CWE-1287
AllowedImproper Validation of Specified Type of Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
259 vulnerabilities reference this CWE, most recent first.
GHSA-7X49-43RQ-5F5C
Vulnerability from github – Published: 2025-11-11 09:30 – Updated: 2025-11-11 09:30An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
{
"affected": [],
"aliases": [
"CVE-2025-4645"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T07:15:33Z",
"severity": "MODERATE"
},
"details": "An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.",
"id": "GHSA-7x49-43rq-5f5c",
"modified": "2025-11-11T09:30:30Z",
"published": "2025-11-11T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4645"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/69/47/ff/cve-2025-4645pdf-en-US-504211.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-89V6-J5X6-CMJ3
Vulnerability from github – Published: 2026-07-09 20:54 – Updated: 2026-07-09 20:54Summary
The recentchanges action (actions/recentchanges.php) accepts a period argument from two disjoint parameter spaces: the URL query string ($_GET['period']) and the action invocation {{recentchanges period="..."}}. A whitelist at line 17 validates only the URL form against ['day','week','month']. The action-argument form takes the else branch at line 33 ($dateMin = $this->GetParameter('period')) with no validation, and the value flows into PageManager::getRecentlyChanged() (includes/services/PageManager.php:196), where it is interpolated into a WHERE time >= '...' ORDER BY time DESC clause without escaping or parameterization. UNION-based injection succeeds, the leaked rows render into the response page via actions/recentchanges.php:43,58 (ComposeLinkToPage($page['tag'])), so any visitor of the trigger page sees the exfiltrated data.
The vulnerability provides arbitrary read of the YesWiki database to anyone who can save the trigger page. On a default install (default_write_acl='*'), this includes anonymous users, subject to the hashcash JS check on the page-edit form. Once the trigger page is saved, every subsequent view fires the injection as the SQLi is stored. Stored SQL injection is reachable through the page-edit flow, with arbitrary database read.
Details
Two issues compose the vulnerability.
actions/recentchanges.phpline 33 reads the action argument and skips the whitelist.
php
if (isset($_GET['period']) && in_array($_GET['period'], ['day', 'week', 'month'])) {
switch ($_GET['period']) {
case 'day': $d = strtotime('-1 day'); $dateMin = date('Y-m-d H:i:s', $d); break;
case 'week': $d = strtotime('-1 week'); $dateMin = date('Y-m-d H:i:s', $d); break;
case 'month': $d = strtotime('-1 month'); $dateMin = date('Y-m-d H:i:s', $d); break;
}
} else {
$dateMin = $this->GetParameter('period');
}
Wiki::GetParameter() (includes/YesWiki.php:895) reads $this->parameter[$key], which is populated from the {{action key=value}} argument list — disjoint from $_GET. The whitelist's if branch only runs when $_GET['period'] matches one of three exact values; in every other case the else branch reads the action argument with no validation, no escaping, no DateTime parse, no regex. The two parameter spaces are independent.
- In
includes/services/PageManager.php,PageManager::getRecentlyChanged()interpolates the value into SQL.
php
public function getRecentlyChanged($limit = 50, $minDate = ''): ?array
{
if (!empty($minDate)) {
if ($pages = $this->dbService->loadAll(
'select id, tag, time, user, owner from' . $this->dbService->prefixTable('pages')
. "where latest = 'Y' and comment_on = '' and time >= '$minDate' order by time desc"
)) {
return $pages;
}
}
}
$minDate is interpolated raw into the query and there is no $this->dbService->escape($minDate) and no parameter binding and no format check.
The default action ACL for recentchanges is * (includes/YesWiki.php:1100, GetModuleACL), so Performer::CheckModuleACL('recentchanges', 'action') returns true for everyone. The injection runs whenever a viewer reaches a page that embeds the action with a malicious period argument.
PoC
Default fresh install so default_write_acl='*'.
1. place the SQLi payload on a page
{{recentchanges period="2000-01-01' UNION SELECT 9999 AS id, CONCAT('LEAK_', name, '_', SUBSTRING(password,1,32)) AS tag, NOW() AS time, name AS user, name AS owner FROM yeswiki_users WHERE name='AdminUser' -- "}}
The five UNION columns match the id, tag, time, user, owner projection that getRecentlyChanged selects. The tag column is rendered into the response as a hyperlink, exfiltrating the leaked data.
- anyone visits the page
GET /?<TriggerPage> HTTP/1.1
Host: target.example
The injected query executes server-side; the tag column is rendered into the page in actions/recentchanges.php:43,58 via ComposeLinkToPage($page['tag']).
Impact
Arbitrary read of any DB column the application's MySQL user can access.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52763"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T20:54:46Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `recentchanges` action (`actions/recentchanges.php`) accepts a `period` argument from two disjoint parameter spaces: the URL query string (`$_GET[\u0027period\u0027]`) and the action invocation `{{recentchanges period=\"...\"}}`. A whitelist at line 17 validates only the URL form against `[\u0027day\u0027,\u0027week\u0027,\u0027month\u0027]`. The action-argument form takes the `else` branch at line 33 (`$dateMin = $this-\u003eGetParameter(\u0027period\u0027)`) with no validation, and the value flows into `PageManager::getRecentlyChanged()` (`includes/services/PageManager.php:196`), where it is interpolated into a `WHERE time \u003e= \u0027...\u0027 ORDER BY time DESC` clause without escaping or parameterization. UNION-based injection succeeds, the leaked rows render into the response page via `actions/recentchanges.php:43,58` (`ComposeLinkToPage($page[\u0027tag\u0027])`), so any visitor of the trigger page sees the exfiltrated data.\n\nThe vulnerability provides arbitrary read of the YesWiki database to anyone who can save the trigger page. On a default install (`default_write_acl=\u0027*\u0027`), this includes anonymous users, subject to the hashcash JS check on the page-edit form. Once the trigger page is saved, every subsequent view fires the injection as the SQLi is stored. Stored SQL injection is reachable through the page-edit flow, with arbitrary database read.\n\n### Details\n\nTwo issues compose the vulnerability.\n\n1. `actions/recentchanges.php` line 33 reads the action argument and skips the whitelist.\n\n ```php\n if (isset($_GET[\u0027period\u0027]) \u0026\u0026 in_array($_GET[\u0027period\u0027], [\u0027day\u0027, \u0027week\u0027, \u0027month\u0027])) {\n switch ($_GET[\u0027period\u0027]) {\n case \u0027day\u0027: $d = strtotime(\u0027-1 day\u0027); $dateMin = date(\u0027Y-m-d H:i:s\u0027, $d); break;\n case \u0027week\u0027: $d = strtotime(\u0027-1 week\u0027); $dateMin = date(\u0027Y-m-d H:i:s\u0027, $d); break;\n case \u0027month\u0027: $d = strtotime(\u0027-1 month\u0027); $dateMin = date(\u0027Y-m-d H:i:s\u0027, $d); break;\n }\n } else {\n $dateMin = $this-\u003eGetParameter(\u0027period\u0027); \n }\n ```\n\n `Wiki::GetParameter()` (`includes/YesWiki.php:895`) reads `$this-\u003eparameter[$key]`, which is populated from the `{{action key=value}}` argument list \u2014 disjoint from `$_GET`. The whitelist\u0027s `if` branch only runs when `$_GET[\u0027period\u0027]` matches one of three exact values; in every other case the `else` branch reads the action argument with no validation, no escaping, no DateTime parse, no regex. The two parameter spaces are independent.\n\n2. In `includes/services/PageManager.php`, `PageManager::getRecentlyChanged()` interpolates the value into SQL.\n\n ```php\n public function getRecentlyChanged($limit = 50, $minDate = \u0027\u0027): ?array\n {\n if (!empty($minDate)) {\n if ($pages = $this-\u003edbService-\u003eloadAll(\n \u0027select id, tag, time, user, owner from\u0027 . $this-\u003edbService-\u003eprefixTable(\u0027pages\u0027)\n . \"where latest = \u0027Y\u0027 and comment_on = \u0027\u0027 and time \u003e= \u0027$minDate\u0027 order by time desc\"\n )) {\n return $pages;\n }\n }\n }\n ```\n\n `$minDate` is interpolated raw into the query and there is no `$this-\u003edbService-\u003eescape($minDate)` and no parameter binding and no format check.\n\nThe default action ACL for `recentchanges` is `*` (`includes/YesWiki.php:1100`, `GetModuleACL`), so `Performer::CheckModuleACL(\u0027recentchanges\u0027, \u0027action\u0027)` returns `true` for everyone. The injection runs whenever a viewer reaches a page that embeds the action with a malicious `period` argument.\n\n### PoC\n\nDefault fresh install so `default_write_acl=\u0027*\u0027`.\n1. place the SQLi payload on a page\n\n```\n{{recentchanges period=\"2000-01-01\u0027 UNION SELECT 9999 AS id, CONCAT(\u0027LEAK_\u0027, name, \u0027_\u0027, SUBSTRING(password,1,32)) AS tag, NOW() AS time, name AS user, name AS owner FROM yeswiki_users WHERE name=\u0027AdminUser\u0027 -- \"}}\n```\n\nThe five UNION columns match the `id, tag, time, user, owner` projection that `getRecentlyChanged` selects. The `tag` column is rendered into the response as a hyperlink, exfiltrating the leaked data.\n\n2. anyone visits the page\n\n```http\nGET /?\u003cTriggerPage\u003e HTTP/1.1\nHost: target.example\n```\n\nThe injected query executes server-side; the `tag` column is rendered into the page in `actions/recentchanges.php:43,58` via `ComposeLinkToPage($page[\u0027tag\u0027])`.\n\n### Impact\n\nArbitrary read of any DB column the application\u0027s MySQL user can access.",
"id": "GHSA-89v6-j5x6-cmj3",
"modified": "2026-07-09T20:54:46Z",
"published": "2026-07-09T20:54:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-89v6-j5x6-cmj3"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/commit/5da27474c3ee62270c8a6b9d7055d494cdbd38e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read"
}
GHSA-8Q72-6QQ8-XV64
Vulnerability from github – Published: 2022-11-01 18:11 – Updated: 2022-11-01 18:11Impact
The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied.
This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without victim's knowledge, when the victim visits attacker's website while being logged in to the same CAS server.
Patch
phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class.
For more information, please refer to the upgrading doc.
Workarounds
This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS < 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup:
phpCAS::setUrl()is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), andphpCAS::setCallbackURL()is called, only when the proxy mode is enabled.- Alternatively, if your PHP's HTTP header input
X-Forwarded-Host,X-Forwarded-Server,Host,X-Forwarded-Proto,X-Forwarded-Protocolis sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability.
Otherwise, you should upgrade the library to get the safe service discovery behavior.
If your CAS server service registry is configured to only allow known and trusted service URLs, the severity of the vulnerability is reduced substantially since an attacker must be in control of another authorized service.
Acknowledgement
We would like to thank Filip Hejsek for discovering this vulnerability, responsibly reporting it to the developers, and helping harden the patch.
Henry Pan and Joachim Fritschi helped with the patch and release effort as phpCAS developers.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "apereo/phpcas"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39369"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-01T18:11:07Z",
"nvd_published_at": "2022-11-01T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. \nDepending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to \"^(https)://.*\") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied.\n\nThis vulnerability may allow an attacker to gain access to a victim\u0027s account on a vulnerable CASified service without victim\u0027s knowledge, when the victim visits attacker\u0027s website while being logged in to the same CAS server. \n\n### Patch\n\nphpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class.\n\nFor more information, please refer to the upgrading doc.\n\n### Workarounds\n\nThis vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS \u003c 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup:\n\n1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and\n2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled.\n3. Alternatively, if your PHP\u0027s HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability.\n\nOtherwise, you should upgrade the library to get the safe service discovery behavior.\n\nIf your CAS server service registry is configured to only allow known and trusted service URLs, the severity of the vulnerability is reduced substantially since an attacker must be in control of another authorized service.\n\n### Acknowledgement\n\nWe would like to thank Filip Hejsek for discovering this vulnerability, responsibly reporting it to the developers, and helping harden the patch.\n\nHenry Pan and Joachim Fritschi helped with the patch and release effort as phpCAS developers.",
"id": "GHSA-8q72-6qq8-xv64",
"modified": "2022-11-01T18:11:07Z",
"published": "2022-11-01T18:11:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39369"
},
{
"type": "WEB",
"url": "https://github.com/apereo/phpCAS/commit/b759361d904a2cb2a3bcee9411fc348cfde5d163"
},
{
"type": "PACKAGE",
"url": "https://github.com/apereo/phpCAS"
},
{
"type": "WEB",
"url": "https://github.com/apereo/phpCAS/releases/tag/1.6.0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "phpCAS vulnerable to Service Hostname Discovery Exploitation"
}
GHSA-8W7P-V3P3-2MRJ
Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2025-09-09 18:31A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP version(s) 6.4 to 7.1 could allow an attacker to potentially execute code in the context of the affected process.
{
"affected": [],
"aliases": [
"CVE-2021-32024"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-13T19:15:00Z",
"severity": "CRITICAL"
},
"details": "A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP version(s) 6.4 to 7.1 could allow an attacker to potentially execute code in the context of the affected process.",
"id": "GHSA-8w7p-v3p3-2mrj",
"modified": "2025-09-09T18:31:10Z",
"published": "2021-12-14T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32024"
},
{
"type": "WEB",
"url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000089042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WHV-XMF7-JJ8R
Vulnerability from github – Published: 2025-08-14 15:30 – Updated: 2025-08-14 15:30A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.
{
"affected": [],
"aliases": [
"CVE-2025-9041"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T15:15:45Z",
"severity": "HIGH"
},
"details": "A security issue exists due to improper handling of CIP Class 32\u2019s request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.",
"id": "GHSA-8whv-xmf7-jj8r",
"modified": "2025-08-14T15:30:46Z",
"published": "2025-08-14T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9041"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1737.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9269-MHF5-VFQW
Vulnerability from github – Published: 2026-06-16 12:32 – Updated: 2026-06-16 12:32A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.
{
"affected": [],
"aliases": [
"CVE-2026-10825"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T10:16:26Z",
"severity": "HIGH"
},
"details": "A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.",
"id": "GHSA-9269-mhf5-vfqw",
"modified": "2026-06-16T12:32:01Z",
"published": "2026-06-16T12:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10825"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-268270-cve-2026-10825-improper-validation-of-input-vulnerability-in-serial-device-servers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-93W4-X8JH-J7M2
Vulnerability from github – Published: 2025-01-16 21:30 – Updated: 2025-01-16 21:30Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
{
"affected": [],
"aliases": [
"CVE-2025-20630"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-16T19:15:30Z",
"severity": "MODERATE"
},
"details": "Mattermost Mobile versions \u003c=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.",
"id": "GHSA-93w4-x8jh-j7m2",
"modified": "2025-01-16T21:30:58Z",
"published": "2025-01-16T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20630"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95M8-QGXC-HCQX
Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-11 18:30A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly.
This vulnerability is due to insufficient input validation of ingress IS-IS packets. An attacker could exploit this vulnerability by sending crafted IS-IS packets to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the IS-IS process to restart unexpectedly, resulting in a temporary loss of connectivity to advertised networks and a denial of service (DoS) condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and must have formed an adjacency.
{
"affected": [],
"aliases": [
"CVE-2026-20074"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T17:16:55Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly.\n\nThis vulnerability is due to insufficient input validation of ingress IS-IS packets. An attacker could exploit this vulnerability by sending crafted IS-IS packets to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the IS-IS process to restart unexpectedly, resulting in a temporary loss of connectivity to advertised networks and a denial of service (DoS) condition.\nNote: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and must have formed an adjacency.\u0026nbsp;\u0026nbsp;",
"id": "GHSA-95m8-qgxc-hcqx",
"modified": "2026-03-11T18:30:33Z",
"published": "2026-03-11T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20074"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-dos-kDMxpSzK"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99G6-3HJH-HCXR
Vulnerability from github – Published: 2024-04-12 15:37 – Updated: 2025-02-06 21:32An Improper Validation of Specified Type of Input vulnerability in Routing Protocol Daemon (RPD) of Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).
If a BGP update is received over an established BGP session which contains a tunnel encapsulation attribute with a specifically malformed TLV, rpd will crash and restart. This issue affects:
Junos OS:
-
all versions before 21.2R3-S7,
-
from 21.3 before 21.3R3-S5,
-
from 21.4 before 21.4R3-S5,
-
from 22.1 before 22.1R3-S5,
-
from 22.2 before 22.2R3-S3,
-
from 22.3 before 22.3R3-S2,
-
from 22.4 before 22.4R3,
-
from 23.2 before 23.2R1-S2, 23.2R2.
Junos OS Evolved:
-
all versions before 21.2R3-S7-EVO,
-
from 21.3-EVO before 21.3R3-S5-EVO,
-
from 21.4-EVO before 21.4R3-S5-EVO,
-
from 22.2-EVO before 22.2R3-S3-EVO,
-
from 22.3-EVO before 22.3R3-S2-EVO,
-
from 22.4-EVO before 22.4R3-EVO,
-
from 23.2-EVO before 23.2R1-S2-EVO, 23.2R2-EVO.
This is a related but separate issue than the one described in JSA75739
{
"affected": [],
"aliases": [
"CVE-2024-30395"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-12T15:15:24Z",
"severity": "HIGH"
},
"details": "An\u00a0Improper Validation of Specified Type of Input vulnerability in Routing Protocol Daemon (RPD) of Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).\n\nIf a BGP update is received over an established BGP session which contains a tunnel encapsulation attribute with a specifically malformed TLV, rpd will crash and restart.\nThis issue affects:\n\nJunos OS:\n\n\n\n * all versions before 21.2R3-S7,\u00a0\n\n * from 21.3 before 21.3R3-S5,\u00a0\n\n * from 21.4 before 21.4R3-S5,\u00a0\n\n * from 22.1 before 22.1R3-S5,\u00a0\n\n * from 22.2 before 22.2R3-S3,\u00a0\n\n * from 22.3 before 22.3R3-S2,\u00a0\n\n * from 22.4 before 22.4R3,\u00a0\n\n * from 23.2 before 23.2R1-S2, 23.2R2.\n\n\n\n\n\nJunos OS Evolved:\n\n\n\n * all versions before 21.2R3-S7-EVO,\u00a0\n\n * from 21.3-EVO before 21.3R3-S5-EVO,\u00a0\n\n * from 21.4-EVO before 21.4R3-S5-EVO,\u00a0\n * from 22.2-EVO before 22.2R3-S3-EVO,\u00a0\n\n * from 22.3-EVO before 22.3R3-S2-EVO,\u00a0\n\n * from 22.4-EVO before 22.4R3-EVO,\u00a0\n\n * from 23.2-EVO before 23.2R1-S2-EVO, 23.2R2-EVO.\n\n\n\nThis is a related but separate issue than the one described in\u00a0JSA75739",
"id": "GHSA-99g6-3hjh-hcxr",
"modified": "2025-02-06T21:32:04Z",
"published": "2024-04-12T15:37:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30395"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA79095"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-99WW-C378-6M65
Vulnerability from github – Published: 2024-12-05 15:31 – Updated: 2025-02-27 18:31Credentials Disclosure vulnerabilities allow access to on board project back-up bundles. Affected products:
ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02
{
"affected": [],
"aliases": [
"CVE-2024-51546"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-05T13:15:08Z",
"severity": "HIGH"
},
"details": "Credentials Disclosure vulnerabilities allow access to on board project back-up bundles.\u00a0\nAffected products:\n\n\nABB ASPECT - Enterprise v3.08.02; \nNEXUS Series v3.08.02; \nMATRIX Series v3.08.02",
"id": "GHSA-99ww-c378-6m65",
"modified": "2025-02-27T18:31:03Z",
"published": "2024-12-05T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51546"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.