CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
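The definition is abstract, so here it is made concrete with HTTP response splitting, the CRLF-injection form of this weakness that several entries on this page describe. This is an added example, not code from the CWE entry or from any product listed below: a redirect target taken from the request is written into a Location header, and a minimal HTTP/1.1 response parser stands in for the downstream component that interprets the bytes differently once a CR/LF is present. The builder, parser, check and payload names are all constructed for this illustration.

```javascript
// Added example (not from the CWE page or any listed project): one untrusted
// value written into a response header two ways, then fed to a tiny HTTP/1.1
// response parser standing in for the downstream component.
// buildResponseUnsafe, buildResponseSafe, assertHeaderValue, parseResponse
// and PAYLOAD are constructed for this illustration.

const CRLF = '\r\n';

// Vulnerable: the header value is concatenated straight into the raw response.
// A CR/LF inside it terminates the Location header early, so everything after
// it is parsed as further headers or, after a blank line, as the body.
function buildResponseUnsafe(location) {
  return [
    'HTTP/1.1 302 Found',
    'Location: ' + location,
    'Content-Length: 0',
    '', '',
  ].join(CRLF);
}

// Hardened: refuse any value containing the special elements of the header
// grammar (CR, LF, NUL). Rejecting beats stripping, because a stripped value
// may silently turn into a different, still attacker-chosen, URL.
function assertHeaderValue(value) {
  if (/[\r\n\0]/.test(value)) {
    throw new Error('header value contains CR/LF/NUL');
  }
  return value;
}

function buildResponseSafe(location) {
  return buildResponseUnsafe(assertHeaderValue(location));
}

// Minimal downstream parser: status line, header map, then a body of
// Content-Length bytes. Real clients behave the same way in outline.
function parseResponse(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const rest = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split(CRLF);
  const status = lines.shift();
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const len = Number(headers['content-length'] || 0);
  return { status, headers, body: rest.slice(0, len) };
}

// Constructed attacker input: a redirect target that smuggles an extra header
// and a complete body after a blank line.
const PAYLOAD = '/home\r\nSet-Cookie: session=attacker\r\nContent-Length: 8\r\n\r\ninjected';

function demoResponseSplitting() {
  const split = parseResponse(buildResponseUnsafe(PAYLOAD));
  let blocked = false;
  try { buildResponseSafe(PAYLOAD); } catch (e) { blocked = true; }
  const benign = parseResponse(buildResponseSafe('/home'));
  return { split, blocked, benign };
}
```

In the unsafe path the parser reports a Set-Cookie header and the body "injected", neither of which the server meant to send; the safe path throws on the same input and passes a plain "/home" through unchanged. The same shape applies to every child of CWE-74: identify the special elements of the downstream grammar and neutralize them, or use an API that emits the downstream format structurally instead of by string concatenation.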
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-105 · CAPEC-108 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-14 · CAPEC-24 · CAPEC-250 · CAPEC-267 · CAPEC-273 · CAPEC-28 · CAPEC-3 · CAPEC-34 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-51 · CAPEC-52 · CAPEC-53 · CAPEC-6 · CAPEC-64 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-76 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-83 · CAPEC-84 · CAPEC-9
CVEs mapped to this weakness (3,064)
Page 151 of 154

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-6858 | — |  | 0.00 | — | 0.00 |  | Mar 12, 2020 | Hotels Styx through 1.0.0.beta8 allows HTTP response splitting due to CRLF Injection. This is exploitable if untrusted user input can appear in a response header. |
| CVE-2020-5203 | — |  | 0.00 | — | 0.01 |  | Mar 11, 2020 | In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code execution if developers choose to pass user controlled input (e.g., $_REQUEST, $_GET, or $_POST) to the framework's Clear method. |
| CVE-2020-5258 | — |  | 0.00 | — | 0.02 |  | Mar 10, 2020 | In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes… |
| CVE-2020-5249 | — |  | 0.00 | — | 0.01 |  | Mar 2, 2020 | In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body.… |
| CVE-2020-5245 | — |  | 0.00 | — | 0.06 |  | Feb 24, 2020 | Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been… |
| CVE-2014-4678 | — |  | 0.00 | — | 0.10 |  | Feb 20, 2020 | The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657. |
| CVE-2019-10793 | — |  | 0.00 | — | 0.00 |  | Feb 18, 2020 | dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. |
| CVE-2019-10792 | — |  | 0.00 | — | 0.00 |  | Feb 18, 2020 | bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. |
| CVE-2019-10795 | — |  | 0.00 | — | 0.00 |  | Feb 18, 2020 | undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. |
| CVE-2019-10794 | — |  | 0.00 | — | 0.00 |  | Feb 18, 2020 | All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. |
| CVE-2014-4967 | — |  | 0.00 | — | 0.03 |  | Feb 18, 2020 | Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing "… |
| CVE-2014-4966 | — |  | 0.00 | — | 0.04 |  | Feb 18, 2020 | Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. |
| CVE-2013-7381 | — |  | 0.00 | — | 0.02 |  | Feb 12, 2020 | libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify. |
| CVE-2013-7378 | — |  | 0.00 | — | 0.02 |  | Feb 12, 2020 | scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node.js allows remote attackers to execute arbitrary commands. |
| CVE-2015-3154 | — |  | 0.00 | — | 0.00 |  | Jan 27, 2020 | CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email. |
| CVE-2020-7596 | — |  | 0.00 | — | 0.01 |  | Jan 25, 2020 | Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument. |
| CVE-2014-4172 | — |  | 0.00 | — | 0.13 |  | Jan 24, 2020 | A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via… |
| CVE-2020-5219 | — |  | 0.00 | — | 0.00 |  | Jan 24, 2020 | Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser… |
| CVE-2013-4318 | — |  | 0.00 | — | 0.00 |  | Dec 26, 2019 | File injection vulnerability in Ruby gem Features 0.3.0 allows remote attackers to inject malicious html in the /tmp directory. |
| CVE-2019-19919 | — |  | 0.00 | — | 0.25 |  | Dec 20, 2019 | Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. |
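Several of the entries above (dot-object, bodymen, undefsafe, component-flatten) are prototype pollution through a `__proto__` key reaching a dotted-path setter, a second shape of the same weakness: the special element is a property name that the JavaScript object model interprets as a walk onto Object.prototype. The following is an added example, not code from any of those packages; setPathUnsafe, setPathSafe and demoPrototypePollution are constructed for this illustration.

```javascript
// Added example (not code from dot-object, undefsafe, bodymen, component-flatten
// or any other project on this page): a dotted-path setter of the shape those
// advisories describe, vulnerable and hardened. All names are constructed here.

// Vulnerable: walks the path, creating intermediate objects, with no check on
// key names. For "__proto__.isAdmin", node["__proto__"] is Object.prototype,
// so the final assignment lands on every object in the realm.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject the keys that can reach a prototype, and only ever descend
// through own properties so an inherited object is never used as a node.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error('refusing to set path through a prototype key: ' + path);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(node, keys[i]) || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

function demoPrototypePollution() {
  const before = ({}).isAdmin === undefined;
  // Constructed attacker path, e.g. a form field named "__proto__.isAdmin".
  setPathUnsafe({}, '__proto__.isAdmin', true);
  const polluted = ({}).isAdmin === true;   // an unrelated object now has isAdmin
  delete Object.prototype.isAdmin;           // clean up before the safe run
  let blocked = false;
  try { setPathSafe({}, '__proto__.isAdmin', true); } catch (e) { blocked = true; }
  const clean = ({}).isAdmin === undefined;
  const normal = setPathSafe({}, 'user.role', 'viewer');
  return { before, polluted, blocked, clean, normal };
}
```

The check on the path keys is the neutralization step; the own-property test closes the second route, where a path like "a.b" descends through a value the object inherits rather than owns. Parsing request bodies into prototype-less objects (Object.create(null)) or freezing Object.prototype at startup are defence-in-depth measures that do not remove the need for the check in the setter itself.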