CWE-20: Improper Input Validation
11,559 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-20 (page 171 of 232)
- CVE-2022-36859 | MEDIUM | CVSS 5.7 | EG 4.8 | 2022-09-09
Improper input validation vulnerability in SmartTagPlugin prior to version 1.2.21-6 allows privileged attackers to trigger an XSS on a victim's devices.
- CVE-2022-36868 | MEDIUM | CVSS 5.9 | EG 3.3 | 2022-10-07
Improper restriction of broadcasting Intent in MouseNKeyHidDevice prior to SMR Oct-2022 Release 1 leaks MAC address of the connected Bluetooth device.
- CVE-2022-36873 | MEDIUM | CVSS 5.9 | EG 6.5 | 2022-09-09
Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of Waterplugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device.
- CVE-2022-36960 | HIGH | CVSS 8.8 | EG 8.8 | 2022-11-29
SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.
- CVE-2022-37010 | LOW | CVSS 3.6 | EG 3.3 | 2022-07-28
In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed.
- CVE-2022-37327 | MEDIUM | CVSS 6.1 | EG 6.1 | 2023-05-10
Improper input validation in BIOS firmware for Intel(R) NUC, Intel(R) NUC Performance Kit, Intel(R) NUC Performance Mini PC, Intel(R) NUC 8 Compute Element, Intel(R) NUC Pro Kit, Intel(R) NUC Pro Board, Intel(R) NUC 11 Compute Element, Int…
- CVE-2022-37336 | HIGH | CVSS 7.9 | EG 7.9 | 2023-08-11
Improper input validation in BIOS firmware for some Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2022-3736 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-26
BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.…
- CVE-2022-37395 | HIGH | CVSS 7.5 | EG 7.5 | 2022-09-20
A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks. Affected product versions include: CV81-WDM FW versions 01.70.49.29.46.
- CVE-2022-3752 | HIGH | CVSS 8.6 | EG 7.5 | 2022-12-19
An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic loading to cause a denial-of-service condition in Rockwell Automation Logix controllers resulting in a major non-recoverable …
- CVE-2022-3767 | HIGH | CVSS 7.7 | EG 6.5 | 2023-03-09
Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host.
- CVE-2022-38076 | LOW | CVSS 3.8 | EG 3.8 | 2023-08-11
Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2022-38099 | HIGH | CVSS 7.5 | EG 7.8 | 2022-11-11
Improper input validation in BIOS firmware for some Intel(R) NUC 11 Compute Elements before version EBTGL357.0065 may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2022-38102 | HIGH | CVSS 7.2 | EG 7.2 | 2023-08-11
Improper Input validation in firmware for some Intel(R) Converged Security and Management Engine before versions 15.0.45, and 16.1.27 may allow a privileged user to potentially enable denial of service via local access.
- CVE-2022-38123 | HIGH | CVSS 8.7 | EG 7.2 | 2022-12-06
Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0.
- CVE-2022-38341 | HIGH | CVSS 7.1 | EG 7.1 | 2022-09-19
Safe Software FME Server v2021.2.5 and below does not employ server-side validation.
- CVE-2022-38385 | HIGH | CVSS 7.1 | EG 8.1 | 2022-11-15
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allow an authenticated user to obtain highly sensitive information or perform unauthorized actions due to improper input validation. IBM X-Force ID: 233777.
- CVE-2022-38408 | HIGH | CVSS 7.8 | EG 7.8 | 2022-09-16
Adobe Illustrator versions 26.4 (and earlier) and 25.4.7 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue …
- CVE-2022-38435 | HIGH | CVSS 7.8 | EG 7.8 | 2022-10-25
Adobe Illustrator versions 26.4 (and earlier) and 25.4.7 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue …
- CVE-2022-38778 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-02-08
A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process.
- CVE-2022-38787 | MEDIUM | CVSS 5.7 | EG 5.7 | 2023-05-10
Improper input validation in firmware for some Intel(R) FPGA products before version 2.7.0 Hotfix may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2022-38900 | HIGH | CVSS 7.5 | EG 7.5 | 2022-11-28
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
- CVE-2022-38985 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-14
The facial recognition module has a vulnerability in input validation. Successful exploitation of this vulnerability may affect data confidentiality.
- CVE-2022-39012 | HIGH | CVSS 7.5 | EG 7.5 | 2022-12-28
Huawei Aslan Children's Watch has an improper input validation vulnerability. Successful exploitation may cause the watch's application service to behave abnormally.
- CVE-2022-39016 | HIGH | CVSS 8.2 | EG 8.8 | 2022-10-31
Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.
- CVE-2022-39017 | HIGH | CVSS 8.2 | EG 5.4 | 2022-10-31
Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments.
- CVE-2022-39060 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-01-31
ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where m…
- CVE-2022-39226 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-09-29
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a malicious actor can add large payloads of text into the Location and …
- CVE-2022-39232 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-09-29
Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Versi…
- CVE-2022-39236 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-09-28
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer'…
- CVE-2022-39259 | LOW | CVSS 3.3 | EG 3.3 | 2022-10-21
jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. Versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched i…
- CVE-2022-39266 | CRITICAL | CVSS 9.6 | EG 9.6 | 2022-09-29
isolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and ru…
- CVE-2022-39275 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-10-06
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input, which allowed access to database objects that the authenticated user may not be allowed to access. Th…
- CVE-2022-39281 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-10-08
fat_free_crm is an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vu…
- CVE-2022-39291 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-10-07
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Z…
- CVE-2022-39306 | MEDIUM | CVSS 6.4 | EG 6.4 | 2022-11-09
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an ad…
- CVE-2022-39312 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-10-25
Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the …
- CVE-2022-39318 | MEDIUM | CVSS 4.8 | EG 4.8 | 2022-11-16
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue ha…
- CVE-2022-39338 | LOW | CVSS 3.5 | EG 3.5 | 2022-11-25
user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP tha…
- CVE-2022-39346 | LOW | CVSS 3.5 | EG 3.5 | 2022-11-25
Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow malicious users to overload the backing database and cause a denial of service. I…
- CVE-2022-39353 | CRITICAL | CVSS 9.4 | EG 9.4 | 2022-11-02
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childN…
- CVE-2022-39361 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-26
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL que…
- CVE-2022-39376 | LOW | CVSS 2.6 | EG 2.6 | 2022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields v…
- CVE-2022-39389 | HIGH | CVSS 8.2 | EG 8.2 | 2022-11-17
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered.…
- CVE-2022-39863 | LOW | CVSS 3.6 | EG 4.7 | 2022-10-07
Intent redirection vulnerability in Samsung Account prior to version 13.5.01.3 allows attackers to access content providers without permission.
- CVE-2022-39880 | HIGH | CVSS 7.1 | EG 7.8 | 2022-11-09
Improper input validation vulnerability in DualOutFocusViewer prior to SMR Nov-2022 Release 1 allows local attacker to perform an arbitrary code execution.
- CVE-2022-39881 | MEDIUM | CVSS 5.3 | EG 9.1 | 2022-11-09
Improper input validation vulnerability for processing SIB12 PDU in Exynos modems prior to SMR Sep-2022 Release allows remote attacker to read out of bounds memory.
- CVE-2022-39974 | HIGH | CVSS 7.5 | EG 7.5 | 2022-09-20
WASM3 v0.5.0 was discovered to contain a segmentation fault via the component op_Select_i32_srs in wasm3/source/m3_exec.h.
- CVE-2022-40139 | HIGH | CVSS 7.2 | EG 9.0 | ⚠ KEV | 2022-09-19
Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow an Apex One server administrator to instruct affected clients to download an unverified …
- CVE-2022-40145 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-21
This vulnerability is about a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasourc…