CWE-20— Improper Input Validation

An issue in dom96 HTTPbeast v.0.4.1 and before allows a remote attacker to send a malicious crafted request due to insufficient parsing in the parser.nim component.

Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.3…

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Web Services feature of newer Lexmark devices.

The SE menu contains information used by Lexmark to diagnose device errors. A vulnerability in one of the SE menu routines can be leveraged by an attacker to execute arbitrary code.

Lenovo LeCloud App improper input validation allows attackers to access arbitrary components and arbitrary file downloads, which could result in information disclosure.

Improper Input Validation vulnerability in HYPR Workforce Access on Windows allows Path Traversal.This issue affects Workforce Access: before 8.7.

Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-7000 up to 20151231. This issue affects some unknown processing of the file /log/webmailattach.php. The manipulation of the arg…

A vulnerability has been identified in SIMATIC IPC1047E (All versions with maxView Storage Manager < V4.14.00.26068 on Windows), SIMATIC IPC647E (All versions with maxView Storage Manager < V4.14.00.26068 on Windows), SIMATIC IPC847E (All …

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommen…

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrat…

Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an at…

The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a de…

An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function.

The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The [`verify…

IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service when querying a specific UDF built-in function concurrently. IBM X-Force ID: 278547.

Input verification vulnerability in the account module.Successful exploitation of this vulnerability may cause features to perform abnormally.

Vulnerability of input parameter verification in the motor module.Successful exploitation of this vulnerability may affect availability.

Out-of-bounds write vulnerability in the RSMC module. Impact: Successful exploitation of this vulnerability will affect availability.

In vsp driver, there is a possible missing verification incorrect input. This could lead to local denial of service with no additional execution privileges needed

Input verification vulnerability in the power module. Impact: Successful exploitation of this vulnerability will affect availability.

Improper Input Validation vulnerability in simulation function of GX Works2 allows an attacker to cause a denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the …

Improper Input Validation vulnerability in simulation function of GX Works2 allows an attacker to cause a denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the …

Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2. MegaBIP 5.08 was tested and is not vulnera…

Server receiving a malformed message to create a new connection could lead to an attacker performing remote code execution or causing a failure. See Honeywell Security Notification for recommendations on upgrading and versioning.

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the…

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an …

Improper Input Validation in GitHub repository vriteio/vrite prior to 0.3.0.

Under certain conditions, Nessus Network Monitor was found to not properly enforce input validation. This could allow an admin user to alter parameters that could potentially allow a blindSQL injection.

In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.

Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.

An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too m…

The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perfor…

An improper input validation vulnerability has been found in Lanaccess ONSAFE MonitorHM affecting version 3.7.0. This vulnerability could lead a remote attacker to exploit the checkbox element and perform remote code execution, compromisin…

Attacker can perform a Denial of Service attack to crash the ICAS 3 IVI ECU in a Volkswagen ID.3 (and other vehicles of the VW Group with the same hardware) and spoof volume setting commands to irreversibly turn on audio volume to maximum …

The Candid library causes a Denial of Service while parsing a specially crafted payload with 'empty' data type. For example, if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the Rust candid …

Improper input validation vulnerability in Newsletter Software SuperMailer affecting version 11.20.0.2204. An attacker could exploit this vulnerability by sending a malicious configuration file (file with SMB extension) to a user via a lin…

The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems from the absence of proper sandboxing du…

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting…

Vulnerability exists in SCI IEC 60870-5-104 and HCI IEC 60870-5-104 that affects the RTU500 series product versions listed below. Specially crafted messages sent to the mentioned components are not validated properly and can result in buff…

Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all ver…

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 2.10.26 due to insufficient input sanitization and output escaping on user su…

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.

Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.

Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().

wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in…

Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow. A lo…

Insufficient data validation in Permission Prompts in Google Chrome prior to 117.0.5938.62 allowed an attacker who convinced a user to install a malicious app to potentially perform a sandbox escape via a malicious file. (Chromium security…

Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.