CWE-233
AllowedImproper Handling of Parameters
Abstraction: Base · Status: Incomplete
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
51 vulnerabilities reference this CWE, most recent first.
GHSA-7366-87V7-R2GG
Vulnerability from github – Published: 2023-03-02 09:30 – Updated: 2026-05-18 15:30Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users.This issue affects Library Automation System: before 19.2.
{
"affected": [],
"aliases": [
"CVE-2021-45477"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-02T09:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users.This issue affects Library Automation System: before 19.2.",
"id": "GHSA-7366-87v7-r2gg",
"modified": "2026-05-18T15:30:31Z",
"published": "2023-03-02T09:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45477"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0119"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0119"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CPX3-93W7-457X
Vulnerability from github – Published: 2022-10-28 19:00 – Updated: 2023-08-31 21:28A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3697"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-24T23:11:22Z",
"nvd_published_at": "2022-10-28T16:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
"id": "GHSA-cpx3-93w7-457x",
"modified": "2023-08-31T21:28:27Z",
"published": "2022-10-28T19:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3697"
},
{
"type": "WEB",
"url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/35749"
},
{
"type": "WEB",
"url": "https://github.com/ansible-community/ansible-build-data/blob/main/6/CHANGELOG-v6.rst"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ansible leaks password to logs"
}
GHSA-FJ2R-48WP-HCM4
Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-05-28 06:31This vulnerability in Veeam Service Provider Console allows for remote code execution.
{
"affected": [],
"aliases": [
"CVE-2026-32998"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T05:16:35Z",
"severity": "CRITICAL"
},
"details": "This vulnerability in Veeam Service Provider Console allows for remote code execution.",
"id": "GHSA-fj2r-48wp-hcm4",
"modified": "2026-05-28T06:31:08Z",
"published": "2026-05-28T06:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32998"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb4853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FPQ7-2GC8-R9RX
Vulnerability from github – Published: 2024-02-29 06:30 – Updated: 2024-08-29 21:31An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL.
{
"affected": [],
"aliases": [
"CVE-2024-24525"
],
"database_specific": {
"cwe_ids": [
"CWE-233",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T06:15:47Z",
"severity": "CRITICAL"
},
"details": "An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL.",
"id": "GHSA-fpq7-2gc8-r9rx",
"modified": "2024-08-29T21:31:02Z",
"published": "2024-02-29T06:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24525"
},
{
"type": "WEB",
"url": "https://l3v3lforall.github.io/EpointWebBuilder_v5.x_VULN"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G68W-W4H2-FR59
Vulnerability from github – Published: 2026-03-30 00:31 – Updated: 2026-06-30 03:36GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
{
"affected": [],
"aliases": [
"CVE-2026-2370"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T00:16:01Z",
"severity": "HIGH"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.",
"id": "GHSA-g68w-w4h2-fr59",
"modified": "2026-06-30T03:36:04Z",
"published": "2026-03-30T00:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2370"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3522829"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-2370"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452920"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/589635"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2370.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G6RJ-RV7J-XWP4
Vulnerability from github – Published: 2021-06-08 18:49 – Updated: 2024-10-09 20:06An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pillow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28675"
],
"database_specific": {
"cwe_ids": [
"CWE-233",
"CWE-252"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-03T21:41:46Z",
"nvd_published_at": "2021-06-02T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Pillow before 8.2.0. `PSDImagePlugin.PsdImageFile` lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on `Image.open` prior to `Image.load`.",
"id": "GHSA-g6rj-rv7j-xwp4",
"modified": "2024-10-09T20:06:42Z",
"published": "2021-06-08T18:49:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28675"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/pull/5377/commits/22e9bee4ef225c0edbb9323f94c26cee0c623497"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-g6rj-rv7j-xwp4"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-139.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-pillow/Pillow"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"
},
{
"type": "WEB",
"url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pillow denial of service"
}
GHSA-GC3J-VVWF-4RP8
Vulnerability from github – Published: 2023-12-18 19:34 – Updated: 2023-12-22 22:26Impact
The following paths in resque-web have been found to be vulnerable to reflected XSS:
/failed/?class=<script>alert(document.cookie)</script>
/queues/><img src=a onerror=alert(document.cookie)>
Patches
v2.2.1
Workarounds
No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.
References
https://github.com/resque/resque/pull/1790
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "resque"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50725"
],
"database_specific": {
"cwe_ids": [
"CWE-233",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T19:34:06Z",
"nvd_published_at": "2023-12-22T20:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe following paths in resque-web have been found to be vulnerable to reflected XSS:\n\n```\n/failed/?class=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n/queues/\u003e\u003cimg src=a onerror=alert(document.cookie)\u003e\n```\n\n### Patches\n\nv2.2.1\n\n### Workarounds\n\nNo known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.\n\n### References\n\nhttps://github.com/resque/resque/pull/1790\n",
"id": "GHSA-gc3j-vvwf-4rp8",
"modified": "2023-12-22T22:26:56Z",
"published": "2023-12-18T19:34:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50725"
},
{
"type": "WEB",
"url": "https://github.com/resque/resque/pull/1790"
},
{
"type": "WEB",
"url": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07"
},
{
"type": "PACKAGE",
"url": "https://github.com/resque/resque"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Resque vulnerable to reflected XSS in resque-web failed and queues lists"
}
GHSA-H33H-3XRC-R94P
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-11 15:30Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution
{
"affected": [],
"aliases": [
"CVE-2023-20514"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T15:16:11Z",
"severity": "HIGH"
},
"details": "Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution",
"id": "GHSA-h33h-3xrc-r94p",
"modified": "2026-02-11T15:30:27Z",
"published": "2026-02-11T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20514"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/Emb-Auto.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HQRQ-QHRV-9WXQ
Vulnerability from github – Published: 2024-03-27 18:32 – Updated: 2024-03-27 18:32A vulnerability in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying host operating system. To exploit this vulnerability, an attacker must have level 15 privileges on the affected device.
This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted CLI command to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2024-20306"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-27T17:15:52Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying host operating system. To exploit this vulnerability, an attacker must have level 15 privileges on the affected device. \n\n This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting a crafted CLI command to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying operating system.",
"id": "GHSA-hqrq-qhrv-9wxq",
"modified": "2024-03-27T18:32:38Z",
"published": "2024-03-27T18:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20306"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-utd-cmd-JbL8KvHT"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVW5-3MGW-7RCF
Vulnerability from github – Published: 2024-11-17 12:30 – Updated: 2024-11-18 20:08A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.debezium:debezium-connector-mysql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0.Alpha1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.debezium:debezium-connector-sqlserver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0.Alpha1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.debezium:debezium-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0.Alpha1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1419"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-18T20:08:44Z",
"nvd_published_at": "2024-11-17T11:15:05Z",
"severity": "MODERATE"
},
"details": "A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.",
"id": "GHSA-hvw5-3mgw-7rcf",
"modified": "2024-11-18T20:08:44Z",
"published": "2024-11-17T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1419"
},
{
"type": "WEB",
"url": "https://github.com/debezium/debezium/commit/58ef4f0b98428cc795c2844eaa6e1762e8248227"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-1419"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178722"
},
{
"type": "PACKAGE",
"url": "https://github.com/debezium/debezium"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Debezium database connector has a script injection vulnerability"
}
No mitigation information available for this CWE.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.