CWE-233
Improper Handling of Parameters
Description
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-39
CVEs mapped to this weakness (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32998 | Cri | 0.61 | — | 0.00 | May 28, 2026 | This vulnerability in Veeam Service Provider Console allows for remote code execution. | ||
| CVE-2023-20514 | Hig | 0.57 | — | 0.00 | Feb 11, 2026 | Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution | ||
| CVE-2021-45478 | Med | 0.42 | 6.5 | 0.01 | Mar 2, 2023 | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2. | ||
| CVE-2021-45477 | Med | 0.42 | 6.5 | 0.01 | Mar 2, 2023 | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2. | ||
| CVE-2018-25233 | Med | 0.40 | 6.2 | 0.00 | Mar 30, 2026 | WebDrive 18.00.5057 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the username field during Secure WebDAV connection setup. Attackers can input a buffer-overflow payload of 5000 bytes in… | ||
| CVE-2026-22626 | Med | 0.32 | 4.9 | 0.00 | Jan 30, 2026 | Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages. | ||
| CVE-2023-1419 | Med | 0.31 | 5.9 | 0.00 | Nov 17, 2024 | A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data. | ||
| CVE-2026-33585 | Low | 0.25 | 3.8 | 0.00 | May 13, 2026 | Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session. This issue affects Symmetric Key Agreement Platform: before 26.03. | ||
| CVE-2024-9329 | — | 0.00 | — | 0.01 | Sep 30, 2024 | In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a… | ||
| CVE-2024-25979 | 0.00 | — | 0.01 | Feb 19, 2024 | The URL parameters accepted by forum search were not limited to the allowed parameters. | |||
| CVE-2023-50727 | 0.00 | — | 0.01 | Dec 22, 2023 | Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /"><svg%20onload=alert(domain)>. This issue has been patched in version 2.6.0. | |||
| CVE-2023-50725 | 0.00 | — | 0.01 | Dec 22, 2023 | Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=" and… | |||
| CVE-2023-50724 | 0.00 | — | 0.00 | Dec 21, 2023 | Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path… | |||
| CVE-2022-3697 | — | 0.00 | — | 0.01 | Oct 28, 2022 | A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password… | ||
| CVE-2021-28675 | — | 0.00 | — | 0.01 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
- risk 0.61cvss —epss 0.00
This vulnerability in Veeam Service Provider Console allows for remote code execution.
- risk 0.57cvss —epss 0.00
Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution
- risk 0.42cvss 6.5epss 0.01
Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2.
- risk 0.42cvss 6.5epss 0.01
Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2.
- risk 0.40cvss 6.2epss 0.00
WebDrive 18.00.5057 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the username field during Secure WebDAV connection setup. Attackers can input a buffer-overflow payload of 5000 bytes in…
- risk 0.32cvss 4.9epss 0.00
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
- risk 0.31cvss 5.9epss 0.00
A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.
- risk 0.25cvss 3.8epss 0.00
Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session. This issue affects Symmetric Key Agreement Platform: before 26.03.
- CVE-2024-9329Sep 30, 2024risk 0.00cvss —epss 0.01
In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a…
- CVE-2024-25979Feb 19, 2024risk 0.00cvss —epss 0.01
The URL parameters accepted by forum search were not limited to the allowed parameters.
- CVE-2023-50727Dec 22, 2023risk 0.00cvss —epss 0.01
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /"><svg%20onload=alert(domain)>. This issue has been patched in version 2.6.0.
- CVE-2023-50725Dec 22, 2023risk 0.00cvss —epss 0.01
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=" and…
- CVE-2023-50724Dec 21, 2023risk 0.00cvss —epss 0.00
Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path…
- CVE-2022-3697Oct 28, 2022risk 0.00cvss —epss 0.01
A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password…
- CVE-2021-28675Jun 2, 2021risk 0.00cvss —epss 0.01
An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.