CVEbaza.plSłownik CWECWE-233
Common Weakness Enumeration

CWE-233

Improper Handling of Parameters

Kategoria: BaseCVE: 31
Opis

Produkt nie obsługuje prawidłowo sytuacji, gdy oczekiwana liczba parametrów, pól lub argumentów nie jest dostarczona na wejściu lub gdy parametry są niezdefiniowane. Może to prowadzić do nieoczekiwanego zachowania aplikacji lub błędów w jej działaniu.

Description (EN)

The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

Podatności CVE z CWE-233 (31)
9.8
CVSS
CRITICAL
CVE-2024-24525

Podatność w EpointWebBuilder umożliwia zdalnemu, nieuwierzytelnionemu atakującemu wykonanie dowolnego kodu na serwerze poprzez manipulację parametrem infoid w adresie URL. Ze względu na brak wymagań dotyczących uwierzytelnienia i maksymalny wynik CVSS 9.8, podatność stanowi krytyczne zagrożenie dla systemów korzystających z tej aplikacji.

pub. 2024-02-29
9.8
CVSS
CRITICAL
CVE-2022-45182

Pi-Star_DV_Dash (for Pi-Star DV) before 5aa194d mishandles the module parameter.

pub. 2022-11-11
9.4
CVSS
CRITICAL
CVE-2026-32998

Krytyczna podatność w Veeam Service Provider Console umożliwia zdalne wykonanie kodu (RCE) przez uwierzytelnionego użytkownika sieciowego. Ze względu na ocenę CVSS 9.4 oraz potencjalny wpływ na systemy zewnętrzne, stanowi poważne zagrożenie dla infrastruktury dostawców usług zarządzanych.

pub. 2026-05-28
8.8
CVSS
HIGH
CVE-2024-31808

TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the webWlanIdx parameter in the setWebWlanIdx function.

pub. 2024-04-08
8.8
CVSS
HIGH
CVE-2021-0269

The improper handling of client-side parameters in J-Web of Juniper Networks Junos OS allows an attacker to perform a number of different malicious actions against a target device when a user is authenticated to J-Web. An attacker may be able to supersede existing parameters, including hardcoded parameters within the HTTP/S session, access and exploit variables, bypass web application firewall rules or input validation mechanisms, and otherwise alter and modify J-Web's normal behavior. An attacker may be able to transition victims to malicious web services, or exfiltrate sensitive information from otherwise secure web forms. This issue affects: Juniper Networks Junos OS: All versions prior to 17.4R3-S3; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R3-S6; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R2-S2, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2.

pub. 2021-04-22
8.7
CVSS
HIGH
CVE-2023-20514

Improper handling of parameters in the AMD Secure Processor (ASP) could allow a privileged attacker to pass an arbitrary memory value to functions in the trusted execution environment resulting in arbitrary code execution

pub. 2026-02-11
8.6
CVSS
HIGH
CVE-2021-1230

A vulnerability with the Border Gateway Protocol (BGP) for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a routing process to crash, which could lead to a denial of service (DoS) condition. This vulnerability is due to an issue with the installation of routes upon receipt of a BGP update. An attacker could exploit this vulnerability by sending a crafted BGP update to an affected device. A successful exploit could allow the attacker to cause the routing process to crash, which could cause the device to reload. This vulnerability applies to both Internal BGP (IBGP) and External BGP (EBGP). Note: The Cisco implementation of BGP accepts incoming BGP traffic from explicitly configured peers only. To exploit this vulnerability, an attacker would need to send a specific BGP update message over an established TCP connection that appears to come from a trusted BGP peer.

pub. 2021-02-24
8.1
CVSS
HIGH
CVE-2026-2370

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.

pub. 2026-03-30
8.1
CVSS
HIGH
CVE-2025-52970

A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.

pub. 2025-08-12
7.8
CVSS
HIGH
CVE-2023-7261

Inappropriate implementation in Google Updator prior to 1.3.36.351 in Google Chrome allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High)

pub. 2024-06-07
7.5
CVSS
HIGH
CVE-2023-26549

The SystemUI module has a vulnerability of repeated app restart due to improper parameters. Successful exploitation of this vulnerability may affect confidentiality.

pub. 2023-03-27
7.5
CVSS
HIGH
CVE-2022-3697

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

pub. 2022-10-28
7.2
CVSS
HIGH
CVE-2025-55080

In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameters verification wasn't enough, allowing an attacker to obtain an arbitrary memory read/write.

pub. 2025-10-15
7.2
CVSS
HIGH
CVE-2023-20076

A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system.

pub. 2023-02-12
6.9
CVSS
MEDIUM
CVE-2018-25233

WebDrive 18.00.5057 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the username field during Secure WebDAV connection setup. Attackers can input a buffer-overflow payload of 5000 bytes in the username parameter and trigger a connection test to cause the application to crash.

pub. 2026-03-30
6.9
CVSS
MEDIUM
CVE-2024-9329

In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

pub. 2024-09-30
6.6
CVSS
MEDIUM
CVE-2022-22792

MobiSoft - MobiPlus User Take Over and Improper Handling of url Parameters Attacker can navigate to specific url which will expose all the users and password in clear text. http://IP/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users

pub. 2022-02-16
6.5
CVSS
MEDIUM
CVE-2021-45477

Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2.

pub. 2023-03-02
6.5
CVSS
MEDIUM
CVE-2021-45478

Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2.

pub. 2023-03-02
6.1
CVSS
MEDIUM
CVE-2023-40819

ID4Portais in version < V.2022.837.002a returns message parameter unsanitized in the response, resulting in a HTML Injection vulnerability.

pub. 2024-08-06
Pokazano 20 z 31 podatności
Informacje
ID: CWE-233
Typ: Base
Podatności: 31
MITRE CWE ↗
← Słownik CWE
CWE-233 — Nieprawidłowa obsługa parametrów | Słownik CWE | CVEbaza.pl