CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ClassIncompleteLikelihood: High

Description

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Hierarchy (View 1000)

Parents

CWE-707

Children

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-105 · CAPEC-108 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-14 · CAPEC-24 · CAPEC-250 · CAPEC-267 · CAPEC-273 · CAPEC-28 · CAPEC-3 · CAPEC-34 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-51 · CAPEC-52 · CAPEC-53 · CAPEC-6 · CAPEC-64 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-76 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-83 · CAPEC-84 · CAPEC-9

CVEs mapped to this weakness (3,064)

page 143 of 154

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2022-45048	—	—	0.00	May 5, 2023	Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
CVE-2022-45801	Apache Incubator Streampark	—	0.01	May 1, 2023	Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP…
CVE-2023-30609	Matrix Org Matrix React SDK	—	0.01	Apr 25, 2023	matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a…
CVE-2023-22621	Strapi Strapi	—	0.91	Apr 19, 2023	Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email…
CVE-2023-29516	Cryptpad Xwiki Platform	—	0.27	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The…
CVE-2023-29514	Cryptpad Xwiki Platform	—	0.30	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has…
CVE-2023-29512	Cryptpad Xwiki Platform	—	0.29	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki…
CVE-2023-29510	Cryptpad Xwiki Platform	—	0.30	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included…
CVE-2023-29522	Cryptpad Xwiki Platform	—	0.36	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access…
CVE-2023-29521	Cryptpad Xwiki Platform	—	0.15	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping…
CVE-2023-29519	Cryptpad Xwiki Platform	—	0.05	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a…
CVE-2023-29518	Cryptpad Xwiki Platform	—	0.29	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping…
CVE-2023-29523	Cryptpad Xwiki Platform	—	0.11	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted…
CVE-2023-29525	Cryptpad Xwiki Platform	—	0.54	Apr 18, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint.…
CVE-2023-30547	Patriksimek Vm2	—	0.84	Apr 17, 2023	vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used…
CVE-2023-29213	Cryptpad Xwiki Platform	—	0.04	Apr 17, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of `org.xwiki.platform:xwiki-platform-logging-ui` it is possible to trick a user with programming rights into visiting a constructed url where e.g., by…
CVE-2023-29374	Langchain AI Langchain	—	0.04	Apr 5, 2023	In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.
CVE-2023-26119	Htmlunit Htmlunit	—	0.04	Apr 3, 2023	Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.
CVE-2023-25617	SAP Business Object (Adaptive Job Server)	—	0.02	Mar 14, 2023	SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom…
CVE-2023-27479	Cryptpad Xwiki Platform	—	0.15	Mar 7, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause…

CVE-2022-45048May 5, 2023
risk 0.00cvss —epss 0.00
Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
CVE-2022-45801May 1, 2023
Apache
Incubator Streampark
risk 0.00cvss —epss 0.01
Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP…
CVE-2023-30609Apr 25, 2023
Matrix Org
Matrix React SDK
risk 0.00cvss —epss 0.01
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a…
CVE-2023-22621Apr 19, 2023
Strapi
Strapi
risk 0.00cvss —epss 0.91
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email…
CVE-2023-29516Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.27
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The…
CVE-2023-29514Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.30
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has…
CVE-2023-29512Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.29
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki…
CVE-2023-29510Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.30
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included…
CVE-2023-29522Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.36
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access…
CVE-2023-29521Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.15
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping…
CVE-2023-29519Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.05
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a…
CVE-2023-29518Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.29
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping…
CVE-2023-29523Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.11
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted…
CVE-2023-29525Apr 18, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.54
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint.…
CVE-2023-30547Apr 17, 2023
Patriksimek
Vm2
risk 0.00cvss —epss 0.84
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used…
CVE-2023-29213Apr 17, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.04
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of `org.xwiki.platform:xwiki-platform-logging-ui` it is possible to trick a user with programming rights into visiting a constructed url where e.g., by…
CVE-2023-29374Apr 5, 2023
Langchain AI
Langchain
risk 0.00cvss —epss 0.04
In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.
CVE-2023-26119Apr 3, 2023
Htmlunit
Htmlunit
risk 0.00cvss —epss 0.04
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.
CVE-2023-25617Mar 14, 2023
SAP
Business Object (Adaptive Job Server)
risk 0.00cvss —epss 0.02
SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom…
CVE-2023-27479Mar 7, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.15
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause…