VYPR

CWE-116

Improper Encoding or Escaping of Output

Abstraction: Class · Status: Draft · Likelihood: High

Description

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-104 · CAPEC-73 · CAPEC-81 · CAPEC-85

CVEs mapped to this weakness (216)

page 9 of 11
  • CVE-2024-0690 (Feb 6, 2024)
    risk 0.00 · cvss · epss 0.00

    An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive…

  • CVE-2024-22199 (Jan 11, 2024)
    risk 0.00 · cvss · epss 0.00

    This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the…

  • CVE-2023-5968 (Nov 6, 2023)
    risk 0.00 · cvss · epss 0.01

    Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 

  • CVE-2023-45135 (Oct 25, 2023)
    risk 0.00 · cvss · epss 0.02

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and…

  • CVE-2023-5654 (Oct 19, 2023)
    risk 0.00 · cvss · epss 0.00

    The React Developer Tools extension registers a message listener with window.addEventListener('message', ) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received…

  • CVE-2022-4137 (Sep 25, 2023)
    risk 0.00 · cvss · epss 0.01

    A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a…

  • CVE-2023-43620 (Sep 20, 2023)
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

  • CVE-2023-3481 (Aug 21, 2023)
    risk 0.00 · cvss · epss 0.00

    Critters versions 0.0.17-0.0.19 have an issue when parsing the HTML, which leads to a potential cross-site scripting (XSS) bug. We recommend upgrading to version 0.0.20 of the extension. 

  • CVE-2023-40014 (Aug 10, 2023)
    risk 0.00 · cvss · epss 0.01

    OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the…

  • CVE-2023-39527 (Aug 7, 2023)
    risk 0.00 · cvss · epss 0.00

    PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

  • CVE-2023-34036 (Jul 17, 2023)
    risk 0.00 · cvss · epss 0.00

    Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and…

  • CVE-2023-3668 (Jul 14, 2023)
    risk 0.00 · cvss · epss 0.01

    Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21.

  • CVE-2023-3552 (Jul 8, 2023)
    risk 0.00 · cvss · epss 0.00

    Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

  • CVE-2023-3190 (Jun 10, 2023)
    risk 0.00 · cvss · epss 0.01

    Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

  • CVE-2023-32071 (May 9, 2023)
    risk 0.00 · cvss · epss 0.71

    XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an…

  • CVE-2023-30844 (May 8, 2023)
    risk 0.00 · cvss · epss 0.01

    Mutagen provides real-time file synchronization and flexible network forwarding for developers. Prior to versions 0.16.6 and 0.17.1 in `mutagen` and prior to version 0.17.1 in `mutagen-compose`, Mutagen `list` and `monitor` commands are susceptible to control characters that…

  • CVE-2023-26472 (Mar 2, 2023)
    risk 0.00 · cvss · epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for…

  • CVE-2022-45143 (Jan 3, 2023)
    risk 0.00 · cvss · epss 0.03

    The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that…

  • CVE-2020-36567 (Dec 27, 2022)
    risk 0.00 · cvss · epss 0.01

    Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.

  • CVE-2022-41934 (Nov 23, 2022)
    risk 0.00 · cvss · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to…