CWE-20— Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.— MITRE CWE catalog
11,788 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-20page 75 of 236
- CVE-2017-18221MEDIUMCVSS 5.5EG 5.52018-03-07
The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4 allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls.
- CVE-2017-18235MEDIUMCVSS 5.5EG 5.52018-03-15
An issue was discovered in Exempi before 2.4.3. The VPXChunk class in XMPFiles/source/FormatSupport/WEBP_Support.cpp does not ensure nonzero widths and heights, which allows remote attackers to cause a denial of service (assertion failure …
- CVE-2017-18240MEDIUMCVSS 5.5EG 5.52018-03-19
The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownership of PID file directory to the collectd account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modificatio…
- CVE-2017-18248MEDIUMCVSS 5.3EG 5.32018-03-26
The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.
- CVE-2017-18262MEDIUMCVSS 6.1EG 6.12018-04-30
Blackboard Learn (Since at least 17th of October 2017) has allowed Unvalidated Redirects on any signed-in user through its endpoints for handling Shibboleth logins, as demonstrated by a webapps/bb-auth-provider-shibboleth-BBLEARN/execute/s…
- CVE-2017-18292MEDIUMCVSS 5.5EG 5.52018-10-23
Secure app running in non secure space can restart TZ by calling Widevine app API repeatedly in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, …
- CVE-2017-18317HIGHCVSS 7.8EG 7.82018-11-28
Restrictions related to the modem (sim lock, sim kill) can be bypassed by manipulating the system to issue a deactivation flow sequence in Snapdragon Automobile, Snapdragon Mobile in versions MSM8996AU,SD 410/12,SD 820,SD 820A.
- CVE-2017-18318CRITICALCVSS 9.8EG 9.82018-11-28
Missing validation check on CRL issuer name in Snapdragon Automobile, Snapdragon Mobile in versions MSM8996AU, SD 410/12, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A.
- CVE-2017-18320HIGHCVSS 7.8EG 7.82019-01-03
QSEE unload attempt on a 3rd party TEE without previously loading results in a data abort in snapdragon automobile and snapdragon mobile in versions MSM8996AU, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/S…
- CVE-2017-18349CRITICALCVSS 9.8EG 9.82018-10-23
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceNam…
- CVE-2017-18359HIGHCVSS 7.5EG 7.52019-01-25
PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote attackers to cause a denial of service via crafted ST_AsX3D function input, as demonstrated by an abnormal server termination for "SELECT ST_AsX3D('LINESTRING EMPTY');" becau…
- CVE-2017-18367HIGHCVSS 7.5EG 7.52019-04-24
libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access …
- CVE-2017-18382LOWCVSS 2.7EG 2.72019-08-02
cPanel before 68.0.15 allows use of an unreserved e-mail address in DNS zone SOA records (SEC-306).
- CVE-2017-18388HIGHCVSS 7.8EG 7.82019-08-02
cPanel before 68.0.15 can perform unsafe file operations because Jailshell does not set the umask (SEC-315).
- CVE-2017-18392LOWCVSS 2.0EG 2.02019-08-02
cPanel before 68.0.15 allows collisions because PostgreSQL databases can be assigned to multiple accounts (SEC-325).
- CVE-2017-18393LOWCVSS 2.7EG 2.72019-08-02
cPanel before 68.0.15 does not block a username of postmaster, which might allow reception of private e-mail (SEC-326).
- CVE-2017-18394LOWCVSS 2.7EG 2.72019-08-02
cPanel before 68.0.15 does not have a sufficient list of reserved usernames (SEC-327).
- CVE-2017-18395LOWCVSS 2.7EG 2.72019-08-02
cPanel before 68.0.15 does not block a username of ssl (SEC-328).
- CVE-2017-18398LOWCVSS 3.8EG 3.82019-08-02
DnsUtils in cPanel before 68.0.15 allows zone creation for hostname and account subdomains (SEC-331).
- CVE-2017-18401LOWCVSS 2.7EG 2.72019-08-02
cPanel before 68.0.15 allows user accounts to be partially created with invalid username formats (SEC-334).
- CVE-2017-18405MEDIUMCVSS 5.5EG 5.52019-08-02
cPanel before 68.0.15 allows arbitrary file-read operations because of the backup .htaccess modification logic (SEC-345).
- CVE-2017-18409MEDIUMCVSS 6.5EG 6.52019-08-02
In cPanel before 67.9999.103, the backup interface could return a backup archive with all MySQL databases (SEC-283).
- CVE-2017-18410MEDIUMCVSS 6.5EG 6.52019-08-02
In cPanel before 67.9999.103, a user account's backup archive could contain all MySQL databases on the server (SEC-284).
- CVE-2017-18411MEDIUMCVSS 6.8EG 6.82019-08-02
The "addon domain conversion" feature in cPanel before 67.9999.103 can copy all MySQL databases to the new account (SEC-285).
- CVE-2017-18415HIGHCVSS 7.8EG 7.82019-08-02
cPanel before 67.9999.103 allows code execution in the context of the mailman account because of incorrect environment-variable filtering (SEC-302).
- CVE-2017-18430MEDIUMCVSS 4.7EG 4.72019-08-02
In cPanel before 66.0.2, user and group ownership may be incorrectly set when using reassign_post_terminate_cruft (SEC-294).
- CVE-2017-18431HIGHCVSS 7.5EG 7.52019-08-02
cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941).
- CVE-2017-18433HIGHCVSS 8.8EG 8.82019-08-02
cPanel before 64.0.21 allows code execution by webmail and demo accounts via a store_filter API call (SEC-236).
- CVE-2017-18434HIGHCVSS 7.8EG 7.82019-08-02
cPanel before 64.0.21 allows code execution in the context of the root account via a SET_VHOST_LANG_PACKAGE multilang adminbin call (SEC-237).
- CVE-2017-18439MEDIUMCVSS 6.3EG 6.32019-08-02
cPanel before 64.0.21 allows demo accounts to execute code via an ImageManager_dimensions API call (SEC-243).
- CVE-2017-18440MEDIUMCVSS 4.3EG 4.32019-08-02
cPanel before 64.0.21 allows demo users to execute traceroute via api2 (SEC-244).
- CVE-2017-18443MEDIUMCVSS 5.8EG 5.82019-08-02
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).
- CVE-2017-18444MEDIUMCVSS 5.3EG 5.32019-08-02
cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).
- CVE-2017-18447MEDIUMCVSS 6.3EG 6.32019-08-02
cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251).
- CVE-2017-18449MEDIUMCVSS 5.5EG 5.52019-08-02
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254).
- CVE-2017-18452MEDIUMCVSS 6.7EG 6.72019-08-02
cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).
- CVE-2017-18453MEDIUMCVSS 4.9EG 4.92019-08-02
cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).
- CVE-2017-18458LOWCVSS 3.3EG 3.32019-08-02
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).
- CVE-2017-18459HIGHCVSS 7.8EG 7.82019-08-02
cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).
- CVE-2017-18460HIGHCVSS 7.8EG 7.82019-08-02
cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).
- CVE-2017-18461MEDIUMCVSS 4.3EG 4.32019-08-02
cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).
- CVE-2017-18463HIGHCVSS 7.8EG 7.82019-08-02
cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).
- CVE-2017-18464MEDIUMCVSS 4.9EG 4.92019-08-05
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).
- CVE-2017-18465MEDIUMCVSS 4.4EG 4.42019-08-05
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).
- CVE-2017-18466LOWCVSS 2.7EG 2.72019-08-05
cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228).
- CVE-2017-18469MEDIUMCVSS 6.3EG 6.32019-08-05
cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233).
- CVE-2017-18475HIGHCVSS 8.8EG 8.82019-08-05
In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204).
- CVE-2017-18482MEDIUMCVSS 6.5EG 6.52019-08-05
cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213).
- CVE-2017-18509HIGHCVSS 7.8EG 7.82019-08-13
An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially e…
- CVE-2017-18545HIGHCVSS 7.5EG 7.52019-08-16
The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input.
Map vulnerabilities like CWE-20 to your infrastructure
EchelonGraph correlates every CVE — across CWE-20 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →