CWE-134
Use of Externally-Controlled Format String
Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-135 · CAPEC-67
CVEs mapped to this weakness (252)
Page 2 of 13

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2017-16602 | High | 0.57 | 8.8 | 0.03 | Jan 23, 2018 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.… |
| CVE-2014-8170 | High | 0.57 | 8.8 | 0.04 | Sep 26, 2017 | ovirt_safe_delete_config in ovirtfunctions.py and other unspecified locations in ovirt-node 3.0.0-474-gb852fd7 as packaged in Red Hat Enterprise Virtualization 3 do not properly quote input strings, which allows remote authenticated users and physically proximate attackers to… |
| CVE-2017-12702 | High | 0.57 | 8.8 | 0.02 | Aug 30, 2017 | An Externally Controlled Format String issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. String format specifiers based on user provided input are not properly validated, which could allow an attacker to execute arbitrary code. |
| CVE-2016-5716 | High | 0.57 | 8.8 | 0.02 | Aug 9, 2017 | The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node. |
| CVE-2017-2403 | High | 0.57 | 8.8 | 0.03 | Apr 2, 2017 | An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "Printing" component. A format-string vulnerability allows remote attackers to execute arbitrary code via a crafted ipp: or ipps: URL. |
| CVE-2018-1566 | High | 0.55 | 8.4 | 0.00 | Jul 10, 2018 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to execute arbitrary code due to a format string error. IBM X-Force ID: 143023. |
| CVE-2026-6250 | High | 0.53 | 8.1 | 0.00 | Jun 11, 2026 | An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data… |
| CVE-2018-6508 | High | 0.52 | 8.0 | 0.02 | Feb 9, 2018 | Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are… |
| CVE-2018-17336 | High | 0.51 | 7.8 | 0.01 | Sep 22, 2018 | UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as… |
| CVE-2018-16554 | High | 0.51 | 7.8 | 0.02 | Sep 16, 2018 | The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT… |
| CVE-2015-8107 | High | 0.51 | 7.8 | 0.03 | Apr 13, 2017 | Format string vulnerability in GNU a2ps 4.14 allows remote attackers to execute arbitrary code. |
| CVE-2017-5613 | High | 0.51 | 7.8 | 0.03 | Mar 3, 2017 | Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file. |
| CVE-2015-8106 | High | 0.51 | 7.8 | 0.04 | Apr 18, 2016 | Format string vulnerability in the CmdKeywords function in funct1.c in latex2rtf before 2.3.10 allows remote attackers to execute arbitrary code via format string specifiers in the \keywords command in a crafted TeX file. |
| CVE-2026-22190 | High | 0.49 | 7.5 | 0.00 | Jan 7, 2026 | The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker… |
| CVE-2018-8778 | High | 0.49 | 7.5 | 0.08 | Apr 3, 2018 | In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and… |
| CVE-2018-6875 | High | 0.49 | 7.5 | 0.01 | Mar 14, 2018 | Format String vulnerability in KeepKey version 4.0.0 allows attackers to trigger information display (of information that should not be accessible), related to text containing characters that the device's font lacks. |
| CVE-2018-5207 | High | 0.49 | 7.5 | 0.02 | Jan 6, 2018 | When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string. |
| CVE-2018-5205 | High | 0.49 | 7.5 | 0.02 | Jan 6, 2018 | When using incomplete escape codes, Irssi before 1.0.6 may access data beyond the end of the string. |
| CVE-2017-15191 | High | 0.49 | 7.5 | 0.03 | Oct 10, 2017 | In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length. |
| CVE-2017-9212 | High | 0.49 | 7.5 | 0.01 | May 23, 2017 | The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the CD/Multimedia software via %x or %c format string specifiers in a device name. |