VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 80 of 401
  • CVE-2023-36049HigNov 14, 2023
    risk 0.50cvss 7.6epss 0.13

    .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

  • CVE-2023-39913HigNov 8, 2023
    risk 0.50cvss 8.8epss 0.01

    Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which…

  • CVE-2023-3893HigNov 3, 2023
    risk 0.50cvss 8.8epss 0.03

    A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running …

  • CVE-2023-3955HigOct 31, 2023
    risk 0.50cvss 8.8epss 0.03

    A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

  • CVE-2023-5043HigOct 25, 2023
    risk 0.50cvss 7.6epss 0.02

    Ingress nginx annotation injection causes arbitrary command execution.

  • CVE-2023-27604HigAug 28, 2023
    risk 0.50cvss 8.8epss 0.01

    Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The…

  • CVE-2023-36821HigJul 5, 2023
    risk 0.50cvss 8.8epss 0.02

    Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins.…

  • CVE-2023-1888HigJun 9, 2023
    risk 0.50cvss 8.8epss 0.01

    The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and…

  • CVE-2023-0100HigMar 15, 2023
    risk 0.50cvss 8.8epss 0.01

    In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched…

  • CVE-2022-24881HigApr 26, 2022
    risk 0.50cvss 8.8epss 0.03

    Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates…

  • CVE-2021-21408HigJan 10, 2022
    risk 0.50cvss 8.8epss 0.02

    Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

  • CVE-2020-15098HigJul 29, 2020
    risk 0.50cvss 8.8epss 0.02

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a…

  • CVE-2020-1714HigMay 13, 2020
    risk 0.50cvss 8.8epss 0.03

    A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially…

  • CVE-2020-10235HigMar 9, 2020
    risk 0.50cvss 8.8epss 0.02

    An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in…

  • CVE-2020-2110HigFeb 12, 2020
    risk 0.50cvss 8.8epss 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

  • CVE-2020-2109HigFeb 12, 2020
    risk 0.50cvss 8.8epss 0.01

    Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

  • CVE-2019-7885HigAug 2, 2019
    risk 0.50cvss 8.8epss 0.02

    Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the…

  • CVE-2017-15720HigJan 23, 2019
    risk 0.50cvss 8.8epss 0.02

    In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.

  • CVE-2018-14631HigSep 17, 2018
    risk 0.50cvss 8.8epss 0.02

    moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected…

  • CVE-2018-8316HigAug 15, 2018
    risk 0.50cvss 7.5epss 0.14

    A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 11, Internet Explorer 10.