VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 37 of 401
  • CVE-2020-1747CriMar 24, 2020
    risk 0.57cvss 9.8epss 0.05

    A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process…

  • CVE-2020-10108CriMar 12, 2020
    risk 0.57cvss 9.8epss 0.04

    In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

  • CVE-2014-4657CriFeb 20, 2020
    risk 0.57cvss 9.8epss 0.04

    The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.

  • CVE-2020-8125CriFeb 4, 2020
    risk 0.57cvss 9.8epss 0.04

    Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.

  • CVE-2015-2784CriJan 21, 2020
    risk 0.57cvss 9.8epss 0.02

    The papercrop gem before 0.3.0 for Ruby on Rails does not properly handle crop input.

  • CVE-2020-6948CriJan 13, 2020
    risk 0.57cvss 9.8epss 0.04

    A remote code execution issue was discovered in HashBrown CMS through 1.3.3. Server/Entity/Deployer/GitDeployer.js has a Service.AppService.exec call that mishandles the URL, repository, username, and password.

  • CVE-2011-1028CriNov 20, 2019
    risk 0.57cvss 9.8epss 0.02

    The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file.

  • CVE-2012-4438HigNov 18, 2019
    risk 0.57cvss 8.8epss 0.02

    Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.

  • CVE-2019-16676CriSep 30, 2019
    risk 0.57cvss 9.8epss 0.03

    Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.

  • CVE-2019-16142CriSep 9, 2019
    risk 0.57cvss 9.8epss 0.02

    An issue was discovered in the renderdoc crate before 0.5.0 for Rust. Multiple exposed methods take self by immutable reference, which is incompatible with a multi-threaded application.

  • CVE-2019-15657CriAug 26, 2019
    risk 0.57cvss 9.8epss 0.02

    In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

  • CVE-2019-10199HigAug 14, 2019
    risk 0.57cvss 8.8epss 0.01

    It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

  • CVE-2019-10648CriMar 30, 2019
    risk 0.57cvss 9.8epss 0.02

    Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.

  • CVE-2018-6333CriDec 31, 2018
    risk 0.57cvss 9.8epss 0.02

    The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code…

  • CVE-2018-0472HigOct 5, 2018
    risk 0.57cvss 8.6epss 0.16

    A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the device to reload. The vulnerability is due to improper processing…

  • CVE-2018-6055HigSep 25, 2018
    risk 0.57cvss 8.8epss 0.01

    Insufficient policy enforcement in Catalog Service in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially run arbitrary code outside sandbox via a crafted HTML page.

  • CVE-2018-6043HigSep 25, 2018
    risk 0.57cvss 8.8epss 0.02

    Insufficient data validation in External Protocol Handler in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially execute arbitrary programs on user machine via a crafted HTML page.

  • CVE-2018-6033HigSep 25, 2018
    risk 0.57cvss 8.8epss 0.01

    Insufficient data validation in Downloads in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially run arbitrary code outside sandbox via a crafted Chrome Extension.

  • CVE-2018-14318HigSep 24, 2018
    risk 0.57cvss 8.8epss 0.02

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists…

  • CVE-2018-10496HigSep 24, 2018
    risk 0.57cvss 8.8epss 0.02

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Internet Browser Fixed in version 6.4.0.15. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious…