VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 99 of 401
  • CVE-2017-1000247HigNov 17, 2017
    risk 0.49cvss 7.5epss 0.01

    British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerable to HTTP Header Injection in the set_status_header() common function under Apache resulting in HTTP Header Injection flaws.

  • CVE-2017-0858HigNov 16, 2017
    risk 0.49cvss 7.5epss 0.01

    Another vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-64836894.

  • CVE-2017-8815HigNov 15, 2017
    risk 0.49cvss 7.5epss 0.02

    The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.

  • CVE-2017-8814HigNov 15, 2017
    risk 0.49cvss 7.5epss 0.02

    The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk."

  • CVE-2017-11177HigNov 6, 2017
    risk 0.49cvss 7.5epss 0.01

    TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict file access in an unspecified directory.

  • CVE-2017-14919HigOct 30, 2017
    risk 0.49cvss 7.5epss 0.08

    Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

  • CVE-2017-15928HigOct 27, 2017
    risk 0.49cvss 7.5epss 0.02

    In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication.

  • CVE-2017-1210HigOct 24, 2017
    risk 0.49cvss 7.5epss 0.01

    IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0.2 could allow an unauthenticated attacker to inject data into log files made to look legitimate. IBM X-Force ID: 123850.

  • CVE-2017-2132HigOct 20, 2017
    risk 0.49cvss 7.5epss 0.01

    Panasonic KX-HJB1000 Home unit devices with firmware GHX1YG 14.50 or HJB1000_4.47 allow an attacker to delete arbitrary files in a specific directory via unspecified vectors.

  • CVE-2017-10610HigOct 13, 2017
    risk 0.49cvss 7.5epss 0.01

    On SRX Series devices, a crafted ICMP packet embedded within a NAT64 IPv6 to IPv4 tunnel may cause the flowd process to crash. Repeated crashes of the flowd process constitutes an extended denial of service condition for the SRX Series device. This issue only occurs if NAT64 is…

  • CVE-2017-5721HigOct 11, 2017
    risk 0.49cvss 7.5epss 0.01

    Insufficient input validation in system firmware for Intel NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attackers to execute arbitrary code via manipulation of memory.

  • CVE-2017-9272HigOct 6, 2017
    risk 0.49cvss 7.5epss 0.01

    The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susceptible to a denial of service attack.

  • CVE-2017-1002153HigOct 6, 2017
    risk 0.49cvss 7.5epss 0.01

    Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.

  • CVE-2017-8018HigOct 3, 2017
    risk 0.49cvss 7.5epss 0.01

    EMC AppSync host plug-in versions 3.5 and below (Windows platform only) includes a denial of service (DoS) vulnerability that could potentially be exploited by malicious users to compromise the affected system.

  • CVE-2017-14944HigSep 30, 2017
    risk 0.49cvss 7.5epss 0.01

    Inedo ProGet before 4.7.14 does not properly address dangerous package IDs during package addition, aka PG-1060.

  • CVE-2017-14935HigSep 30, 2017
    risk 0.49cvss 7.5epss 0.01

    Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.

  • CVE-2015-7318HigSep 25, 2017
    risk 0.49cvss 7.5epss 0.02

    Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.

  • CVE-2017-9793HigSep 20, 2017
    risk 0.49cvss 7.5epss 0.09

    The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

  • CVE-2015-5179HigSep 20, 2017
    risk 0.49cvss 7.5epss 0.01

    FreeIPA might display user data improperly via vectors involving non-printable characters.

  • CVE-2017-14511HigSep 17, 2017
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through 617. When an external applicant registers to the E-Recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers…