VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 93 of 401
  • CVE-2017-5422HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    If a malicious site uses the "view-source:" protocol in a series within a single hyperlink, it can trigger a non-exploitable browser crash when the hyperlink is selected. This was fixed by no longer making "view-source:" linkable. This vulnerability affects Firefox < 52 and…

  • CVE-2017-5421HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    A malicious site could spoof the contents of the print preview window if popup windows are enabled, resulting in user confusion of what site is currently loaded. This vulnerability affects Firefox < 52 and Thunderbird < 52.

  • CVE-2016-9065HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification. Note: This issue only affects Firefox for Android. Other versions and operating systems are…

  • CVE-2018-12025HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    The transferFrom function of a smart contract implementation for FuturXE (FXE), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized transfer of digital assets because of a logic error. The developer messed up with the boolean judgment - if the input value is…

  • CVE-2018-12088HigJun 10, 2018
    risk 0.49cvss 7.5epss 0.02

    S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts…

  • CVE-2018-12046HigJun 8, 2018
    risk 0.49cvss 7.5epss 0.01

    DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage_control.php via a dede/file_manage_view.php?fmdo=newfile request with name and str parameters, as demonstrated by writing to a new .php file.

  • CVE-2018-12041HigJun 8, 2018
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered on the MediaTek AWUS036NH wireless USB adapter through 5.1.25.0. Attackers can remotely deny service by sending specially constructed 802.11 frames.

  • CVE-2017-16113HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.02

    The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

  • CVE-2018-3852HigJun 6, 2018
    risk 0.49cvss 7.5epss 0.02

    An exploitable denial of service vulnerability exists in the Ocularis Recorder functionality of Ocularis 5.5.0.242. A specially crafted TCP packet can cause a process to terminate resulting in denial of service. An attacker can send a crafted TCP packet to trigger this…

  • CVE-2017-16023HigJun 4, 2018
    risk 0.49cvss 7.5epss 0.01

    Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.

  • CVE-2017-16013HigJun 4, 2018
    risk 0.49cvss 7.5epss 0.02

    hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.

  • CVE-2017-16005HigJun 4, 2018
    risk 0.49cvss 7.5epss 0.01

    Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he…

  • CVE-2018-5513HigJun 1, 2018
    risk 0.49cvss 7.5epss 0.02

    On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.3, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, a malformed TLS handshake causes TMM to crash leading to a disruption of service. This issue is only exposed on the data plane when Proxy SSL configuration is enabled. The control…

  • CVE-2016-10540HigMay 31, 2018
    risk 0.49cvss 7.5epss 0.02

    Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.

  • CVE-2016-10539HigMay 31, 2018
    risk 0.49cvss 7.5epss 0.01

    negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted…

  • CVE-2016-10521HigMay 31, 2018
    risk 0.49cvss 7.5epss 0.01

    jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.

  • CVE-2016-10520HigMay 31, 2018
    risk 0.49cvss 7.5epss 0.01

    jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

  • CVE-2015-9239HigMay 31, 2018
    risk 0.49cvss 7.5epss 0.01

    ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

  • CVE-2018-11548HigMay 29, 2018
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in EOS.IO DAWN 4.2. plugins/net_plugin/net_plugin.cpp does not limit the number of P2P connections from the same source IP address.

  • CVE-2018-11411HigMay 24, 2018
    risk 0.49cvss 7.5epss 0.01

    The transferFrom function of a smart contract implementation for DimonCoin (FUD), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect.