CWE-1284
AllowedImproper Validation of Specified Quantity in Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
494 vulnerabilities reference this CWE, most recent first.
GHSA-P3QX-XPHH-H4VV
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32A logic issue was addressed with improved restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access information about a user's contacts.
{
"affected": [],
"aliases": [
"CVE-2025-24100"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:15Z",
"severity": "LOW"
},
"details": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access information about a user\u0027s contacts.",
"id": "GHSA-p3qx-xphh-h4vv",
"modified": "2025-11-03T21:32:24Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24100"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P4QJ-FGM6-87W7
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.
{
"affected": [],
"aliases": [
"CVE-2026-3676"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:16:47Z",
"severity": "MODERATE"
},
"details": "IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.",
"id": "GHSA-p4qj-fgm6-87w7",
"modified": "2026-05-27T15:33:12Z",
"published": "2026-05-27T15:33:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3676"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7273649"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P635-CHCG-QXPC
Vulnerability from github – Published: 2025-11-03 18:31 – Updated: 2025-11-03 18:31IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length.
{
"affected": [],
"aliases": [
"CVE-2025-36092"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-03T16:15:34Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length.",
"id": "GHSA-p635-chcg-qxpc",
"modified": "2025-11-03T18:31:51Z",
"published": "2025-11-03T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36092"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7249999"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P7Q7-P9R8-M9Q3
Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31Improper Validation of Specified Quantity in Input vulnerability in The Events Calendar BookIt allows Manipulating Hidden Fields.This issue affects BookIt: from n/a through 2.4.0.
{
"affected": [],
"aliases": [
"CVE-2024-24715"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T09:15:22Z",
"severity": "MODERATE"
},
"details": "Improper Validation of Specified Quantity in Input vulnerability in The Events Calendar BookIt allows Manipulating Hidden Fields.This issue affects BookIt: from n/a through 2.4.0.",
"id": "GHSA-p7q7-p9r8-m9q3",
"modified": "2024-05-17T09:31:02Z",
"published": "2024-05-17T09:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24715"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/bookit/wordpress-wordpress-bookit-plugin-plugin-2-4-0-price-bypass-vulnerability-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P8C7-9H6J-9WMG
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality.
{
"affected": [],
"aliases": [
"CVE-2023-54337"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:16:01Z",
"severity": "MODERATE"
},
"details": "Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality.",
"id": "GHSA-p8c7-9h6j-9wmg",
"modified": "2026-01-14T00:31:29Z",
"published": "2026-01-14T00:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54337"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51066"
},
{
"type": "WEB",
"url": "https://www.sysax.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sysax-multi-server-password-denial-of-service-poc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PCF5-PV9F-HRQM
Vulnerability from github – Published: 2024-04-15 18:30 – Updated: 2024-04-15 18:30A vulnerability was reported
in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014
that could allow a privileged attacker with local access to modify the boot manager and escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2024-23593"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-15T18:15:10Z",
"severity": "MODERATE"
},
"details": "\nA vulnerability was reported\n\nin a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014\n\n that could allow a privileged attacker with local access to modify the boot manager and escalate privileges. \n\n",
"id": "GHSA-pcf5-pv9f-hrqm",
"modified": "2024-04-15T18:30:51Z",
"published": "2024-04-15T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23593"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-132277"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PCW9-XW4X-JGJ3
Vulnerability from github – Published: 2023-06-23 21:30 – Updated: 2025-02-28 15:30The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers.
{
"affected": [],
"aliases": [
"CVE-2023-34188"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T20:15:09Z",
"severity": "HIGH"
},
"details": "The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers.",
"id": "GHSA-pcw9-xw4x-jgj3",
"modified": "2025-02-28T15:30:58Z",
"published": "2023-06-23T21:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34188"
},
{
"type": "WEB",
"url": "https://github.com/cesanta/mongoose/pull/2197"
},
{
"type": "WEB",
"url": "https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f"
},
{
"type": "WEB",
"url": "https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server"
},
{
"type": "WEB",
"url": "https://github.com/cesanta/mongoose/compare/7.9...7.10"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250228-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PH8C-F4JV-6J8G
Vulnerability from github – Published: 2023-08-21 00:30 – Updated: 2023-08-21 00:30A vulnerability was found in SourceCodester Card Holder Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Minus Value Handler. The manipulation leads to improper validation of specified quantity in input. The attack may be launched remotely. The identifier of this vulnerability is VDB-237560.
{
"affected": [],
"aliases": [
"CVE-2023-4439"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-20T23:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in SourceCodester Card Holder Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Minus Value Handler. The manipulation leads to improper validation of specified quantity in input. The attack may be launched remotely. The identifier of this vulnerability is VDB-237560.",
"id": "GHSA-ph8c-f4jv-6j8g",
"modified": "2023-08-21T00:30:27Z",
"published": "2023-08-21T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4439"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.237560"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.237560"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP47-7R4F-FFRQ
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30A vulnerability was discovered in Samsung Mobile Processors Exynos 2200 and Exynos 2400 where they lack a check for the validation of native handles, which can result in a DoS(Denial of Service) attack by unmapping an invalid length.
{
"affected": [],
"aliases": [
"CVE-2024-31957"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T18:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in Samsung Mobile Processors Exynos 2200 and Exynos 2400 where they lack a check for the validation of native handles, which can result in a DoS(Denial of Service) attack by unmapping an invalid length.",
"id": "GHSA-pp47-7r4f-ffrq",
"modified": "2024-07-09T18:30:53Z",
"published": "2024-07-09T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31957"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-31957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP7W-98JH-P48W
Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-11-04 18:31Improper input validation in SMU may allow an attacker with privileges and a compromised physical function (PF) to modify the PCIe® lane count and speed, potentially leading to a loss of availability.
{
"affected": [],
"aliases": [
"CVE-2023-31304"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T17:15:20Z",
"severity": "LOW"
},
"details": "Improper input validation in SMU may allow an attacker with privileges and a compromised physical function (PF) \u00a0 \u00a0 to modify the PCIe\u00ae lane count and speed, potentially leading to a loss of availability.",
"id": "GHSA-pp7w-98jh-p48w",
"modified": "2024-11-04T18:31:18Z",
"published": "2024-08-13T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31304"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6005.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.