Common Weakness Enumeration

CWE-116

Allowed-with-Review

Improper Encoding or Escaping of Output

Abstraction: Class · Status: Draft

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

613 vulnerabilities reference this CWE, most recent first.

GHSA-33C7-2MPW-HG34

Vulnerability from github – Published: 2020-07-29 18:07 – Updated: 2024-11-18 22:32
VLAI
Summary
Log injection in uvicorn
Details

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "uvicorn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-29T17:37:27Z",
    "nvd_published_at": "2020-07-27T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it\u0027s been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn\u0027s access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that\u0027s displaying the logs (either in real time or from a file).",
  "id": "GHSA-33c7-2mpw-hg34",
  "modified": "2024-11-18T22:32:53Z",
  "published": "2020-07-29T18:07:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/uvicorn/issues/723"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/encode/uvicorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/uvicorn/PYSEC-2020-150.yaml"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-UVICORN-575560"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Log injection in uvicorn"
}

GHSA-33GV-FC78-QGF5

Vulnerability from github – Published: 2026-05-05 20:31 – Updated: 2026-05-13 16:24
VLAI
Summary
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
Details

Description: Stored (second-order) Cross-Site Scripting (XSS) occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component — often one that implicitly trusts the stored data. Because the dangerous sink is typically a privileged administrative interface, the payload executes in the browser of a high-value user (such as an administrator) and inherits their authenticated session. This class of issue is especially severe when the entry point is an HTTP header on an unauthenticated endpoint, since the attack surface extends to any anonymous attacker on the internet with no prerequisites.

Issue Details: The application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column whenever an event (e.g., an unhandled exception) is logged. The admin event-log page (YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs) later deserializes that JSON in FormatStackTrace() and interpolates the UserAgent value directly into an HTML string with no encoding, and the Razor view EventLog.cshtml emits the result through @Html.Raw. Critically, the attacker does not need to be authenticated: the unauthenticated endpoint GET /api/Attachments/GetAttachment?attachmentId=2147483647 reliably triggers a server-side exception that is written to dbo.EventLog together with the attacker-controlled User-Agent. A single anonymous request such as curl -A "<img src=x onerror=alert('XSS')>" "http://<target>/api/Attachments/GetAttachment?attachmentId=2147483647" is sufficient to persist the payload, and when an administrator later visits /Admin/EventLog the malicious markup is rendered as live HTML in the admin's authenticated session.

Impact: An entirely unauthenticated attacker, with no account, no CSRF token, and no prior access, can stage JavaScript that will execute in an administrator's browser the next time the Event Log is viewed. Because the script runs in the admin's authenticated origin, it can perform any action the admin can: creating new administrative accounts, modifying site-wide settings, exfiltrating user data through admin-only endpoints. This effectively converts a single anonymous HTTP request into a full forum-takeover primitive, and the lack of any authentication requirement makes it exploitable at internet scale, including by automated scanners.

Likelihood: Exploitation requires only the ability to send a single HTTP request to a public, unauthenticated endpoint, which any anonymous attacker on the internet can do. Administrators routinely review the Event Log as part of normal operations, so payload delivery is highly probable with negligible attacker effort, making the overall likelihood very high.

Steps to Reproduce: - From an unauthenticated session (no cookies, no tokens), send the following request with a malicious User-Agent header: - curl.exe -sS -A "<img src=x onerror=alert('XSS')>" "http://yetanotherforum.internal:8080/api/Attachments/GetAttachment?attachmentId=2147483647" - Confirm the server returns an error response and that a row has been written to dbo.EventLog containing the attacker-controlled UserAgent value inside the JSON Description. - As an administrator (e.g., Superuser), navigate to /Admin/EventLog. - Observe that the rendered page contains the raw <img src=x onerror="alert('XSS')"> element inside the event's badge block, and that the onerror handler executes in the admin's authenticated session, confirming cross-session, cross-privilege script execution from an unauthenticated source.

image

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.4"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "YAFNET.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-beta01"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.11"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "YAFNET.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:31:36Z",
    "nvd_published_at": "2026-05-12T15:16:15Z",
    "severity": "HIGH"
  },
  "details": "**Description:**\nStored (second-order) Cross-Site Scripting (XSS) occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component \u2014 often one that implicitly trusts the stored data. Because the dangerous sink is typically a privileged administrative interface, the payload executes in the browser of a high-value user (such as an administrator) and inherits their authenticated session. This class of issue is especially severe when the entry point is an HTTP header on an unauthenticated endpoint, since the attack surface extends to any anonymous attacker on the internet with no prerequisites.\n\n**Issue Details:**\nThe application\u0027s database logger (`YAFNET.Core/Logger/DbLogger.cs`) captures the incoming request\u0027s `User-Agent` header into a `JObject`, serializes it with `JsonConvert`, and stores the result in the `EventLog.Description` column whenever an event (e.g., an unhandled exception) is logged. The admin event-log page (`YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs`) later deserializes that JSON in `FormatStackTrace()` and interpolates the `UserAgent` value directly into an HTML string with no encoding, and the Razor view `EventLog.cshtml` emits the result through `@Html.Raw`. Critically, the attacker does not need to be authenticated: the unauthenticated endpoint `GET /api/Attachments/GetAttachment?attachmentId=2147483647` reliably triggers a server-side exception that is written to `dbo.EventLog` together with the attacker-controlled `User-Agent`. A single anonymous request such as `curl -A \"\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e\" \"http://\u003ctarget\u003e/api/Attachments/GetAttachment?attachmentId=2147483647\"` is sufficient to persist the payload, and when an administrator later visits `/Admin/EventLog` the malicious markup is rendered as live HTML in the admin\u0027s authenticated session.\n\n**Impact:**\nAn entirely unauthenticated attacker, with no account, no CSRF token, and no prior access, can stage JavaScript that will execute in an administrator\u0027s browser the next time the Event Log is viewed. Because the script runs in the admin\u0027s authenticated origin, it can perform any action the admin can: creating new administrative accounts, modifying site-wide settings, exfiltrating user data through admin-only endpoints. This effectively converts a single anonymous HTTP request into a full forum-takeover primitive, and the lack of any authentication requirement makes it exploitable at internet scale, including by automated scanners.\n\n**Likelihood:**\nExploitation requires only the ability to send a single HTTP request to a public, unauthenticated endpoint, which any anonymous attacker on the internet can do. Administrators routinely review the Event Log as part of normal operations, so payload delivery is highly probable with negligible attacker effort, making the overall likelihood very high.\n\n**Steps to Reproduce:**\n- From an unauthenticated session (no cookies, no tokens), send the following request with a malicious `User-Agent` header:\n  - `curl.exe -sS -A \"\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e\" \"http://yetanotherforum.internal:8080/api/Attachments/GetAttachment?attachmentId=2147483647\"`\n- Confirm the server returns an error response and that a row has been written to `dbo.EventLog` containing the attacker-controlled `UserAgent` value inside the JSON `Description`.\n- As an administrator (e.g., `Superuser`), navigate to `/Admin/EventLog`.\n- Observe that the rendered page contains the raw `\u003cimg src=x onerror=\"alert(\u0027XSS\u0027)\"\u003e` element inside the event\u0027s badge block, and that the `onerror` handler executes in the admin\u0027s authenticated session, confirming cross-session, cross-privilege script execution from an unauthenticated source.\n\n\u003cimg width=\"1193\" height=\"809\" alt=\"image\" src=\"https://github.com/user-attachments/assets/70c59ef2-8d31-435b-9a9d-338f753e58f8\" /\u003e",
  "id": "GHSA-33gv-fc78-qgf5",
  "modified": "2026-05-13T16:24:19Z",
  "published": "2026-05-05T20:31:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-33gv-fc78-qgf5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43938"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/YAFNET/YAFNET"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/releases/tag/v3.2.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/releases/tag/v4.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header"
}

GHSA-364C-VVQX-446C

Vulnerability from github – Published: 2023-09-20 06:30 – Updated: 2024-05-21 18:15
VLAI
Summary
Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device
Details

An issue was discovered in Croc before 9.6.16. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/schollz/croc/v9"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.6.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T16:59:43Z",
    "nvd_published_at": "2023-09-20T06:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Croc before 9.6.16. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver. ",
  "id": "GHSA-364c-vvqx-446c",
  "modified": "2024-05-21T18:15:12Z",
  "published": "2023-09-20T06:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/schollz/croc/issues/595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/schollz/croc/pull/697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/schollz/croc/commit/3f12f75fae2e844c555ec01eeba0b8474938e93a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/schollz/croc"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2023/09/08/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/09/21/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Croc sender may place ANSI or CSI escape sequences in filename to attach receiver\u0027s terminal device"
}

GHSA-365W-7P77-9F2Q

Vulnerability from github – Published: 2025-12-18 06:30 – Updated: 2025-12-18 06:30
VLAI
Details

Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T05:15:52Z",
    "severity": "HIGH"
  },
  "details": "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer.",
  "id": "GHSA-365w-7p77-9f2q",
  "modified": "2025-12-18T06:30:13Z",
  "published": "2025-12-18T06:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68460"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571"
    },
    {
      "type": "WEB",
      "url": "https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36QH-35CM-5W2W

Vulnerability from github – Published: 2021-08-13 15:21 – Updated: 2022-02-08 21:08
VLAI
Summary
Authentication Bypass by Alternate Name in Apache Tomcat
Details

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0-M1"
            },
            {
              "fixed": "10.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0M1"
            },
            {
              "fixed": "9.0.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.65"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-30640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-287",
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-13T19:21:02Z",
    "nvd_published_at": "2021-07-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.",
  "id": "GHSA-36qh-35cm-5w2w",
  "modified": "2022-02-08T21:08:59Z",
  "published": "2021-08-13T15:21:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30640"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-34"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210827-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4952"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4986"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication Bypass by Alternate Name in Apache Tomcat"
}

GHSA-377H-VGG5-642Q

Vulnerability from github – Published: 2023-07-11 03:30 – Updated: 2024-04-04 05:54
VLAI
Details

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-644"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-11T03:15:10Z",
    "severity": "HIGH"
  },
  "details": "SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application.\n\n",
  "id": "GHSA-377h-vgg5-642q",
  "modified": "2024-04-04T05:54:43Z",
  "published": "2023-07-11T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36921"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3348145"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37XX-H5FJ-HM7P

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-05T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317.",
  "id": "GHSA-37xx-h5fj-hm7p",
  "modified": "2022-05-24T17:33:14Z",
  "published": "2022-05-24T17:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24849"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/harsh-bothra/f899045b16bbba264628d79d52c07c22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xtr4nge/FruityWifi"
    },
    {
      "type": "WEB",
      "url": "http://fruitywifi.com/index_eng.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-38W4-Q97C-XH4X

Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-06-01 21:14
VLAI
Summary
Cross-site Scripting in Jenkins Random String Parameter Plugin
Details

Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:random-string-parameter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-30966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-01T21:14:21Z",
    "nvd_published_at": "2022-05-17T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.",
  "id": "GHSA-38w4-q97c-xh4x",
  "modified": "2022-06-01T21:14:21Z",
  "published": "2022-05-18T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30966"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/random-string-parameter-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting in Jenkins Random String Parameter Plugin"
}

GHSA-38X9-25WX-7FG2

Vulnerability from github – Published: 2026-06-18 14:24 – Updated: 2026-06-18 14:24
VLAI
Summary
Heimdall: IP Spoofing via Unvalidated Forwarding Headers
Details

Summary

When the trusted_proxies option is configured, heimdall extracts client IP addresses from the Forwarded (for= parameter) and X-Forwarded-For headers and exposes them as Request.ClientIPAddresses to the rule pipeline. However, extracted values are not validated to be syntactically valid IP addresses. Arbitrary strings, malformed IP literals, and RFC 7239 unknown values and obfuscated identifiers are accepted without further checks. In addition, the Forwarded header parser splits on , and ; without accounting for RFC 7239 quoted strings, which can cause a single quoted value to be parsed as multiple entries, with fragments — including trailing quote characters — treated as independent addresses.

Impact

Request.ClientIPAddresses is available to all pipeline mechanisms. Its contents can therefore influence rule evaluation in deployments where rules reference this property — for example, in a CEL authorizer that checks whether a request originates from a trusted IP range using the networks() function, or in a Remote authorizer that forwards the client IP as part of its payload to an external authorization system. Whether and how Request.ClientIPAddresses is used is entirely determined by the rule configuration.

Additionally, in proxy mode, Request.ClientIPAddresses is used directly to construct the X-Forwarded-For and Forwarded headers forwarded to upstream services. Injected or malformed values are therefore propagated to upstream services unchanged.

Attack Scenarios

All scenarios require that trusted_proxies is configured. If this option is not set, heimdall ignores forwarding headers entirely, and this vulnerability is not exploitable. Scenarios A and C (see below) additionally require that rules reference Request.ClientIPAddresses in their pipeline.

Scenario A – Manipulation of rule evaluation

An attacker who can influence forwarding headers — either by connecting directly to heimdall or through a proxy that does not sanitize these headers — can inject arbitrary values into Request.ClientIPAddresses. In deployments where a rule references this property (e.g. to restrict access to specific IP ranges), this may allow an attacker to bypass the intended access control logic.

Scenario B – IP spoofing against upstream services (proxy mode)

In proxy mode, injected or malformed values in Request.ClientIPAddresses are written unchanged into the X-Forwarded-For header sent to upstream services. Upstream services that trust this header may therefore receive and act on attacker-controlled IP values.

Scenario C – Malformed entries via quoted-string misparse

A Forwarded header containing a quoted value with embedded delimiters (, or ;) is misparsed, producing unintended additional entries in Request.ClientIPAddresses, including malformed fragments with trailing quote characters.

Workarounds

  • Ensure at the network level that only trusted proxies can communicate directly with heimdall.
  • Ensure that the proxy forwarding the requests to heimdall sanitizes or overrides (not merely appends to) Forwarded or X-Forwarded-For headers before forwarding them.
  • Avoid relying on Request.ClientIPAddresses for security-sensitive decisions until patched
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.17.16"
      },
      "package": {
        "ecosystem": "Go",
        "name": "https://github.com/dadrus/heimdall"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-20",
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:24:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen the `trusted_proxies` option is configured, heimdall extracts client IP addresses from the `Forwarded` (`for=` parameter) and `X-Forwarded-For` headers and exposes them as `Request.ClientIPAddresses` to the rule pipeline. However, extracted values are not validated to be syntactically valid IP addresses. Arbitrary strings, malformed IP literals, and RFC 7239 `unknown` values and obfuscated identifiers are accepted without further checks.\nIn addition, the `Forwarded` header parser splits on `,` and `;` without accounting for RFC 7239 quoted strings, which can cause a single quoted value to be parsed as multiple entries, with fragments \u2014 including trailing quote characters \u2014 treated as independent addresses.\n\n### Impact\n\n`Request.ClientIPAddresses` is available to all pipeline mechanisms. Its contents can therefore influence rule evaluation in deployments where rules reference this property \u2014 for example, in a `CEL` authorizer that checks whether a request originates from a trusted IP range using the `networks()` function, or in a `Remote` authorizer that forwards the client IP as part of its payload to an external authorization system. Whether and how `Request.ClientIPAddresses` is used is entirely determined by the rule configuration.\n\nAdditionally, in proxy mode, `Request.ClientIPAddresses` is used directly to construct the `X-Forwarded-For` and `Forwarded` headers forwarded to upstream services. Injected or malformed values are therefore propagated to upstream services unchanged.\n\n### Attack Scenarios\n\nAll scenarios require that `trusted_proxies` is configured. If this option is not set, heimdall ignores forwarding headers entirely, and this vulnerability is not exploitable. Scenarios A and C  (see below) additionally require that rules reference `Request.ClientIPAddresses` in their pipeline.\n\n#### Scenario A \u2013 Manipulation of rule evaluation\n\nAn attacker who can influence forwarding headers \u2014 either by connecting directly to heimdall or through a proxy that does not sanitize these headers \u2014 can inject arbitrary values into `Request.ClientIPAddresses`. In deployments where a rule references this property (e.g. to restrict access to specific IP ranges), this may allow an attacker to bypass the intended access control logic.\n\n#### Scenario B \u2013 IP spoofing against upstream services (proxy mode)\n\nIn proxy mode, injected or malformed values in `Request.ClientIPAddresses` are written unchanged into the `X-Forwarded-For` header sent to upstream services. Upstream services that trust this header may therefore receive and act on attacker-controlled IP values.\n\n#### Scenario C \u2013 Malformed entries via quoted-string misparse\n\nA `Forwarded` header containing a quoted value with embedded delimiters (`,` or `;`) is misparsed, producing unintended additional entries in `Request.ClientIPAddresses`, including malformed fragments with trailing quote characters.\n\n### Workarounds\n\n* Ensure at the network level that only trusted proxies can communicate directly with heimdall.\n* Ensure that the proxy forwarding the requests to heimdall sanitizes or overrides (not merely appends to) `Forwarded` or `X-Forwarded-For` headers before forwarding them.\n* Avoid relying on `Request.ClientIPAddresses` for security-sensitive decisions until patched",
  "id": "GHSA-38x9-25wx-7fg2",
  "modified": "2026-06-18T14:24:37Z",
  "published": "2026-06-18T14:24:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-38x9-25wx-7fg2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dadrus/heimdall"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Heimdall: IP Spoofing via Unvalidated Forwarding Headers"
}

GHSA-393G-7274-4JMV

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-23T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection.",
  "id": "GHSA-393g-7274-4jmv",
  "modified": "2022-05-24T19:11:58Z",
  "published": "2022-05-24T19:11:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39367"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IthacaLabs/Canon/tree/main/OCE_Print_Exec_Workgroup_Version_1_3_2/HHI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-4.3
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Architecture and Design Implementation

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

Mitigation
Architecture and Design

In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.

Mitigation
Architecture and Design

Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).

Mitigation
Requirements

Fully specify which encodings are required by components that will be communicating with each other.

Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.