VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 27 of 401
  • CVE-2022-2421CriOct 26, 2022
    risk 0.58cvss 10.0epss 0.01

    Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

  • CVE-2021-25741HigSep 20, 2021
    risk 0.58cvss 8.8epss 0.07

    A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

  • CVE-2021-26814HigMar 6, 2021
    risk 0.58cvss 8.8epss 0.09

    Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code…

  • CVE-2021-21322CriMar 2, 2021
    risk 0.58cvss 10.0epss 0.02

    fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user…

  • CVE-2021-21321CriMar 2, 2021
    risk 0.58cvss 10.0epss 0.02

    fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of…

  • CVE-2020-13941HigAug 17, 2020
    risk 0.58cvss 8.8epss 0.04

    Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and…

  • CVE-2015-6497HigJan 15, 2020
    risk 0.58cvss 8.8epss 0.07

    The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via…

  • CVE-2018-17196HigJul 11, 2019
    risk 0.58cvss 8.8epss 0.05

    In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users…

  • CVE-2018-1000773HigSep 6, 2018
    risk 0.58cvss 8.8epss 0.07

    WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated…

  • CVE-2018-8300HigJul 11, 2018
    risk 0.58cvss 8.8epss 0.13

    A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka "Microsoft SharePoint Remote Code Execution Vulnerability." This affects Microsoft SharePoint.

  • CVE-2018-8260HigJul 11, 2018
    risk 0.58cvss 8.8epss 0.15

    A Remote Code Execution vulnerability exists in .NET software when the software fails to check the source markup of a file, aka ".NET Framework Remote Code Execution Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 4.7.2.

  • CVE-2018-0313HigJun 21, 2018
    risk 0.58cvss 8.8epss 0.04

    A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to send a malicious packet to the management interface on an affected system and execute a command-injection exploit. The vulnerability is due to incorrect input…

  • CVE-2018-0274HigJun 7, 2018
    risk 0.58cvss 8.8epss 0.04

    A vulnerability in the CLI parser of Cisco Network Services Orchestrator (NSO) could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insufficient input validation. An attacker could…

  • CVE-2018-4943HigMay 19, 2018
    risk 0.58cvss 8.8epss 0.07

    Adobe PhoneGap Push Plugin versions 1.8.0 and earlier have an exploitable Same-Origin Method Execution vulnerability. Successful exploitation could lead to JavaScript code execution in the context of the PhoneGap app.

  • CVE-2018-0279HigMay 17, 2018
    risk 0.58cvss 8.8epss 0.05

    A vulnerability in the Secure Copy Protocol (SCP) server of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to access the shell of the underlying Linux operating system on the affected device. The vulnerability is due to…

  • CVE-2017-15043HigMay 4, 2018
    risk 0.58cvss 8.8epss 0.04

    A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.5 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9 could allow an authenticated remote attacker to execute arbitrary code and gain full…

  • CVE-2018-0287HigMay 2, 2018
    risk 0.58cvss 8.8epss 0.04

    A vulnerability in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The vulnerability is due to a design flaw in the affected software. An attacker…

  • CVE-2018-1058HigMar 2, 2018
    risk 0.58cvss 8.8epss 0.14

    A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.

  • CVE-2017-5793HigFeb 15, 2018
    risk 0.58cvss 8.8epss 0.05

    A Remote Arbitrary Code Execution vulnerability in HPE Intelligent Management Center (IMC) PLAT version 7.2 E0403P06 was found.

  • CVE-2017-12554HigFeb 15, 2018
    risk 0.58cvss 8.8epss 0.05

    A remote code execution vulnerability in HPE intelligent Management Center (iMC) PLAT iMC Plat 7.3 E0504P2 and earlier was found.