VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (6,720)

page 249 of 336
  • CVE-2013-2191Feb 8, 2014
    Fedoraproject
    Fedora
    risk 0.00cvss epss 0.00

    python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.

  • CVE-2012-5524Feb 8, 2014
    Gajim
    Gajim
    risk 0.00cvss epss 0.00

    The _ssl_verify_callback function in tls_nb.py in Gajim before 0.15.3 does not properly verify SSL certificates, which allows remote attackers to conduct man-in-the-middle (MITM) attacks and spoof servers via an arbitrary certificate from a trusted CA.

  • CVE-2014-0038Feb 6, 2014
    Linux
    Kernel
    risk 0.00cvss epss 0.52

    The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.

  • CVE-2013-6482Feb 6, 2014
    Pidgin (software)
    Pidgin
    risk 0.00cvss epss 0.01

    Pidgin before 2.10.8 allows remote MSN servers to cause a denial of service (NULL pointer dereference and crash) via a crafted (1) SOAP response, (2) OIM XML response, or (3) Content-Length header.

  • CVE-2013-2038Feb 6, 2014
    Gpsd
    Gpsd
    risk 0.00cvss epss 0.02

    The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon termination) and possibly execute arbitrary code via a GPS packet with a malformed $GPGGA interpreted sentence that lacks certain fields and a terminator. NOTE: a separate issue…

  • CVE-2014-0020Feb 6, 2014
    Pidgin (software)
    Pidgin
    risk 0.00cvss epss 0.04

    The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.

  • CVE-2013-6486Feb 6, 2014
    Pidgin (software)
    Pidgin
    risk 0.00cvss epss 0.01

    gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an…

  • CVE-2013-6484Feb 6, 2014
    Pidgin (software)
    Pidgin
    risk 0.00cvss epss 0.01

    The STUN protocol implementation in libpurple in Pidgin before 2.10.8 allows remote STUN servers to cause a denial of service (out-of-bounds write operation and application crash) by triggering a socket read error.

  • CVE-2013-6483Feb 6, 2014
    Pidgin (software)
    Pidgin
    risk 0.00cvss epss 0.01

    The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer…

  • CVE-2013-6478Feb 6, 2014
    Pidgin (software)
    Pidgin
    risk 0.00cvss epss 0.03

    gtkimhtml.c in Pidgin before 2.10.8 does not properly interact with underlying library support for wide Pango layouts, which allows user-assisted remote attackers to cause a denial of service (application crash) via a long URL that is examined with a tooltip.

  • CVE-2012-6152Feb 6, 2014
    Pidgin (software)
    Pidgin
    risk 0.00cvss epss 0.01

    The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, which allows remote attackers to cause a denial of service (application crash) via crafted byte sequences.

  • CVE-2014-0834Feb 4, 2014
    IBM
    General Parallel File System
    risk 0.00cvss epss 0.01

    IBM General Parallel File System (GPFS) 3.4 through 3.4.0.27 and 3.5 through 3.5.0.16 allows attackers to cause a denial of service (daemon crash) via crafted arguments to a setuid program.

  • CVE-2013-6032Feb 4, 2014
    Lexmark
    25xxn
    risk 0.00cvss epss 0.01

    cgi-bin/postpf/cgi-bin/dynamic/config/config.html on Lexmark X94x before LC.BR.P142, X85x through LC4.BE.P487, X644 and X646 before LC2.MC.P374, X642 through LC2.MB.P318, W840 through LS.HA.P252, T64x before LS.ST.P344, X64xef through LC2.TI.P325, C935dn through LC.JO.P091, C920…

  • CVE-2013-7177Feb 1, 2014
    Fail2ban
    Fail2ban
    risk 0.00cvss epss 0.01

    config/filter.d/cyrus-imap.conf in the cyrus-imap filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression.

  • CVE-2013-7176Feb 1, 2014
    Fail2ban
    Fail2ban
    risk 0.00cvss epss 0.01

    config/filter.d/postfix.conf in the postfix filter in Fail2ban before 0.8.11 allows remote attackers to trigger the blocking of an arbitrary IP address via a crafted e-mail address that matches an improperly designed regular expression.

  • CVE-2013-6143Jan 31, 2014
    Schneider Electric
    Telvent SAGE 3030 RTU
    risk 0.00cvss epss 0.00

    The Schneider Electric Telvent SAGE 3030 RTU with firmware C3413-500-001D3_P4 and C3413-500-001F0_PB allows remote attackers to cause a denial of service (temporary outage and CPU consumption) via malformed DNP3 traffic.

  • CVE-2013-6650Jan 28, 2014
    Google
    Chrome
    risk 0.00cvss epss 0.02

    The StoreBuffer::ExemptPopularPages function in store-buffer.cc in Google V8 before 3.22.24.16, as used in Google Chrome before 32.0.1700.102, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors that…

  • CVE-2013-6747Jan 27, 2014
    IBM
    Tivoli Directory Server
    risk 0.00cvss epss 0.03

    IBM GSKit 7.x before 7.0.4.48 and 8.x before 8.0.50.16, as used in IBM Security Directory Server (ISDS) and Tivoli Directory Server (TDS), allows remote attackers to cause a denial of service (application crash or hang) via a malformed X.509 certificate chain.

  • CVE-2014-0022Jan 26, 2014
    Baseurl
    Yum
    risk 0.00cvss epss 0.01

    The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package signing restriction via an unsigned package.

  • CVE-2013-5350Jan 24, 2014
    Tejimaya
    Openpne
    risk 0.00cvss epss 0.01

    The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which allows remote attackers to conduct…