CWE-116
Improper Encoding or Escaping of Output
Description
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-104 · CAPEC-73 · CAPEC-81 · CAPEC-85
CVEs mapped to this weakness (216)
page 11 of 11| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-39170 | 0.00 | — | 0.01 | Sep 1, 2021 | Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch… | |||
| CVE-2021-32796 | 0.00 | — | 0.01 | Jul 27, 2021 | xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected… | |||
| CVE-2021-30640 | — | 0.00 | — | 0.10 | Jul 12, 2021 | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to… | ||
| CVE-2021-20195 | 0.00 | — | 0.01 | May 28, 2021 | A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from… | |||
| CVE-2020-26283 | 0.00 | — | 0.01 | Mar 24, 2021 | go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user… | |||
| CVE-2020-13654 | — | 0.00 | — | 0.02 | Dec 31, 2020 | XWiki Platform before 12.8 mishandles escaping in the property displayer. | ||
| CVE-2020-26226 | 0.00 | — | 0.01 | Nov 18, 2020 | In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded… | |||
| CVE-2020-14330 | 0.00 | — | 0.01 | Sep 11, 2020 | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other… | |||
| CVE-2020-7694 | — | 0.00 | — | 0.01 | Jul 27, 2020 | This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When… | ||
| CVE-2017-18892 | — | 0.00 | — | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized. | ||
| CVE-2020-13625 | — | 0.00 | — | 0.04 | Jun 8, 2020 | PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message. | ||
| CVE-2020-10960 | — | 0.00 | — | 0.01 | Apr 3, 2020 | In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows… | ||
| CVE-2019-19714 | — | 0.00 | — | 0.01 | Dec 17, 2019 | Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered. | ||
| CVE-2019-11325 | — | 0.00 | — | 0.03 | Nov 21, 2019 | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. | ||
| CVE-2019-12463 | — | 0.00 | — | 0.01 | Sep 9, 2019 | An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with… | ||
| CVE-2019-10362 | 0.00 | — | 0.01 | Jul 31, 2019 | Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables. |
- CVE-2021-39170Sep 1, 2021risk 0.00cvss —epss 0.01
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch…
- CVE-2021-32796Jul 27, 2021risk 0.00cvss —epss 0.01
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected…
- CVE-2021-30640Jul 12, 2021risk 0.00cvss —epss 0.10
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to…
- CVE-2021-20195May 28, 2021risk 0.00cvss —epss 0.01
A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from…
- CVE-2020-26283Mar 24, 2021risk 0.00cvss —epss 0.01
go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user…
- CVE-2020-13654Dec 31, 2020risk 0.00cvss —epss 0.02
XWiki Platform before 12.8 mishandles escaping in the property displayer.
- CVE-2020-26226Nov 18, 2020risk 0.00cvss —epss 0.01
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded…
- CVE-2020-14330Sep 11, 2020risk 0.00cvss —epss 0.01
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other…
- CVE-2020-7694Jul 27, 2020risk 0.00cvss —epss 0.01
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When…
- CVE-2017-18892Jun 19, 2020risk 0.00cvss —epss 0.01
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
- CVE-2020-13625Jun 8, 2020risk 0.00cvss —epss 0.04
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
- CVE-2020-10960Apr 3, 2020risk 0.00cvss —epss 0.01
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows…
- CVE-2019-19714Dec 17, 2019risk 0.00cvss —epss 0.01
Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.
- CVE-2019-11325Nov 21, 2019risk 0.00cvss —epss 0.03
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
- CVE-2019-12463Sep 9, 2019risk 0.00cvss —epss 0.01
An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with…
- CVE-2019-10362Jul 31, 2019risk 0.00cvss —epss 0.01
Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.