CWE-233
AllowedImproper Handling of Parameters
Abstraction: Base · Status: Incomplete
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
51 vulnerabilities reference this CWE, most recent first.
GHSA-JC24-HJQ6-4G6F
Vulnerability from github – Published: 2025-08-12 21:31 – Updated: 2025-08-14 21:31A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.
{
"affected": [],
"aliases": [
"CVE-2025-52970"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T19:15:32Z",
"severity": "HIGH"
},
"details": "A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.",
"id": "GHSA-jc24-hjq6-4g6f",
"modified": "2025-08-14T21:31:57Z",
"published": "2025-08-12T21:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52970"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-448"
},
{
"type": "WEB",
"url": "https://pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ3F-MFMG-747X
Vulnerability from github – Published: 2024-09-30 09:30 – Updated: 2024-10-07 18:52In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is /management/domain. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.glassfish.main.admin:rest-service"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9329"
],
"database_specific": {
"cwe_ids": [
"CWE-233",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-30T17:13:15Z",
"nvd_published_at": "2024-09-30T08:15:05Z",
"severity": "MODERATE"
},
"details": "In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is `/management/domain`. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.",
"id": "GHSA-jq3f-mfmg-747x",
"modified": "2024-10-07T18:52:19Z",
"published": "2024-09-30T09:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9329"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-ee4j/glassfish/pull/25106"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-ee4j/glassfish/commit/6ca35eee2ba90a8108984b27bec33f9cc50cd83b"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-ee4j/glassfish"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/232"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Eclipse Glassfish improperly handles http parameters"
}
GHSA-MW95-JJMC-Q5F9
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-08-01 15:31Cross Site Scripting vulnerability in TOTOLINK X2000R before v1.0.0-B20231213.1013 allows a remote attacker to execute arbitrary code via the Guest Access Control parameter in the Wireless Page.
{
"affected": [],
"aliases": [
"CVE-2024-33433"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:37:38Z",
"severity": "MODERATE"
},
"details": "Cross Site Scripting vulnerability in TOTOLINK X2000R before v1.0.0-B20231213.1013 allows a remote attacker to execute arbitrary code via the Guest Access Control parameter in the Wireless Page.",
"id": "GHSA-mw95-jjmc-q5f9",
"modified": "2024-08-01T15:31:44Z",
"published": "2024-05-14T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33433"
},
{
"type": "WEB",
"url": "https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/X2000R/XSS_2_Guest_Access_Control/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2RW-HPHV-7MVH
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2024-07-09 12:30A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application contains a misconfiguration in the APT update. This could allow an attacker to add insecure packages to the application.
{
"affected": [],
"aliases": [
"CVE-2022-32261"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T10:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.1). The affected application contains a misconfiguration in the APT update. This could allow an attacker to add insecure packages to the application.",
"id": "GHSA-r2rw-hphv-7mvh",
"modified": "2024-07-09T12:30:55Z",
"published": "2022-06-15T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32261"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-484086.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8XX-8VM8-X6WJ
Vulnerability from github – Published: 2023-12-18 19:34 – Updated: 2024-01-19 20:50Impact
resque-web in resque versions before 2.1.0 is vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint.
Patches
v2.1.0
Workarounds
No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.
References
https://github.com/resque/resque/issues/1679 https://github.com/resque/resque/pull/1687
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "resque"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50724"
],
"database_specific": {
"cwe_ids": [
"CWE-233",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T19:34:14Z",
"nvd_published_at": "2023-12-21T15:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nresque-web in resque versions before 2.1.0 is vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint.\n\n### Patches\n\nv2.1.0\n\n### Workarounds\n\nNo known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.\n\n### References\nhttps://github.com/resque/resque/issues/1679\nhttps://github.com/resque/resque/pull/1687\n",
"id": "GHSA-r8xx-8vm8-x6wj",
"modified": "2024-01-19T20:50:49Z",
"published": "2023-12-18T19:34:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50724"
},
{
"type": "WEB",
"url": "https://github.com/resque/resque/issues/1679"
},
{
"type": "WEB",
"url": "https://github.com/resque/resque/pull/1687"
},
{
"type": "WEB",
"url": "https://github.com/resque/resque/commit/e8e2367fff6990d13109ec2483a456a05fbf9811"
},
{
"type": "PACKAGE",
"url": "https://github.com/resque/resque"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50724.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Resque vulnerable to Reflected Cross Site Scripting through pathnames"
}
GHSA-R9MQ-M72X-257G
Vulnerability from github – Published: 2023-12-18 19:33 – Updated: 2023-12-22 22:27Impact
Reflected XSS can be performed using the current_queue portion of the path on the /queues endpoint of resque-web.
Patches
v2.6.0
Workarounds
No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.
References
https://github.com/resque/resque/pull/1865
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "resque"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50727"
],
"database_specific": {
"cwe_ids": [
"CWE-233",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T19:33:58Z",
"nvd_published_at": "2023-12-22T21:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nReflected XSS can be performed using the current_queue portion of the path on the /queues endpoint of resque-web.\n\n### Patches\n\nv2.6.0\n\n### Workarounds\n\nNo known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.\n\n### References\n\nhttps://github.com/resque/resque/pull/1865\n",
"id": "GHSA-r9mq-m72x-257g",
"modified": "2023-12-22T22:27:07Z",
"published": "2023-12-18T19:33:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50727"
},
{
"type": "WEB",
"url": "https://github.com/resque/resque/pull/1865"
},
{
"type": "WEB",
"url": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a"
},
{
"type": "PACKAGE",
"url": "https://github.com/resque/resque"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50727.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Resque vulnerable to reflected XSS in Queue Endpoint"
}
GHSA-RQQ8-2MXG-MGR6
Vulnerability from github – Published: 2026-01-30 12:31 – Updated: 2026-01-30 12:31Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
{
"affected": [],
"aliases": [
"CVE-2026-22626"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-30T11:15:56Z",
"severity": "MODERATE"
},
"details": "Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.",
"id": "GHSA-rqq8-2mxg-mgr6",
"modified": "2026-01-30T12:31:20Z",
"published": "2026-01-30T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22626"
},
{
"type": "WEB",
"url": "https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V466-77R2-7589
Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32WebDrive 18.00.5057 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the username field during Secure WebDAV connection setup. Attackers can input a buffer-overflow payload of 5000 bytes in the username parameter and trigger a connection test to cause the application to crash.
{
"affected": [],
"aliases": [
"CVE-2018-25233"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T12:16:17Z",
"severity": "MODERATE"
},
"details": "WebDrive 18.00.5057 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the username field during Secure WebDAV connection setup. Attackers can input a buffer-overflow payload of 5000 bytes in the username parameter and trigger a connection test to cause the application to crash.",
"id": "GHSA-v466-77r2-7589",
"modified": "2026-03-30T12:32:27Z",
"published": "2026-03-30T12:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25233"
},
{
"type": "WEB",
"url": "https://webdrive.com"
},
{
"type": "WEB",
"url": "https://webdrive.com/download"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45761"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/webdrive-denial-of-service-via-secure-webdav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VC4R-VV86-49PV
Vulnerability from github – Published: 2024-01-12 18:30 – Updated: 2024-01-12 18:30The Real-Time Streaming Protocol implementation in the MIB3 infotainment incorrectly handles requests to /logs URI, when the id parameter equals to zero. This issue allows an attacker connected to the in-vehicle Wi-Fi network to cause denial-of-service of the infotainment system, when the certain preconditions are met.
Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
{
"affected": [],
"aliases": [
"CVE-2023-28898"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T16:15:51Z",
"severity": "MODERATE"
},
"details": "The Real-Time Streaming Protocol implementation in the MIB3 infotainment incorrectly handles requests to /logs URI, when the id parameter equals to zero. This issue allows an attacker connected to the in-vehicle Wi-Fi network to cause denial-of-service of the infotainment system, when the certain preconditions are met.\n\nVulnerability discovered on \u0160koda Superb III (3V3) - 2.0 TDI manufactured in 2022.\n",
"id": "GHSA-vc4r-vv86-49pv",
"modified": "2024-01-12T18:30:20Z",
"published": "2024-01-12T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28898"
},
{
"type": "WEB",
"url": "https://nonexistent.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQPX-JX44-JFM6
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of the QNX Neutrino kernel.
{
"affected": [],
"aliases": [
"CVE-2026-0515"
],
"database_specific": {
"cwe_ids": [
"CWE-233"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:10Z",
"severity": "MODERATE"
},
"details": "Insufficient Parameter Validation in the SchedGet() system call could allow an attacker with local access to cause a crash of the QNX Neutrino kernel.",
"id": "GHSA-vqpx-jx44-jfm6",
"modified": "2026-07-14T18:32:13Z",
"published": "2026-07-14T18:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0515"
},
{
"type": "WEB",
"url": "https://support.blackberry.com/pkb/s/article/141213"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.