 0.01 | Jan 14, 2023 | Improper Input Validation in GitHub repository publify/publify prior to 9.2.10. | |||
| CVE-2023-22491 | 0.00 | — | 0.01 | Jan 13, 2023 | Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in… | |||
| CVE-2023-22963 | — | 0.00 | — | 0.00 | Jan 11, 2023 | The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression. | ||
| CVE-2023-22465 | — | 0.00 | — | 0.01 | Jan 4, 2023 | Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily… | ||
| CVE-2022-45875 | 0.00 | — | 0.03 | Jan 4, 2023 | Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by… | |||
| CVE-2023-22460 | 0.00 | — | 0.01 | Jan 4, 2023 | go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes… | |||
| CVE-2020-36564 | — | 0.00 | — | 0.01 | Dec 27, 2022 | Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid. | ||
| CVE-2022-40145 | — | 0.00 | — | 0.02 | Dec 21, 2022 | This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName)… | ||
| CVE-2022-25940 | — | 0.00 | — | 0.01 | Dec 21, 2022 | All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse. | ||
| CVE-2021-28655 | 0.00 | — | 0.02 | Dec 16, 2022 | The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. |
- CVE-2023-25692Feb 24, 2023risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.
- CVE-2023-25691Feb 24, 2023risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.
- CVE-2023-23934Feb 14, 2023risk 0.00cvss —epss 0.01
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like…
- CVE-2023-24816Feb 10, 2023risk 0.00cvss —epss 0.01
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This…
- CVE-2022-25906Feb 1, 2023risk 0.00cvss —epss 0.01
All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.
- CVE-2022-44644Jan 31, 2023risk 0.00cvss —epss 0.01
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the…
- CVE-2023-0229Jan 25, 2023risk 0.00cvss —epss 0.01
A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2…
- CVE-2023-0434Jan 22, 2023risk 0.00cvss —epss 0.01
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.
- CVE-2023-22730Jan 17, 2023risk 0.00cvss —epss 0.01
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass…
- CVE-2023-22734Jan 17, 2023risk 0.00cvss —epss 0.01
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their…
- CVE-2023-0299Jan 14, 2023risk 0.00cvss —epss 0.01
Improper Input Validation in GitHub repository publify/publify prior to 9.2.10.
- CVE-2023-22491Jan 13, 2023risk 0.00cvss —epss 0.01
Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in…
- CVE-2023-22963Jan 11, 2023risk 0.00cvss —epss 0.00
The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression.
- CVE-2023-22465Jan 4, 2023risk 0.00cvss —epss 0.01
Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily…
- CVE-2022-45875Jan 4, 2023risk 0.00cvss —epss 0.03
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. This attack can be performed only by…
- CVE-2023-22460Jan 4, 2023risk 0.00cvss —epss 0.01
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes…
- CVE-2020-36564Dec 27, 2022risk 0.00cvss —epss 0.01
Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
- CVE-2022-40145Dec 21, 2022risk 0.00cvss —epss 0.02
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName)…
- CVE-2022-25940Dec 21, 2022risk 0.00cvss —epss 0.01
All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.
- CVE-2021-28655Dec 16, 2022risk 0.00cvss —epss 0.02
The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.