CWE-20: Improper Input Validation
11,529 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-20 (page 103 of 231)
- CVE-2019-1072 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-07-15
A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability'.
- CVE-2019-10769 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-12-06
safer-eval is an npm package to sandbox the evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.
- CVE-2019-10786 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-04
network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync()" argument.
- CVE-2019-1079 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-07-15
An information disclosure vulnerability exists when Visual Studio improperly parses XML input in certain settings files, aka 'Visual Studio Information Disclosure Vulnerability'.
- CVE-2019-10790 | HIGH | CVSS 7.5 | EG 7.5 | 2020-02-17
taffydb npm module, vulnerable in all versions up to and including 2.7.3, allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal …
- CVE-2019-10937 | HIGH | CVSS 7.5 | EG 7.5 | 2019-09-13
A vulnerability has been identified in SIMATIC TDC CP51M1 (All versions < V1.1.7). An attacker with network access to the device could cause a Denial-of-Service condition by sending a specially crafted UDP packet. The vulnerability affects…
- CVE-2019-10969 | HIGH | CVSS 7.2 | EG 7.2 | 2019-10-08
Moxa EDR 810, all versions 5.1 and prior, allows an authenticated attacker to abuse the ping feature to execute unauthorized commands on the router, which may allow an attacker to perform remote code execution.
- CVE-2019-10973 | HIGH | CVSS 7.2 | EG 7.2 | 2019-07-08
Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface.
- CVE-2019-11014 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-04-08
The VStarCam vstc.vscam.client library and vstc.vscam shared object, as used in the Eye4 application (for Android, iOS, and Windows), do not prevent spoofing of the camera server. An attacker can create a fake camera server that listens fo…
- CVE-2019-11069 | HIGH | CVSS 7.5 | EG 7.5 | 2019-04-10
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.
- CVE-2019-11071 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-10
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
- CVE-2019-11085 | HIGH | CVSS 7.8 | EG 7.8 | 2019-05-17
Insufficient input validation in Kernel Mode Driver in Intel(R) i915 Graphics for Linux before version 5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2019-11086 | MEDIUM | CVSS 6.8 | EG 6.8 | 2019-12-18
Insufficient input validation in subsystem for Intel(R) AMT before version 12.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
- CVE-2019-11087 | MEDIUM | CVSS 6.7 | EG 6.7 | 2019-12-18
Insufficient input validation in the subsystem for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable es…
- CVE-2019-11088 | HIGH | CVSS 8.8 | EG 8.8 | 2019-12-18
Insufficient input validation in subsystem in Intel(R) AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
- CVE-2019-11089 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-11-14
Insufficient input validation in Kernel Mode module for Intel(R) Graphics Driver before version 25.20.100.6519 may allow an authenticated user to potentially enable denial of service via local access.
- CVE-2019-1109 | CRITICAL | CVSS 9.1 | EG 9.1 | 2019-07-15
A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making a request to Office documents. An attacker who successfully exploited this vulnerability could read or write information in …
- CVE-2019-11094 | HIGH | CVSS 7.8 | EG 7.8 | 2019-05-17
Insufficient input validation in system firmware for Intel(R) NUC Kit may allow an authenticated user to potentially enable escalation of privilege, denial of service, and/or information disclosure via local access.
- CVE-2019-11098 | MEDIUM | CVSS 6.8 | EG 6.8 | 2021-07-14
Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
- CVE-2019-11100 | MEDIUM | CVSS 4.6 | EG 4.6 | 2019-12-18
Insufficient input validation in the subsystem for Intel(R) AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow an unauthenticated user to potentially enable information disclosure via physical access.
- CVE-2019-11101 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-12-18
Insufficient input validation in the subsystem for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable in…
- CVE-2019-11102 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-12-18
Insufficient input validation in Intel(R) DAL software for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially e…
- CVE-2019-11103 | HIGH | CVSS 7.8 | EG 7.8 | 2019-12-18
Insufficient input validation in firmware update software for Intel(R) CSME before versions 12.0.45, 13.0.10 and 14.0.10 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2019-11104 | HIGH | CVSS 7.8 | EG 7.8 | 2019-12-18
Insufficient input validation in MEInfo software for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially ena…
- CVE-2019-11107 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-12-18
Insufficient input validation in the subsystem for Intel(R) AMT before version 12.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
- CVE-2019-11108 | MEDIUM | CVSS 6.7 | EG 6.7 | 2019-12-18
Insufficient input validation in subsystem for Intel(R) CSME before versions 12.0.45 and 13.0.10 may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2019-11114 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-05-17
Insufficient input validation in Intel(R) Driver & Support Assistant version 19.3.12.3 and before may allow a privileged user to potentially enable denial of service via local access.
- CVE-2019-11123 | MEDIUM | CVSS 6.7 | EG 6.7 | 2019-06-13
Insufficient session validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
- CVE-2019-11125 | MEDIUM | CVSS 6.7 | EG 6.7 | 2019-06-13
Insufficient input validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
- CVE-2019-11128 | MEDIUM | CVSS 6.7 | EG 6.7 | 2019-06-13
Insufficient input validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
- CVE-2019-1113 | HIGH | CVSS 8.8 | EG 8.8 | 2019-07-15
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user…
- CVE-2019-11137 | HIGH | CVSS 8.2 | EG 8.2 | 2019-11-14
Insufficient input validation in system firmware for Intel(R) Xeon(R) Scalable Processors, Intel(R) Xeon(R) Processors D Family, Intel(R) Xeon(R) Processors E5 v4 Family, Intel(R) Xeon(R) Processors E7 v4 Family and Intel(R) Atom(R) proces…
- CVE-2019-11140 | MEDIUM | CVSS 6.7 | EG 6.7 | 2019-08-19
Insufficient session validation in system firmware for Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
- CVE-2019-11175 | HIGH | CVSS 7.5 | EG 7.5 | 2019-11-14
Insufficient input validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable denial of service via network access.
- CVE-2019-11179 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-11-14
Insufficient input validation in Intel(R) Baseboard Management Controller firmware may allow an authenticated user to potentially enable information disclosure via network access.
- CVE-2019-11180 | HIGH | CVSS 7.5 | EG 7.5 | 2019-11-14
Insufficient input validation in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable denial of service via network access.
- CVE-2019-11218 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-24
Improper handling of extra parameters in the AccountController (User Profile edit) in Jakub Chodounsky Bonobo Git Server before 6.5.0 allows authenticated users to gain application administrator privileges via additional form parameter sub…
- CVE-2019-11228 | HIGH | CVSS 7.5 | EG 7.5 | 2019-04-15
repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress.
- CVE-2019-11247 | HIGH | CVSS 8.1 | EG 8.1 | 2019-08-29
The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role…
- CVE-2019-11253 | HIGH | CVSS 7.5 | EG 9.0 | 2019-10-17
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume e…
- CVE-2019-11255 | MEDIUM | CVSS 4.8 | EG 4.8 | 2019-12-05
Improper input validation in Kubernetes CSI sidecar containers for external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1), external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer (v0.1, v0.2) could result in un…
- CVE-2019-11289 | HIGH | CVSS 8.6 | EG 8.6 | 2019-11-19
Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthenticated malicious user could forge an HTTP route service request using an invalid nonce that will cause the Gorouter to crash.
- CVE-2019-11340 | MEDIUM | CVSS 5.9 | EG 5.9 | 2019-04-19
util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which a…
- CVE-2019-11417 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-04-22
system.cgi on TRENDnet TV-IP110WN cameras has a buffer overflow caused by an inadequate source-length check before a strcpy operation in the respondAsp function. Attackers can exploit the vulnerability by using the languse parameter with a…
- CVE-2019-11460 | CRITICAL | CVSS 9.0 | EG 9.0 | 2019-04-22
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push …
- CVE-2019-11595 | CRITICAL | CVSS 9.0 | EG 9.0 | 2019-04-29
In uBlock before 0.9.5.15, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an…
- CVE-2019-11687 | HIGH | CVSS 7.8 | EG 7.8 | 2019-05-02
An issue was discovered in the DICOM Part 10 File Format in the NEMA DICOM Standard 1995 through 2019b and continuing in current implementations. The 128-byte preamble of a DICOM file that complies with this specification can contain arbit…
- CVE-2019-11696 | HIGH | CVSS 7.8 | EG 7.8 | 2019-07-23
Files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts even though they can be executed if Java is installed on the local system. This could allow users to mistakenl…
- CVE-2019-11697 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-07-23
If the ALT and "a" keys are pressed when users receive an extension installation prompt, the extension will be installed without the install prompt delay that keeps the prompt visible in order for users to accept or decline the installatio…
- CVE-2019-11698 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-07-23
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitte…