VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (6,893)

page 340 of 345
  • CVE-2007-1426Mar 13, 2007
    Astrocam
    Astrocam
    risk 0.00cvss epss 0.02

    The web interface in AstroCam 2.0.0 through 2.6.5 allows remote attackers to cause a denial of service (daemon shutdown) via requests that contain a large amount of data in the "a" variable, which "fills up the message queue."

  • CVE-2006-7160Mar 7, 2007
    Agnitum
    Outpost Firewall
    risk 0.00cvss epss 0.00

    The Sandbox.sys driver in Outpost Firewall PRO 4.0, and possibly earlier versions, does not validate arguments to hooked SSDT functions, which allows local users to cause a denial of service (crash) via invalid arguments to the (1) NtAssignProcessToJobObject,, (2) NtCreateKey,…

  • CVE-2006-7113Mar 6, 2007
    P News
    P News
    risk 0.00cvss epss 0.01

    Unrestricted file upload vulnerability in P-News 2.0 allows remote attackers to upload and execute arbitrary files via an avatar file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2007-1257Mar 3, 2007
    Cisco Systems, Inc.
    Catalyst 6500 Ws Svc Nam 1
    risk 0.00cvss epss 0.03

    The Network Analysis Module (NAM) in Cisco Catalyst Series 6000, 6500, and 7600 allows remote attackers to execute arbitrary commands via certain SNMP packets that are spoofed from the NAM's own IP address.

  • CVE-2007-1235Mar 3, 2007
    Bj Sintay
    Sitex
    risk 0.00cvss epss 0.01

    Unrestricted file upload vulnerability in sitex allows remote attackers to upload arbitrary PHP code via an avatar filename with a double extension such as .php.jpg, which fails verification and is saved as a .php file.

  • CVE-2007-1155Mar 2, 2007
    Webspell
    Webspell
    risk 0.00cvss epss 0.01

    Unrestricted file upload vulnerability in webSPELL allows remote authenticated administrators to upload and execute arbitrary PHP code via the add squad feature. NOTE: this issue may be an administrative feature, in which case this CVE may be REJECTED.

  • CVE-2007-1136Mar 2, 2007
    Webmplayer
    Webmplayer
    risk 0.00cvss epss 0.03

    index.php in WebMplayer before 0.6.1-Alpha allows remote attackers to execute arbitrary code via shell metacharacters in an exec function call. NOTE: some sources have referred to this as eval injection in the param parameter, but CVE source inspection suggests that this is…

  • CVE-2007-1097Feb 26, 2007
    Wiclear
    Wiclear
    risk 0.00cvss epss 0.01

    Unrestricted file upload vulnerability in the onAttachFiles function in the upload tool (inc/lib/attachment.lib.php) in Wiclear before 0.11.1 allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors related to filename validation. NOTE: some…

  • CVE-2006-6979Feb 8, 2007
    Amarok
    Amarok
    risk 0.00cvss epss 0.01

    The ruby handlers in the Magnatune component in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters.

  • CVE-2006-2220Feb 8, 2007
    PhpBB
    phpBB
    risk 0.00cvss epss 0.00

    phpBB 2.0.20 does not properly verify user-specified input variables used as limits to SQL queries, which allows remote attackers to obtain sensitive information via a negative LIMIT specification, as demonstrated by the start parameter to memberlist.php, which reveals the SQL…

  • CVE-2006-2219Feb 8, 2007
    PhpBB
    phpBB
    risk 0.00cvss epss 0.01

    phpBB 2.0.20 does not verify user-specified input variable types before being passed to type-dependent functions, which allows remote attackers to obtain sensitive information, as demonstrated by the (1) mode parameter to memberlist.php and the (2) highlight parameter to…

  • CVE-2007-0802Feb 7, 2007
    Mozilla Corporation
    Firefox
    risk 0.00cvss epss 0.01

    Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter.

  • CVE-2006-6971Feb 7, 2007
    Mozilla Corporation
    Firefox
    risk 0.00cvss epss 0.00

    Mozilla Firefox 2.0, possibly only when running on Windows, allows remote attackers to bypass the Phishing Protection mechanism by representing an IP address in (1) dotted-hex, (2) dotted-octal, (3) single decimal integer, (4) single hex integer, or (5) single octal integer…

  • CVE-2006-6955Jan 29, 2007
    Opera
    Opera
    risk 0.00cvss epss 0.01

    Opera allows remote attackers to cause a denial of service (application crash) via a web page that contains a large number of nested marquee tags, a related issue to CVE-2006-2723.

  • CVE-2006-6954Jan 29, 2007
    Flock
    Flock
    risk 0.00cvss epss 0.01

    Flock beta 1 0.7 allows remote attackers to cause a denial of service (application crash) via a web page that contains a large number of nested marquee tags, a related issue to CVE-2006-2723.

  • CVE-2007-0522Jan 26, 2007
    Motorola
    Motorazr
    risk 0.00cvss epss 0.00

    The Motorola MOTORAZR V3 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.

  • CVE-2007-0521Jan 26, 2007
    Sony Ericsson
    K700i
    risk 0.00cvss epss 0.00

    The Sony Ericsson K700i and W810i phones allow remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.

  • CVE-2007-0523Jan 26, 2007
    Nokia
    N70
    risk 0.00cvss epss 0.00

    The Nokia N70 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.

  • CVE-2007-0524Jan 26, 2007
    LG Electronics
    Chocolate Kg800
    risk 0.00cvss epss 0.00

    The LG Chocolate KG800 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.

  • CVE-2006-6852Dec 31, 2006
    Tdiary
    Tdiary
    risk 0.00cvss epss 0.01

    Eval injection vulnerability in tDiary 2.0.3 and 2.1.4.200 61127 allows remote authenticated users to execute arbitrary Ruby code via unspecified vectors, possibly related to incorrect input validation by (1) conf.rhtml and (2) i.conf.rhtml. NOTE: some of these details are…