CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Parents

CWE-707

Children

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (6,924)

page 297 of 347

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2011-4602	Pidgin (software) Pidgin	—	0.04	Dec 17, 2011	The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message.
CVE-2011-4755	Parallels Parallels Plesk Small Business Panel	—	0.02	Dec 16, 2011	Parallels Plesk Small Business Panel 10.2.0 does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error) or possibly have unspecified other impact via a crafted cookie, as…
CVE-2011-4727	Parallels Parallels Plesk Panel	—	0.02	Dec 16, 2011	The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error) or possibly have unspecified…
CVE-2011-3907	Google Chrome	—	0.01	Dec 13, 2011	The view-source feature in Google Chrome before 16.0.912.63 allows remote attackers to spoof the URL bar via unspecified vectors.
CVE-2011-4685	Opera Opera	—	0.02	Dec 7, 2011	Dragonfly in Opera before 11.60 allows remote attackers to cause a denial of service (application crash) via unspecified content on a web page, as demonstrated by forbes.com.
CVE-2011-4554	Oneclickorgs One Click Orgs	—	0.01	Dec 6, 2011	One Click Orgs before 1.2.3 allows remote authenticated users to trigger crafted SMTP traffic via (1) " (double quote) and newline characters in an org name or (2) " (double quote) characters in an e-mail address, related to a "2nd Order SMTP Injection" issue.
CVE-2011-4553	Oneclickorgs One Click Orgs	—	0.01	Dec 6, 2011	Multiple open redirect vulnerabilities in One Click Orgs before 1.2.3 allow (1) remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the return_to parameter, and allow (2) remote authenticated users to redirect users to arbitrary web sites…
CVE-2011-2397	Ironmountain Connected Backup	—	0.06	Dec 5, 2011	The Agent service in Iron Mountain Connected Backup 8.4 allows remote attackers to execute arbitrary code via a crafted opcode 13 request that triggers use of the LaunchCompoundFileAnalyzer class to send request data to the System.getRunTime.exec method.
CVE-2011-4405	Canonical Ubuntu Linux	—	0.03	Nov 29, 2011	The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and 11.10, as used by the automatic printer driver download service, uses an "insecure connection" for queries to the OpenPrinting database, which allows remote attackers to execute arbitrary code via a…
CVE-2011-3367	Arora Browser Arora	—	0.01	Nov 29, 2011	Arora, possibly 0.11 and other versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
CVE-2011-3366	Adjam Rekonq	—	0.01	Nov 29, 2011	Rekonq 0.7.0 and earlier does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
CVE-2011-3365	KDE Kde	—	0.01	Nov 29, 2011	The KDE SSL Wrapper (KSSL) API in KDE SC 4.6.0 through 4.7.1, and possibly earlier versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
CVE-2011-3150	Arturia Software Center	—	0.02	Nov 29, 2011	Software Center in Ubuntu 11.10, 11.04 10.10 does not properly validate server certificates, which allows remote attackers to execute arbitrary code or obtain sensitive information via a man-in-the-middle (MITM) attack.
CVE-2011-4249	RealNetworks Realplayer	—	0.03	Nov 24, 2011	Array index error in the RV30 codec in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2011-4311	Montala Resourcespace	—	0.02	Nov 19, 2011	ResourceSpace before 4.2.2833 does not properly validate access keys, which allows remote attackers to bypass intended resource restrictions via unspecified vectors.
CVE-2011-3646	PhpMyAdmin phpMyAdmin	—	0.02	Nov 17, 2011	phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message.
CVE-2011-2772	Mahara (software) Mahara	—	0.02	Nov 15, 2011	The get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which allows remote attackers to cause a denial of service (memory consumption) via a (1) large or (2) invalid image.
CVE-2011-3647	Mozilla Corporation Firefox	—	0.02	Nov 9, 2011	The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that…
CVE-2009-0905	IBM Websphere Mq	—	0.00	Oct 30, 2011	IBM WebSphere MQ 6.0 before 6.0.2.8 and 7.0 before 7.0.1.0 does not properly handle long group names, which might allow local users to gain privileges by leveraging combinations of group names with the same initial substring.
CVE-2011-3872	Puppet (software) Puppet	—	0.02	Oct 27, 2011	Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote…

CVE-2011-4602Dec 17, 2011
Pidgin (software)
Pidgin
risk 0.00cvss —epss 0.04
The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message.
CVE-2011-4755Dec 16, 2011
Parallels
Parallels Plesk Small Business Panel
risk 0.00cvss —epss 0.02
Parallels Plesk Small Business Panel 10.2.0 does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error) or possibly have unspecified other impact via a crafted cookie, as…
CVE-2011-4727Dec 16, 2011
Parallels
Parallels Plesk Panel
risk 0.00cvss —epss 0.02
The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error) or possibly have unspecified…
CVE-2011-3907Dec 13, 2011
Google
Chrome
risk 0.00cvss —epss 0.01
The view-source feature in Google Chrome before 16.0.912.63 allows remote attackers to spoof the URL bar via unspecified vectors.
CVE-2011-4685Dec 7, 2011
Opera
Opera
risk 0.00cvss —epss 0.02
Dragonfly in Opera before 11.60 allows remote attackers to cause a denial of service (application crash) via unspecified content on a web page, as demonstrated by forbes.com.
CVE-2011-4554Dec 6, 2011
Oneclickorgs
One Click Orgs
risk 0.00cvss —epss 0.01
One Click Orgs before 1.2.3 allows remote authenticated users to trigger crafted SMTP traffic via (1) " (double quote) and newline characters in an org name or (2) " (double quote) characters in an e-mail address, related to a "2nd Order SMTP Injection" issue.
CVE-2011-4553Dec 6, 2011
Oneclickorgs
One Click Orgs
risk 0.00cvss —epss 0.01
Multiple open redirect vulnerabilities in One Click Orgs before 1.2.3 allow (1) remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the return_to parameter, and allow (2) remote authenticated users to redirect users to arbitrary web sites…
CVE-2011-2397Dec 5, 2011
Ironmountain
Connected Backup
risk 0.00cvss —epss 0.06
The Agent service in Iron Mountain Connected Backup 8.4 allows remote attackers to execute arbitrary code via a crafted opcode 13 request that triggers use of the LaunchCompoundFileAnalyzer class to send request data to the System.getRunTime.exec method.
CVE-2011-4405Nov 29, 2011
Canonical
Ubuntu Linux
risk 0.00cvss —epss 0.03
The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and 11.10, as used by the automatic printer driver download service, uses an "insecure connection" for queries to the OpenPrinting database, which allows remote attackers to execute arbitrary code via a…
CVE-2011-3367Nov 29, 2011
Arora Browser
Arora
risk 0.00cvss —epss 0.01
Arora, possibly 0.11 and other versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
CVE-2011-3366Nov 29, 2011
Adjam
Rekonq
risk 0.00cvss —epss 0.01
Rekonq 0.7.0 and earlier does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
CVE-2011-3365Nov 29, 2011
KDE
Kde
risk 0.00cvss —epss 0.01
The KDE SSL Wrapper (KSSL) API in KDE SC 4.6.0 through 4.7.1, and possibly earlier versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
CVE-2011-3150Nov 29, 2011
Arturia
Software Center
risk 0.00cvss —epss 0.02
Software Center in Ubuntu 11.10, 11.04 10.10 does not properly validate server certificates, which allows remote attackers to execute arbitrary code or obtain sensitive information via a man-in-the-middle (MITM) attack.
CVE-2011-4249Nov 24, 2011
RealNetworks
Realplayer
risk 0.00cvss —epss 0.03
Array index error in the RV30 codec in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2011-4311Nov 19, 2011
Montala
Resourcespace
risk 0.00cvss —epss 0.02
ResourceSpace before 4.2.2833 does not properly validate access keys, which allows remote attackers to bypass intended resource restrictions via unspecified vectors.
CVE-2011-3646Nov 17, 2011
PhpMyAdmin
phpMyAdmin
risk 0.00cvss —epss 0.02
phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message.
CVE-2011-2772Nov 15, 2011
Mahara (software)
Mahara
risk 0.00cvss —epss 0.02
The get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which allows remote attackers to cause a denial of service (memory consumption) via a (1) large or (2) invalid image.
CVE-2011-3647Nov 9, 2011
Mozilla Corporation
Firefox
risk 0.00cvss —epss 0.02
The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that…
CVE-2009-0905Oct 30, 2011
IBM
Websphere Mq
risk 0.00cvss —epss 0.00
IBM WebSphere MQ 6.0 before 6.0.2.8 and 7.0 before 7.0.1.0 does not properly handle long group names, which might allow local users to gain privileges by leveraging combinations of group names with the same initial substring.
CVE-2011-3872Oct 27, 2011
Puppet (software)
Puppet
risk 0.00cvss —epss 0.02
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote…