CVEbaza.plCWE DictionaryCWE-755
Common Weakness Enumeration

CWE-755

Improper Handling of Exceptional Conditions

Category: ClassCVE: 676
Description

The product does not handle or incorrectly handles an exceptional condition.

CVE vulnerabilities with CWE-755 (676)
9.8
CVSS
CRITICAL
CVE-2021-42142

An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers mishandle the early use of a large epoch number. This vulnerability allows remote attackers to cause a denial of service and false-positive packet drops.

pub. 2024-01-23
9.8
CVSS
CRITICAL
CVE-2021-42141

An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One incorrect handshake could complete with different epoch numbers in the packets Client_Hello, Client_key_exchange, and Change_cipher_spec, which may cause denial of service.

pub. 2024-01-22
9.8
CVSS
CRITICAL
CVE-2023-38406

bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."

pub. 2023-11-06
9.8
CVSS
CRITICAL
CVE-2022-23121

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819.

pub. 2023-03-28
9.8
CVSS
CRITICAL
CVE-2021-4105

Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion. This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727.

pub. 2023-02-24
9.8
CVSS
CRITICAL
CVE-2022-48328

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.

pub. 2023-02-20
9.8
CVSS
CRITICAL
CVE-2022-48329

MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.

pub. 2023-02-20
9.8
CVSS
CRITICAL
CVE-2022-31799

Bottle before 0.12.20 mishandles errors during early request binding.

pub. 2022-06-02
9.8
CVSS
CRITICAL
CVE-2021-40391

An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

pub. 2021-11-19
9.8
CVSS
CRITICAL
CVE-2021-43272

An improper handling of exceptional conditions vulnerability exists in Open Design Alliance ODA Viewer sample before 2022.11. ODA Viewer continues to process invalid or malicious DWF files instead of stopping upon an exception. An attacker can leverage this vulnerability to execute code in the context of the current process.

pub. 2021-11-14
9.8
CVSS
CRITICAL
CVE-2021-38384

Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions).

pub. 2021-08-10
9.8
CVSS
CRITICAL
CVE-2021-36128

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented.

pub. 2021-07-02
9.8
CVSS
CRITICAL
CVE-2020-13859

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature.

pub. 2021-02-01
9.8
CVSS
CRITICAL
CVE-2020-24753

A memory corruption vulnerability in Objective Open CBOR Run-time (oocborrt) in versions before 2020-08-12 could allow an attacker to execute code via crafted Concise Binary Object Representation (CBOR) input to the cbor2json decoder. An uncaught error while decoding CBOR Major Type 3 text strings leads to the use of an attacker-controllable uninitialized stack value. This can be used to modify memory, causing a crash or potentially exploitable heap corruption.

pub. 2020-09-17
9.8
CVSS
CRITICAL
CVE-2020-7247

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

pub. 2020-01-29🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2009-5043

burn allows file names to escape via mishandled quotation marks

pub. 2019-10-31
9.8
CVSS
CRITICAL
CVE-2019-17195

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

pub. 2019-10-15
9.8
CVSS
CRITICAL
CVE-2019-14431

In MatrixSSL 3.8.3 Open through 4.2.1 Open, the DTLS server mishandles incoming network messages leading to a heap-based buffer overflow of up to 256 bytes and possible Remote Code Execution in parseSSLHandshake in sslDecode.c. During processing of a crafted packet, the server mishandles the fragment length value provided in the DTLS message.

pub. 2019-07-29
9.8
CVSS
CRITICAL
CVE-2019-12815

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

pub. 2019-07-19
9.8
CVSS
CRITICAL
CVE-2019-6256

A Denial of Service issue was discovered in the LIVE555 Streaming Media libraries as used in Live555 Media Server 0.93. It can cause an RTSPServer crash in handleHTTPCmd_TunnelingPOST, when RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP headers in a GET request and a POST request within the same TCP session. This occurs because of a call to an incorrect virtual function pointer in the readSocket function in GroupsockHelper.cpp.

pub. 2019-01-14
Showing 20 of 676 vulnerabilities
Information
ID: CWE-755
Type: Class
Vulnerabilities: 676
MITRE CWE ↗
← CWE Dictionary