Common Weakness Enumeration

CWE-233

Allowed

Improper Handling of Parameters

Abstraction: Base · Status: Incomplete

The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

51 vulnerabilities reference this CWE, most recent first.

GHSA-7366-87V7-R2GG

Vulnerability from github – Published: 2023-03-02 09:30 – Updated: 2026-05-18 15:30
VLAI
Details

Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users.This issue affects Library Automation System: before 19.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-02T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users.This issue affects Library Automation System: before 19.2.",
  "id": "GHSA-7366-87v7-r2gg",
  "modified": "2026-05-18T15:30:31Z",
  "published": "2023-03-02T09:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45477"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0119"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0119"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPX3-93W7-457X

Vulnerability from github – Published: 2022-10-28 19:00 – Updated: 2023-08-31 21:28
VLAI
Summary
Ansible leaks password to logs
Details

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-24T23:11:22Z",
    "nvd_published_at": "2022-10-28T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
  "id": "GHSA-cpx3-93w7-457x",
  "modified": "2023-08-31T21:28:27Z",
  "published": "2022-10-28T19:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/35749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible-community/ansible-build-data/blob/main/6/CHANGELOG-v6.rst"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ansible leaks password to logs"
}

GHSA-FJ2R-48WP-HCM4

Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-05-28 06:31
VLAI
Details

This vulnerability in Veeam Service Provider Console allows for remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T05:16:35Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability in Veeam Service Provider Console allows for remote code execution.",
  "id": "GHSA-fj2r-48wp-hcm4",
  "modified": "2026-05-28T06:31:08Z",
  "published": "2026-05-28T06:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32998"
    },
    {
      "type": "WEB",
      "url": "https://www.veeam.com/kb4853"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FPQ7-2GC8-R9RX

Vulnerability from github – Published: 2024-02-29 06:30 – Updated: 2024-08-29 21:31
VLAI
Details

An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T06:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL.",
  "id": "GHSA-fpq7-2gc8-r9rx",
  "modified": "2024-08-29T21:31:02Z",
  "published": "2024-02-29T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24525"
    },
    {
      "type": "WEB",
      "url": "https://l3v3lforall.github.io/EpointWebBuilder_v5.x_VULN"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G68W-W4H2-FR59

Vulnerability from github – Published: 2026-03-30 00:31 – Updated: 2026-06-30 03:36
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T00:16:01Z",
    "severity": "HIGH"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.",
  "id": "GHSA-g68w-w4h2-fr59",
  "modified": "2026-06-30T03:36:04Z",
  "published": "2026-03-30T00:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2370"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3522829"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2370"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452920"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/589635"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2370.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6RJ-RV7J-XWP4

Vulnerability from github – Published: 2021-06-08 18:49 – Updated: 2024-10-09 20:06
VLAI
Summary
Pillow denial of service
Details

An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pillow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-28675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233",
      "CWE-252"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-03T21:41:46Z",
    "nvd_published_at": "2021-06-02T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Pillow before 8.2.0. `PSDImagePlugin.PsdImageFile` lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on `Image.open` prior to `Image.load`.",
  "id": "GHSA-g6rj-rv7j-xwp4",
  "modified": "2024-10-09T20:06:42Z",
  "published": "2021-06-08T18:49:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/pull/5377/commits/22e9bee4ef225c0edbb9323f94c26cee0c623497"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-g6rj-rv7j-xwp4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-139.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-pillow/Pillow"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"
    },
    {
      "type": "WEB",
      "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pillow denial of service"
}

GHSA-GC3J-VVWF-4RP8

Vulnerability from github – Published: 2023-12-18 19:34 – Updated: 2023-12-22 22:26
VLAI
Summary
Resque vulnerable to reflected XSS in resque-web failed and queues lists
Details

Impact

The following paths in resque-web have been found to be vulnerable to reflected XSS:

/failed/?class=<script>alert(document.cookie)</script>
/queues/><img src=a onerror=alert(document.cookie)>

Patches

v2.2.1

Workarounds

No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.

References

https://github.com/resque/resque/pull/1790

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "resque"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-18T19:34:06Z",
    "nvd_published_at": "2023-12-22T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe following paths in resque-web have been found to be vulnerable to reflected XSS:\n\n```\n/failed/?class=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n/queues/\u003e\u003cimg src=a onerror=alert(document.cookie)\u003e\n```\n\n### Patches\n\nv2.2.1\n\n### Workarounds\n\nNo known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.\n\n### References\n\nhttps://github.com/resque/resque/pull/1790\n",
  "id": "GHSA-gc3j-vvwf-4rp8",
  "modified": "2023-12-22T22:26:56Z",
  "published": "2023-12-18T19:34:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50725"
    },
    {
      "type": "WEB",
      "url": "https://github.com/resque/resque/pull/1790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/resque/resque"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Resque vulnerable to reflected XSS in resque-web failed and queues lists"
}

GHSA-H33H-3XRC-R94P

Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-11 15:30
VLAI
Details

Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T15:16:11Z",
    "severity": "HIGH"
  },
  "details": "Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution",
  "id": "GHSA-h33h-3xrc-r94p",
  "modified": "2026-02-11T15:30:27Z",
  "published": "2026-02-11T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20514"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/Emb-Auto.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HQRQ-QHRV-9WXQ

Vulnerability from github – Published: 2024-03-27 18:32 – Updated: 2024-03-27 18:32
VLAI
Details

A vulnerability in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying host operating system. To exploit this vulnerability, an attacker must have level 15 privileges on the affected device.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted CLI command to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying operating system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-27T17:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying host operating system. To exploit this vulnerability, an attacker must have level 15 privileges on the affected device. \n\n This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted CLI command to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying operating system.",
  "id": "GHSA-hqrq-qhrv-9wxq",
  "modified": "2024-03-27T18:32:38Z",
  "published": "2024-03-27T18:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20306"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-utd-cmd-JbL8KvHT"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HVW5-3MGW-7RCF

Vulnerability from github – Published: 2024-11-17 12:30 – Updated: 2024-11-18 20:08
VLAI
Summary
Debezium database connector has a script injection vulnerability
Details

A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.debezium:debezium-connector-mysql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0.Alpha1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.debezium:debezium-connector-sqlserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0.Alpha1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.debezium:debezium-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0.Alpha1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-18T20:08:44Z",
    "nvd_published_at": "2024-11-17T11:15:05Z",
    "severity": "MODERATE"
  },
  "details": "A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.",
  "id": "GHSA-hvw5-3mgw-7rcf",
  "modified": "2024-11-18T20:08:44Z",
  "published": "2024-11-17T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/debezium/debezium/commit/58ef4f0b98428cc795c2844eaa6e1762e8248227"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-1419"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178722"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/debezium/debezium"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Debezium database connector has a script injection vulnerability"
}

No mitigation information available for this CWE.

CAPEC-39: Manipulating Opaque Client-based Data Tokens

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.