CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (8,003)
page 62 of 401| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-15408 | Hig | 0.51 | 7.8 | 0.02 | Oct 5, 2018 | A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates… | ||
| CVE-2015-9268 | Hig | 0.51 | 7.8 | 0.02 | Oct 1, 2018 | Nullsoft Scriptable Install System (NSIS) before 2.49 has unsafe implicit linking against Version.dll. In other words, there is no protection mechanism in which a wrapper function resolves the dependency at an appropriate time during runtime. | ||
| CVE-2018-10502 | Hig | 0.51 | 7.8 | 0.00 | Sep 24, 2018 | This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.… | ||
| CVE-2018-10497 | Hig | 0.51 | 7.8 | 0.00 | Sep 24, 2018 | This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Email Fixed in version 5.0.02.16. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The… | ||
| CVE-2018-14889 | Hig | 0.51 | 7.8 | 0.01 | Sep 21, 2018 | CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability. | ||
| CVE-2018-11302 | Hig | 0.51 | 7.8 | 0.00 | Sep 18, 2018 | In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from userspace before copying into buffer can lead to potential array overflow in WLAN. | ||
| CVE-2018-14630 | — | Hig | 0.51 | 8.8 | 0.04 | Sep 17, 2018 | moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within… | |
| CVE-2018-7923 | Hig | 0.51 | 7.8 | 0.01 | Sep 12, 2018 | Huawei ALP-L09 smart phones with versions earlier than ALP-L09 8.0.0.150(C432) have an insufficient input validation vulnerability due to lack of parameter check. An attacker tricks the user who has root privilege to install a crafted application, the application may modify the… | ||
| CVE-2018-7922 | Hig | 0.51 | 7.8 | 0.01 | Sep 12, 2018 | Huawei ALP-L09 smart phones with versions earlier than ALP-L09 8.0.0.150(C432) have an insufficient input validation vulnerability due to lack of parameter check. An attacker tricks the user who has root privilege to install a crafted application, the application may modify the… | ||
| CVE-2017-1000600 | Hig | 0.51 | 8.8 | 0.04 | Sep 6, 2018 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be… | ||
| CVE-2018-15122 | Hig | 0.51 | 7.8 | 0.01 | Aug 16, 2018 | An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource. | ||
| CVE-2018-8412 | Hig | 0.51 | 7.8 | 0.01 | Aug 15, 2018 | An elevation of privilege vulnerability exists when the Microsoft AutoUpdate (MAU) application for Mac improperly validates updates before executing them, aka "Microsoft (MAU) Office Elevation of Privilege Vulnerability." This affects Microsoft Office. | ||
| CVE-2018-14923 | Hig | 0.51 | 7.8 | 0.01 | Aug 3, 2018 | A vulnerability in uniview EZPlayer 1.0.6 could allow an attacker to execute arbitrary code on a targeted system via video playback. | ||
| CVE-2018-3650 | Hig | 0.51 | 7.8 | 0.00 | Aug 1, 2018 | Insufficient Input Validation in Bleach module in INTEL Distribution for Python versions prior to IDP 2018 Update 2 allows unprivileged user to bypass URI sanitization via local vector. | ||
| CVE-2018-14581 | Hig | 0.51 | 7.8 | 0.02 | Jul 31, 2018 | Redgate .NET Reflector before 10.0.7.774 and SmartAssembly before 6.12.5 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific embedded resource file. | ||
| CVE-2018-10616 | Hig | 0.51 | 7.8 | 0.01 | Jul 18, 2018 | ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. | ||
| CVE-2017-18155 | Hig | 0.51 | 7.8 | 0.00 | Jul 12, 2018 | While playing HEVC content using HD DMB in Snapdragon Automobile and Snapdragon Mobile in version MSM8996AU, SD 450, SD 625, SD 820, SD 820A, SD 835, an uninitialized variable can be used leading to a kernel fault. | ||
| CVE-2018-8232 | Hig | 0.51 | 7.8 | 0.01 | Jul 11, 2018 | A Tampering vulnerability exists when Microsoft Macro Assembler improperly validates code, aka "Microsoft Macro Assembler Tampering Vulnerability." This affects Microsoft Visual Studio. | ||
| CVE-2018-3597 | Hig | 0.51 | 7.8 | 0.00 | Jul 6, 2018 | In the ADSP RPC driver in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, an arbitrary kernel write can occur. | ||
| CVE-2018-0337 | Hig | 0.51 | 7.8 | 0.00 | Jun 21, 2018 | A vulnerability in the role-based access-checking mechanisms of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on an affected device. The vulnerability exists because the affected software lacks proper input and validation checks… |
- risk 0.51cvss 7.8epss 0.02
A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates…
- risk 0.51cvss 7.8epss 0.02
Nullsoft Scriptable Install System (NSIS) before 2.49 has unsafe implicit linking against Version.dll. In other words, there is no protection mechanism in which a wrapper function resolves the dependency at an appropriate time during runtime.
- risk 0.51cvss 7.8epss 0.00
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.…
- risk 0.51cvss 7.8epss 0.00
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Email Fixed in version 5.0.02.16. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The…
- risk 0.51cvss 7.8epss 0.01
CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability.
- risk 0.51cvss 7.8epss 0.00
In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check of input received from userspace before copying into buffer can lead to potential array overflow in WLAN.
- risk 0.51cvss 8.8epss 0.04
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within…
- risk 0.51cvss 7.8epss 0.01
Huawei ALP-L09 smart phones with versions earlier than ALP-L09 8.0.0.150(C432) have an insufficient input validation vulnerability due to lack of parameter check. An attacker tricks the user who has root privilege to install a crafted application, the application may modify the…
- risk 0.51cvss 7.8epss 0.01
Huawei ALP-L09 smart phones with versions earlier than ALP-L09 8.0.0.150(C432) have an insufficient input validation vulnerability due to lack of parameter check. An attacker tricks the user who has root privilege to install a crafted application, the application may modify the…
- risk 0.51cvss 8.8epss 0.04
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be…
- risk 0.51cvss 7.8epss 0.01
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
- risk 0.51cvss 7.8epss 0.01
An elevation of privilege vulnerability exists when the Microsoft AutoUpdate (MAU) application for Mac improperly validates updates before executing them, aka "Microsoft (MAU) Office Elevation of Privilege Vulnerability." This affects Microsoft Office.
- risk 0.51cvss 7.8epss 0.01
A vulnerability in uniview EZPlayer 1.0.6 could allow an attacker to execute arbitrary code on a targeted system via video playback.
- risk 0.51cvss 7.8epss 0.00
Insufficient Input Validation in Bleach module in INTEL Distribution for Python versions prior to IDP 2018 Update 2 allows unprivileged user to bypass URI sanitization via local vector.
- risk 0.51cvss 7.8epss 0.02
Redgate .NET Reflector before 10.0.7.774 and SmartAssembly before 6.12.5 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific embedded resource file.
- risk 0.51cvss 7.8epss 0.01
ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used.
- risk 0.51cvss 7.8epss 0.00
While playing HEVC content using HD DMB in Snapdragon Automobile and Snapdragon Mobile in version MSM8996AU, SD 450, SD 625, SD 820, SD 820A, SD 835, an uninitialized variable can be used leading to a kernel fault.
- risk 0.51cvss 7.8epss 0.01
A Tampering vulnerability exists when Microsoft Macro Assembler improperly validates code, aka "Microsoft Macro Assembler Tampering Vulnerability." This affects Microsoft Visual Studio.
- risk 0.51cvss 7.8epss 0.00
In the ADSP RPC driver in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, an arbitrary kernel write can occur.
- risk 0.51cvss 7.8epss 0.00
A vulnerability in the role-based access-checking mechanisms of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on an affected device. The vulnerability exists because the affected software lacks proper input and validation checks…