Common Weakness Enumeration

CWE-116

Allowed-with-Review

Improper Encoding or Escaping of Output

Abstraction: Class · Status: Draft

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

612 vulnerabilities reference this CWE, most recent first.

GHSA-CPX5-2Q84-PRC5

Vulnerability from github – Published: 2025-12-11 09:31 – Updated: 2025-12-11 09:31
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to leak sensitive information from specifically crafted merge request titles.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T08:15:51Z",
    "severity": "LOW"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to leak sensitive information from specifically crafted merge request titles.",
  "id": "GHSA-cpx5-2q84-prc5",
  "modified": "2025-12-11T09:31:26Z",
  "published": "2025-12-11T09:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12734"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3379381"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/579573"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPXC-2W9F-G929

Vulnerability from github – Published: 2024-10-15 12:30 – Updated: 2025-08-22 09:30
VLAI
Details

An unauthenticated local attacker can gain admin privileges by deploying a config file due to improper input validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-20",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T11:15:11Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated local attacker can gain admin privileges by deploying a config file due to improper input validation.",
  "id": "GHSA-cpxc-2w9f-g929",
  "modified": "2025-08-22T09:30:41Z",
  "published": "2024-10-15T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45271"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2024-056"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2024-066"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-059.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CRMM-HGP2-WGRP

Vulnerability from github – Published: 2026-06-17 13:54 – Updated: 2026-06-17 13:54
VLAI
Summary
Laravel Framework: Temporary Signed URL Path Confusion
Details

A vulnerability in Laravel's local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement.

Under certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended at signing time. This may cause requests to resolve to an unintended resource, and can prevent expiration from being enforced, allowing expired URLs to remain valid indefinitely.

Impact

  • Expired temporary URLs may continue to be accepted
  • Requests may resolve to a different resource than the one that was signed
  • The upload variant may allow writes to reach an unintended destination
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.61.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T13:54:13Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A vulnerability in Laravel\u0027s local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement.\n\nUnder certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended at signing time. This may cause requests to resolve to an unintended resource, and can prevent expiration from being enforced, allowing expired URLs to remain valid indefinitely.\n\n### Impact\n- Expired temporary URLs may continue to be accepted\n- Requests may resolve to a different resource than the one that was signed\n- The upload variant may allow writes to reach an unintended destination",
  "id": "GHSA-crmm-hgp2-wgrp",
  "modified": "2026-06-17T13:54:13Z",
  "published": "2026-06-17T13:54:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/security/advisories/GHSA-crmm-hgp2-wgrp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/pull/60137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/pull/60230"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/pull/60350"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/laravel/framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Laravel Framework: Temporary Signed URL Path Confusion"
}

GHSA-CWV4-H3J5-W3CF

Vulnerability from github – Published: 2026-07-07 23:41 – Updated: 2026-07-07 23:41
VLAI
Summary
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
Details

Resolved: https://github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3

Summary

plabayo/rama contains a stored/reflected cross-site scripting issue in the ServeDir HTML directory listing feature.

When ServeDir is configured with DirectoryServeMode::HtmlFileList, file names and URI path components are inserted directly into generated HTML without HTML escaping. If an attacker can create or influence a file or directory name inside a served directory, they may inject HTML or JavaScript into the directory listing page.

This can execute script in the browser of any user who visits the affected directory listing.

Affected Repository

plabayo/rama

Affected Component

rama-http/src/service/fs/serve_dir/open_file.rs

Root Cause

The HTML directory listing is constructed using string formatting and inserts untrusted values directly into HTML.

The directory listing row includes the file or directory name in both the link text and the href attribute:

rows.push(format!(
    "<tr><td>{5} <a href=\"{1}{2}{0}\">{0}</a></td><td>{3}</td><td>{4}</td></tr>",
    entry.name,
    uri.path().trim_end_matches('/'),
    ...
));

The navigation breadcrumb also inserts URI path parts into generated HTML:

nav_parts.push(format!("<a href=\"{current_path}\">{part}</a>"));

The page title and heading also include the current URI path:

<title>Directory listing for .{0}</title>
<h1>Directory listing for .{0}</h1>

These values are not HTML-escaped before being embedded into the generated page.

Security Impact

If an application uses ServeDir with DirectoryServeMode::HtmlFileList, an attacker who can create or influence file names inside the served directory can inject HTML or JavaScript into the generated directory listing.

Possible impact includes:

  • Script execution in the browser of users viewing the directory listing
  • Session or token theft if the application uses cookies or browser-accessible credentials
  • UI redressing or phishing inside the application origin
  • Unauthorized actions within the same origin if the victim is authenticated
  • Security boundary impact if the directory listing is served under a trusted application domain

The attack requires the directory listing feature to be enabled and the attacker to control or influence at least one file or directory name in the served path.

Proof of Concept

This proof of concept uses a benign payload.

Create a directory with a file name containing HTML:

mkdir rama-xss-test
cd rama-xss-test
touch '"><img src=x onerror=alert(document.domain)>.txt'

Serve this directory with Rama using ServeDir and DirectoryServeMode::HtmlFileList.

Example intended configuration:

ServeDir::new("rama-xss-test")
    .with_directory_serve_mode(DirectoryServeMode::HtmlFileList)

Then visit the directory listing in a browser.

Expected behavior:

The file name should be displayed as text. Special characters such as <, >, ", and ' should be HTML-escaped.

Actual behavior:

The file name is inserted directly into the generated HTML. The browser interprets the injected HTML and executes the benign JavaScript payload.

Expected Behavior

All file names, directory names, URI path parts, and other untrusted values should be escaped before being inserted into HTML.

For example:

  • < should become &lt;
  • > should become &gt;
  • " should become &quot;
  • ' should become &#x27;
  • & should become &amp;

Untrusted values used inside HTML attributes should be escaped using an attribute-safe escaping function.

Actual Behavior

The directory listing is generated with format!() and inserts file names and path values directly into HTML without escaping.

Suggested Fix

Escape all untrusted values before inserting them into the generated HTML.

Recommended changes:

  1. HTML-escape entry.name before using it as link text.
  2. Attribute-escape values used inside href.
  3. HTML-escape URI path components used in breadcrumbs.
  4. HTML-escape the current path used in the page title and heading.
  5. Add regression tests with file names containing HTML metacharacters.

Example test payloads:

"><img src=x onerror=alert(1)>.txt
<script>alert(1)</script>.txt
a&b.txt
quote"test.txt
single'test.txt

The secure output should render these as text only and should not create executable HTML or JavaScript.

Suggested Severity

Medium.

Suggested CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Rationale:

  • The vulnerability is remotely reachable when an application exposes ServeDir directory listings.
  • Exploitation requires the attacker to create or influence a file or directory name in the served directory.
  • User interaction is required because a victim must view the affected directory listing.
  • The impact is browser-side script execution in the application origin.
  • Scope may change if the listing is served under a trusted authenticated application origin.

Additional Notes

This report is limited to the HTML directory listing generated by ServeDir when DirectoryServeMode::HtmlFileList is enabled.

This report is not claiming remote code execution on the server. The issue is browser-side cross-site scripting caused by unescaped file names and path values in generated HTML.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rama"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0-rc.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T23:41:12Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Resolved: https://github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3\n\n## Summary\n\n`plabayo/rama` contains a stored/reflected cross-site scripting issue in the `ServeDir` HTML directory listing feature.\n\nWhen `ServeDir` is configured with `DirectoryServeMode::HtmlFileList`, file names and URI path components are inserted directly into generated HTML without HTML escaping. If an attacker can create or influence a file or directory name inside a served directory, they may inject HTML or JavaScript into the directory listing page.\n\nThis can execute script in the browser of any user who visits the affected directory listing.\n\n## Affected Repository\n\n`plabayo/rama`\n\n## Affected Component\n\n`rama-http/src/service/fs/serve_dir/open_file.rs`\n\n## Root Cause\n\nThe HTML directory listing is constructed using string formatting and inserts untrusted values directly into HTML.\n\nThe directory listing row includes the file or directory name in both the link text and the `href` attribute:\n\n    rows.push(format!(\n        \"\u003ctr\u003e\u003ctd\u003e{5} \u003ca href=\\\"{1}{2}{0}\\\"\u003e{0}\u003c/a\u003e\u003c/td\u003e\u003ctd\u003e{3}\u003c/td\u003e\u003ctd\u003e{4}\u003c/td\u003e\u003c/tr\u003e\",\n        entry.name,\n        uri.path().trim_end_matches(\u0027/\u0027),\n        ...\n    ));\n\nThe navigation breadcrumb also inserts URI path parts into generated HTML:\n\n    nav_parts.push(format!(\"\u003ca href=\\\"{current_path}\\\"\u003e{part}\u003c/a\u003e\"));\n\nThe page title and heading also include the current URI path:\n\n    \u003ctitle\u003eDirectory listing for .{0}\u003c/title\u003e\n    \u003ch1\u003eDirectory listing for .{0}\u003c/h1\u003e\n\nThese values are not HTML-escaped before being embedded into the generated page.\n\n## Security Impact\n\nIf an application uses `ServeDir` with `DirectoryServeMode::HtmlFileList`, an attacker who can create or influence file names inside the served directory can inject HTML or JavaScript into the generated directory listing.\n\nPossible impact includes:\n\n- Script execution in the browser of users viewing the directory listing\n- Session or token theft if the application uses cookies or browser-accessible credentials\n- UI redressing or phishing inside the application origin\n- Unauthorized actions within the same origin if the victim is authenticated\n- Security boundary impact if the directory listing is served under a trusted application domain\n\nThe attack requires the directory listing feature to be enabled and the attacker to control or influence at least one file or directory name in the served path.\n\n## Proof of Concept\n\nThis proof of concept uses a benign payload.\n\nCreate a directory with a file name containing HTML:\n\n    mkdir rama-xss-test\n    cd rama-xss-test\n    touch \u0027\"\u003e\u003cimg src=x onerror=alert(document.domain)\u003e.txt\u0027\n\nServe this directory with Rama using `ServeDir` and `DirectoryServeMode::HtmlFileList`.\n\nExample intended configuration:\n\n    ServeDir::new(\"rama-xss-test\")\n        .with_directory_serve_mode(DirectoryServeMode::HtmlFileList)\n\nThen visit the directory listing in a browser.\n\nExpected behavior:\n\nThe file name should be displayed as text. Special characters such as `\u003c`, `\u003e`, `\"`, and `\u0027` should be HTML-escaped.\n\nActual behavior:\n\nThe file name is inserted directly into the generated HTML. The browser interprets the injected HTML and executes the benign JavaScript payload.\n\n## Expected Behavior\n\nAll file names, directory names, URI path parts, and other untrusted values should be escaped before being inserted into HTML.\n\nFor example:\n\n- `\u003c` should become `\u0026lt;`\n- `\u003e` should become `\u0026gt;`\n- `\"` should become `\u0026quot;`\n- `\u0027` should become `\u0026#x27;`\n- `\u0026` should become `\u0026amp;`\n\nUntrusted values used inside HTML attributes should be escaped using an attribute-safe escaping function.\n\n## Actual Behavior\n\nThe directory listing is generated with `format!()` and inserts file names and path values directly into HTML without escaping.\n\n## Suggested Fix\n\nEscape all untrusted values before inserting them into the generated HTML.\n\nRecommended changes:\n\n1. HTML-escape `entry.name` before using it as link text.\n2. Attribute-escape values used inside `href`.\n3. HTML-escape URI path components used in breadcrumbs.\n4. HTML-escape the current path used in the page title and heading.\n5. Add regression tests with file names containing HTML metacharacters.\n\nExample test payloads:\n\n    \"\u003e\u003cimg src=x onerror=alert(1)\u003e.txt\n    \u003cscript\u003ealert(1)\u003c/script\u003e.txt\n    a\u0026b.txt\n    quote\"test.txt\n    single\u0027test.txt\n\nThe secure output should render these as text only and should not create executable HTML or JavaScript.\n\n## Suggested Severity\n\nMedium.\n\nSuggested CVSS:\n\n`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`\n\nRationale:\n\n- The vulnerability is remotely reachable when an application exposes `ServeDir` directory listings.\n- Exploitation requires the attacker to create or influence a file or directory name in the served directory.\n- User interaction is required because a victim must view the affected directory listing.\n- The impact is browser-side script execution in the application origin.\n- Scope may change if the listing is served under a trusted authenticated application origin.\n\n## Additional Notes\n\nThis report is limited to the HTML directory listing generated by `ServeDir` when `DirectoryServeMode::HtmlFileList` is enabled.\n\nThis report is not claiming remote code execution on the server. The issue is browser-side cross-site scripting caused by unescaped file names and path values in generated HTML.",
  "id": "GHSA-cwv4-h3j5-w3cf",
  "modified": "2026-07-07T23:41:12Z",
  "published": "2026-07-07T23:41:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/plabayo/rama/security/advisories/GHSA-cwv4-h3j5-w3cf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/plabayo/rama"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path"
}

GHSA-CX3J-QQXJ-9597

Vulnerability from github – Published: 2023-08-11 18:57 – Updated: 2023-08-25 18:55
VLAI
Summary
Critters Cross-site Scripting Vulnerability
Details

Impact

Critters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential cross-site scripting (XSS) bug.

Patches

The bug has been fixed in v0.0.20.

Workarounds

Upgrading Critters version to >0.0.20 is the easiest fix. This is a non breaking version upgrade so we recommend all users to use v0.0.20.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.19"
      },
      "package": {
        "ecosystem": "npm",
        "name": "critters"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.17"
            },
            {
              "fixed": "0.0.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-11T18:57:53Z",
    "nvd_published_at": "2023-08-21T11:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nCritters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) bug.\n\n### Patches\nThe bug has been fixed in `v0.0.20`.\n\n### Workarounds\nUpgrading Critters version to `\u003e0.0.20` is the easiest fix. This is a non breaking version upgrade so we recommend all users to use `v0.0.20`.",
  "id": "GHSA-cx3j-qqxj-9597",
  "modified": "2023-08-25T18:55:56Z",
  "published": "2023-08-11T18:57:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GoogleChromeLabs/critters/security/advisories/GHSA-cx3j-qqxj-9597"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3481"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GoogleChromeLabs/critters/pull/133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GoogleChromeLabs/critters/commit/7757902c9e0b3285d516359b3cb602cd9d50d80e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GoogleChromeLabs/critters"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Critters Cross-site Scripting Vulnerability"
}

GHSA-CXQQ-H5HH-JGQ2

Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2025-11-03 21:30
VLAI
Details

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-20T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional \"charset\" parameter in order to receive the response in an encoded form. Depending on the \"charset\", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.",
  "id": "GHSA-cxqq-h5hh-jgq2",
  "modified": "2025-11-03T21:30:44Z",
  "published": "2022-09-21T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39957"
    },
    {
      "type": "WEB",
      "url": "https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F39F-G3GV-88JQ

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-18 21:30
VLAI
Details

A vulnerability was found in Simple History Plugin. It has been rated as critical. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213785 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-16T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in Simple History Plugin. It has been rated as critical. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213785 was assigned to this vulnerability.",
  "id": "GHSA-f39f-g3gv-88jq",
  "modified": "2022-11-18T21:30:17Z",
  "published": "2022-11-16T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4011"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/142cPciqIhNbfKhhxIwbrYFTegLvnwin_/view"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1AJXip8UG_ADbxtokPzAb61-lEg-xLebZ/view"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.213785"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4VW-X54C-H32V

Vulnerability from github – Published: 2022-03-12 00:00 – Updated: 2022-03-19 00:01
VLAI
Details

CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-11T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.",
  "id": "GHSA-f4vw-x54c-h32v",
  "modified": "2022-03-19T00:01:22Z",
  "published": "2022-03-12T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22151"
    },
    {
      "type": "WEB",
      "url": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F74C-M4CG-RGJ3

Vulnerability from github – Published: 2025-05-12 15:30 – Updated: 2025-05-13 00:31
VLAI
Details

Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by adding a special character to the request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T15:15:58Z",
    "severity": "CRITICAL"
  },
  "details": "Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by adding a special character to the request.",
  "id": "GHSA-f74c-m4cg-rgj3",
  "modified": "2025-05-13T00:31:11Z",
  "published": "2025-05-12T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56524"
    },
    {
      "type": "WEB",
      "url": "https://radware.com/solutions/cloud-security"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/722229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F7HX-FQXW-RVVJ

Vulnerability from github – Published: 2020-05-27 16:37 – Updated: 2023-01-20 22:02
VLAI
Summary
Insufficient output escaping of attachment names in PHPMailer
Details

Impact

CWE-116: Incorrect output escaping.

An attachment added like this (note the double quote within the attachment name, which is entirely valid):

$mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg');

Will result in a message containing these headers:

Content-Type: application/octet-stream; name="filename.html";.jpg"
Content-Disposition: attachment; filename="filename.html";.jpg"

The attachment will be named filename.html, and the trailing ";.jpg" will be ignored. Mail filters that reject .html attachments but permit .jpg attachments may be fooled by this.

Note that the MIME type itself is obtained automatically from the source filename (in this case attachment.tmp, which maps to a generic application/octet-stream type), and not the name given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods.

Patches

Patched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this:

Content-Type: application/octet-stream; name="filename.html\";.jpg"
Content-Disposition: attachment; filename="filename.html\";.jpg"

Workarounds

Reject or filter names and filenames containing double quote (") characters before passing them to attachment functions such as addAttachment().

References

CVE-2020-13625. PHPMailer 6.1.6 release

For more information

If you have any questions or comments about this advisory: * Open an issue in the PHPMailer repo

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmailer/phpmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-27T16:34:44Z",
    "nvd_published_at": "2020-06-08T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nCWE-116: Incorrect output escaping.\n\nAn attachment added like this (note the double quote within the attachment name, which is entirely valid):\n\n    $mail-\u003eaddAttachment(\u0027/tmp/attachment.tmp\u0027, \u0027filename.html\";.jpg\u0027);\n\nWill result in a message containing these headers:\n\n    Content-Type: application/octet-stream; name=\"filename.html\";.jpg\"\n    Content-Disposition: attachment; filename=\"filename.html\";.jpg\"\n\nThe attachment will be named `filename.html`, and the trailing `\";.jpg\"` will be ignored. Mail filters that reject `.html` attachments but permit `.jpg` attachments may be fooled by this.\n\nNote that the MIME type itself is obtained automatically from the *source filename* (in this case `attachment.tmp`, which maps to a generic `application/octet-stream` type), and not the *name* given to the attachment (though these are the same if a separate name is not provided), though it can be set explicitly in other parameters to attachment methods.\n\n### Patches\nPatched in PHPMailer 6.1.6 by escaping double quotes within the name using a backslash, as per RFC822 section 3.4.1, resulting in correctly escaped headers like this:\n\n    Content-Type: application/octet-stream; name=\"filename.html\\\";.jpg\"\n    Content-Disposition: attachment; filename=\"filename.html\\\";.jpg\"\n\n### Workarounds\nReject or filter names and filenames containing double quote (`\"`) characters before passing them to attachment functions such as `addAttachment()`.\n\n### References\n[CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625).\n[PHPMailer 6.1.6 release](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the PHPMailer repo](https://github.com/PHPMailer/PHPMailer/issues)",
  "id": "GHSA-f7hx-fqxw-rvvj",
  "modified": "2023-01-20T22:02:41Z",
  "published": "2020-05-27T16:37:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13625"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/commit/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPMailer/PHPMailer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v6.1.6"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFM3BZABL6RUHTVMXSC7OFMP4CKWMRPJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMH4TC5XTS3KZVGMSKEPPBZ2XTZCKKCX"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4505-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient output escaping of attachment names in PHPMailer"
}

Mitigation MIT-4.3
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Architecture and Design Implementation

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

Mitigation
Architecture and Design

In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.

Mitigation
Architecture and Design

Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).

Mitigation
Requirements

Fully specify which encodings are required by components that will be communicating with each other.

Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.