CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-20

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2023-22963 20 2023-01-11 2023-01-18
0.0
None ??? ??? ??? ??? ??? ???
The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression.
2 CVE-2023-22952 20 2023-01-11 2023-01-18
0.0
None ??? ??? ??? ??? ??? ???
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
3 CVE-2023-22898 20 DoS 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
workers/extractor.py in Pandora (aka pandora-analysis/pandora) 1.3.0 allows a denial of service when an attacker submits a deeply nested ZIP archive (aka ZIP bomb).
4 CVE-2023-22734 20 2023-01-17 2023-01-25
0.0
None ??? ??? ??? ??? ??? ???
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter systems. This problem has been fixed with version 6.4.18.1. Users are advised to upgrade. Users unable to upgrade may find security measures are available via a plugin for major versions 6.1, 6.2, and 6.3. Users may also disable newsletter registration completely.
5 CVE-2023-22730 20 Bypass 2023-01-17 2023-01-25
0.0
None ??? ??? ??? ??? ??? ???
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass quantity limits in sales. This problem has been fixed with version 6.4.18.1. Users on major versions 6.1, 6.2, and 6.3 may also obtain this fix via a plugin.
6 CVE-2023-22470 20 2023-01-14 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A database error can be generated potentially causing a DoS when performed multiple times. There are currently no known workarounds. It is recommended that the Nextcloud Server is upgraded to 1.6.5 or 1.7.3 or 1.8.2.
7 CVE-2023-22465 20 2023-01-04 2023-01-11
0.0
None ??? ??? ??? ??? ??? ???
Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.
8 CVE-2023-22460 20 2023-01-04 2023-01-10
0.0
None ??? ??? ??? ??? ??? ???
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes.
9 CVE-2023-22452 20 2023-01-02 2023-01-09
0.0
None ??? ??? ??? ??? ??? ???
kenny2automate is a Discord bot. In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names. Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to the channel ID they wish to change settings for and the server settings panel for any server could change settings for the requested channel no matter which server it belonged to. Commit a947d7c resolves the issue and has been deployed to the official instance of the bot. The only workaround that exists is to disable the web config entirely by changing it to run on localhost. Note that a workaround is only necessary for those who run their own instance of the bot.
10 CVE-2023-21607 20 Exec Code 2023-01-18 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
11 CVE-2023-21596 20 Exec Code 2023-01-13 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Adobe InCopy versions 18.0 (and earlier), 17.4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
12 CVE-2023-21588 20 Exec Code 2023-01-13 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
13 CVE-2023-20532 20 DoS 2023-01-11 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
Insufficient input validation in the SMU may allow an attacker to improperly lock resources, potentially resulting in a denial of service.
14 CVE-2023-20530 20 DoS 2023-01-11 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
Insufficient input validation of BIOS mailbox messages in SMU may result in out-of-bounds memory reads potentially resulting in a denial of service.
15 CVE-2023-20528 20 2023-01-11 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
Insufficient input validation in the SMU may allow a physical attacker to exfiltrate SMU memory contents over the I2C bus potentially leading to a loss of confidentiality.
16 CVE-2023-20527 20 2023-01-11 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
Improper syscall input validation in the ASP Bootloader may allow a privileged attacker to read memory out-of-bounds, potentially leading to a denial-of-service.
17 CVE-2023-20525 20 DoS 2023-01-11 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
Insufficient syscall input validation in the ASP Bootloader may allow a privileged attacker to read memory outside the bounds of a mapped register potentially leading to a denial of service.
18 CVE-2023-20522 20 DoS 2023-01-11 2023-01-19
0.0
None ??? ??? ??? ??? ??? ???
Insufficient input validation in ASP may allow an attacker with a malicious BIOS to potentially cause a denial of service.
19 CVE-2023-0434 20 2023-01-22 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.
20 CVE-2023-0299 20 2023-01-14 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Improper Input Validation in GitHub repository publify/publify prior to 9.2.10.
21 CVE-2023-0229 20 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify.
22 CVE-2023-0139 20 Bypass 2023-01-10 2023-01-17
0.0
None ??? ??? ??? ??? ??? ???
Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Low)
23 CVE-2022-47917 20 2023-01-18 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to improper input validation of user input to several modules and services of the software. This could allow an attacker to delete arbitrary files and cause a denial-of-service condition.
24 CVE-2022-47208 20 Exec Code 2022-12-16 2022-12-27
0.0
None ??? ??? ??? ??? ??? ???
The “puhttpsniff” service, which runs by default, is susceptible to command injection due to improperly sanitized user input. An unauthenticated attacker on the same network segment as the router can execute arbitrary commands on the device without authentication.
25 CVE-2022-46768 20 2022-12-15 2022-12-19
0.0
None ??? ??? ??? ??? ??? ???
Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files.
26 CVE-2022-46372 20 Exec Code 2023-01-12 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Alotcer - AR7088H-A firmware version 16.10.3 Command execution Improper validation of unspecified input field may allow Authenticated command execution.
27 CVE-2022-46363 20 2022-12-13 2022-12-16
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
28 CVE-2022-46328 20 2022-12-20 2022-12-24
0.0
None ??? ??? ??? ??? ??? ???
Some smartphones have the input validation vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.
29 CVE-2022-45875 20 Exec Code 2023-01-04 2023-01-10
0.0
None ??? ??? ??? ??? ??? ???
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.
30 CVE-2022-45470 20 XSS 2022-11-21 2022-11-23
0.0
None ??? ??? ??? ??? ??? ???
** UNSUPPORTED WHEN ASSIGNED ** missing input validation in Apache Hama may cause information disclosure through path traversal and XSS. Since Apache Hama is EOL, we do not expect these issues to be fixed.
31 CVE-2022-45113 20 2022-12-07 2022-12-12
0.0
None ??? ??? ??? ??? ??? ???
Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Having a user to access a specially crafted URL may allow a remote unauthenticated attacker to set a specially crafted URL to the Reset Password page and conduct a phishing attack. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.
32 CVE-2022-44756 20 2022-12-21 2022-12-28
0.0
None ??? ??? ??? ??? ??? ???
Insights for Vulnerability Remediation (IVR) is vulnerable to improper input validation. This may lead to information disclosure. This requires privileged access.
33 CVE-2022-44556 20 2022-11-08 2022-12-26
0.0
None ??? ??? ??? ??? ??? ???
Missing parameter type validation in the DRM module. Successful exploitation of this vulnerability may affect availability.
34 CVE-2022-44019 20 Exec Code 2022-10-30 2022-11-01
0.0
None ??? ??? ??? ??? ??? ???
In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter.
35 CVE-2022-43875 20 DoS 2022-12-20 2022-12-27
0.0
None ??? ??? ??? ??? ??? ???
IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 could allow an authenticated user to lock additional RM authorizations, resulting in a denial of service on displaying or managing these authorizations. IBM X-Force ID: 240034.
36 CVE-2022-43723 20 DoS 2022-12-13 2022-12-15
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0), SICAM PAS/PQS (All versions >= 7.0 < V8.06). Affected software does not properly validate the input for a certain parameter in the s7ontcp.dll. This could allow an unauthenticated remote attacker to send messages and create a denial of service condition as the application crashes. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions.
37 CVE-2022-43565 20 Bypass 2022-11-04 2022-11-08
0.0
None ??? ??? ??? ??? ??? ???
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.
38 CVE-2022-43563 20 Bypass 2022-11-04 2022-11-08
0.0
None ??? ??? ??? ??? ??? ???
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
39 CVE-2022-43546 20 Exec Code 2022-11-08 2022-11-09
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50). Affected devices do not properly validate the EndTime-parameter in requests to the web interface on port 443/tcp. This could allow an authenticated remote attacker to crash the device (followed by an automatic reboot) or to execute arbitrary code on the device.
40 CVE-2022-43545 20 Exec Code 2022-11-08 2022-11-09
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50). Affected devices do not properly validate the RecordType-parameter in requests to the web interface on port 443/tcp. This could allow an authenticated remote attacker to crash the device (followed by an automatic reboot) or to execute arbitrary code on the device.
41 CVE-2022-43484 20 Exec Code 2022-12-05 2022-12-21
0.0
None ??? ??? ??? ??? ??? ???
TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.
42 CVE-2022-43455 20 2023-01-18 2023-01-25
0.0
None ??? ??? ??? ??? ??? ???
Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to improper input validation of user input to the service_start, service_stop, and service_restart modules of the software. This could allow an attacker to start, stop, or restart arbitrary services running on the server.
43 CVE-2022-43439 20 Exec Code 2022-11-08 2022-11-09
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50). Affected devices do not properly validate the Language-parameter in requests to the web interface on port 443/tcp. This could allow an authenticated remote attacker to crash the device (followed by an automatic reboot) or to execute arbitrary code on the device.
44 CVE-2022-42793 20 Bypass 2022-11-01 2022-11-03
0.0
None ??? ??? ??? ??? ??? ???
An issue in code signature validation was addressed with improved checks. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6. An app may be able to bypass code signing checks.
45 CVE-2022-42544 20 2022-12-16 2022-12-21
0.0
None ??? ??? ??? ??? ??? ???
In getView of AddAppNetworksFragment.java, there is a possible way to mislead the user about network add requests due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224545390
46 CVE-2022-42534 20 2022-12-16 2022-12-21
0.0
None ??? ??? ??? ??? ??? ???
In trusty_ffa_mem_reclaim of shared-mem-smcall.c, there is a possible privilege escalation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237838301References: N/A
47 CVE-2022-42468 20 Exec Code 2022-10-26 2022-10-28
0.0
None ??? ??? ??? ??? ??? ???
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
48 CVE-2022-42344 20 2022-10-20 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
49 CVE-2022-42340 20 2022-10-14 2022-10-18
0.0
None ??? ??? ??? ??? ??? ???
Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.
50 CVE-2022-42269 20 2022-12-30 2023-01-09
0.0
None ??? ??? ??? ??? ??? ???
NVIDIA Trusted OS contains a vulnerability in an SMC call handler, where failure to validate untrusted input may allow a highly privileged local attacker to cause information disclosure and compromise integrity. The scope of the impact can extend to other components.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.