VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 364 of 401
  • CVE-2010-3750Oct 19, 2010
    risk 0.00cvss epss 0.06

    rjrmrpln.dll in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, and RealPlayer Enterprise 2.1.2 does not properly validate file contents that are used during interaction with a heap buffer, which allows remote attackers to execute arbitrary code via…

  • CVE-2010-2998Oct 19, 2010
    risk 0.00cvss epss 0.06

    Array index error in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.0.1 allows remote attackers to execute arbitrary code via malformed sample data in a RealMedia .IVR file, related to a "malformed IVR pointer index" issue.

  • CVE-2010-3901Oct 14, 2010
    risk 0.00cvss epss 0.01

    OpenConnect before 2.25 does not properly validate X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary AnyConnect SSL VPN servers via a crafted server certificate that (1) does not correspond to the server hostname or (2) is presented in circumstances…

  • CVE-2010-1322Oct 7, 2010
    risk 0.00cvss epss 0.03

    The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or…

  • CVE-2010-2888Oct 6, 2010
    risk 0.00cvss epss 0.06

    Multiple unspecified vulnerabilities in an ActiveX control in Adobe Reader and Acrobat 8.x before 8.2.5 and 9.x before 9.4 on Windows allow attackers to execute arbitrary code via unknown vectors.

  • CVE-2010-3756Oct 5, 2010
    risk 0.00cvss epss 0.01

    The _CalcHashValueWithLength function in FastBackServer.exe in the Server in IBM Tivoli Storage Manager (TSM) FastBack 5.5.0.0 through 5.5.6.0 and 6.1.0.0 through 6.1.0.1 does not properly validate an unspecified length value, which allows remote attackers to cause a denial of…

  • CVE-2010-3732Oct 5, 2010
    risk 0.00cvss epss 0.01

    The DRDA Services component in IBM DB2 UDB 9.5 before FP6a allows remote authenticated users to cause a denial of service (database server ABEND) by using the client CLI on Linux, UNIX, or Windows for executing a prepared statement with a large number of parameter markers.

  • CVE-2010-2946Sep 29, 2010
    risk 0.00cvss epss 0.00

    fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an "os2." substring at the beginning of a name.

  • CVE-2010-3283Sep 24, 2010
    risk 0.00cvss epss 0.01

    Open redirect vulnerability in HP System Management Homepage (SMH) before 6.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2010-3476Sep 20, 2010
    risk 0.00cvss epss 0.03

    Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a…

  • CVE-2010-3473Sep 20, 2010
    risk 0.00cvss epss 0.01

    Open redirect vulnerability in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2010-3011Sep 17, 2010
    risk 0.00cvss epss 0.04

    CRLF injection vulnerability in HP System Management Homepage (SMH) before 6.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

  • CVE-2010-2580Sep 15, 2010
    risk 0.00cvss epss 0.04

    The SMTP service (MESMTPC.exe) in MailEnable 3.x and 4.25 does not properly perform a length check, which allows remote attackers to cause a denial of service (crash) via a long (1) email address in the MAIL FROM command, or (2) domain name in the RCPT TO command, which triggers…

  • CVE-2010-3320Sep 13, 2010
    risk 0.00cvss epss 0.01

    Open redirect vulnerability in IBM Records Manager (RM) 4.5.x before 4.5.1.1-IER-FP001 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2010-2952Sep 13, 2010
    risk 0.00cvss epss 0.03

    Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and does not properly use DNS query fields to validate responses, which makes it easier for man-in-the-middle attackers to poison the internal DNS…

  • CVE-2010-3247Sep 7, 2010
    risk 0.00cvss epss 0.01

    Google Chrome before 6.0.472.53 does not properly restrict the characters in URLs, which allows remote attackers to spoof the appearance of the URL bar via homographic sequences.

  • CVE-2010-2248Sep 7, 2010
    risk 0.00cvss epss 0.04

    fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the…

  • CVE-2010-3186Aug 30, 2010
    risk 0.00cvss epss 0.03

    IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has…

  • CVE-2010-2878Aug 26, 2010
    risk 0.00cvss epss 0.06

    DIRAPIX.dll in Adobe Shockwave Player before 11.5.8.612 does not properly validate a value associated with a buffer seek for a Director movie, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie.

  • CVE-2010-2877Aug 26, 2010
    risk 0.00cvss epss 0.06

    Adobe Shockwave Player before 11.5.8.612 does not properly validate a count value in a Director movie, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie, related to IML32X.dll and DIRAPIX.dll.