CWE-116

Improper Encoding or Escaping of Output

Class · Draft · Likelihood: High

Description

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-104 · CAPEC-73 · CAPEC-81 · CAPEC-85

CVEs mapped to this weakness (216)

page 10 of 11
  • CVE-2021-42010 · Oct 24, 2022
    risk 0.00 · cvss · epss 0.01

    Heron versions <= 0.20.4-incubating allow CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating, which addresses this issue.

  • CVE-2022-36100 · Sep 8, 2022
    risk 0.00 · cvss · epss 0.74

    XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't…

  • CVE-2022-36099 · Sep 8, 2022
    risk 0.00 · cvss · epss 0.76

    XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki platform. Starting with version 5.3-milestone-2 and prior to versions 13.10.6 and 14.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script…

  • CVE-2021-4041 · Aug 24, 2022
    risk 0.00 · cvss · epss 0.00

    A flaw was found in ansible-runner. Improper escaping of the shell command when calling ansible_runner.interface.run_command can lead to parameters being executed as shell commands on the host. A developer could unintentionally write code that gets executed in the host…

  • CVE-2020-36599 · Aug 18, 2022
    risk 0.00 · cvss · epss 0.01

    lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

  • CVE-2022-2099 · Jul 17, 2022
    risk 0.00 · cvss · epss 0.01

    The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles.

  • CVE-2022-32549 · Jun 22, 2022
    risk 0.00 · cvss · epss 0.02

    Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

  • CVE-2022-29258 · May 31, 2022
    risk 0.00 · cvss · epss 0.01

    XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3, XWiki…

  • CVE-2022-29251 · May 25, 2022
    risk 0.00 · cvss · epss 0.01

    XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the…

  • CVE-2022-29252 · May 25, 2022
    risk 0.00 · cvss · epss 0.01

    XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki` wiki page related to the "requestJoin" field. The issue is…

  • CVE-2022-29599 · May 23, 2022
    risk 0.00 · cvss · epss 0.04

    In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

  • CVE-2022-30966 · May 17, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2021-23266 · May 16, 2022
    risk 0.00 · cvss · epss 0.01

    An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.

  • CVE-2021-45848 · Mar 15, 2022
    risk 0.00 · cvss · epss 0.02

    Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.

  • CVE-2022-23620 · Feb 9, 2022
    risk 0.00 · cvss · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing it on filesystem, it is possible…

  • CVE-2021-40694 · Jan 21, 2022
    risk 0.00 · cvss · epss 0.01

    Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

  • CVE-2021-42250 · Nov 17, 2021
    risk 0.00 · cvss · epss 0.02

    Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.

  • CVE-2021-41232 · Nov 2, 2021
    risk 0.00 · cvss · epss 0.01

    Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been…

  • CVE-2021-41132 · Oct 14, 2021
    risk 0.00 · cvss · epss 0.01

    OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of `jQuery.html()`, there are a whole host of cross-site…

  • CVE-2021-21684 · Oct 6, 2021
    risk 0.00 · cvss · epss 0.01

    Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.