CWE-116
Allowed-with-ReviewImproper Encoding or Escaping of Output
Abstraction: Class · Status: Draft
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
612 vulnerabilities reference this CWE, most recent first.
GHSA-V72V-M6VQ-49VH
Vulnerability from github – Published: 2023-06-01 18:30 – Updated: 2024-04-04 04:27In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can use a specially crafted web URL in their browser to cause log file poisoning. The attack requires the attacker to have secure shell (SSH) access to the instance and use a terminal program that supports a certain feature set to execute the attack successfully.
{
"affected": [],
"aliases": [
"CVE-2023-32712"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T17:15:10Z",
"severity": "LOW"
},
"details": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can use a specially crafted web URL in their browser to cause log file poisoning. The attack requires the attacker to have secure shell (SSH) access to the instance and use a terminal program that supports a certain feature set to execute the attack successfully.",
"id": "GHSA-v72v-m6vq-49vh",
"modified": "2024-04-04T04:27:54Z",
"published": "2023-06-01T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32712"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-0606"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V772-658Q-978P
Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-30 03:37ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
{
"affected": [],
"aliases": [
"CVE-2026-56379"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-23T13:16:46Z",
"severity": "LOW"
},
"details": "ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.",
"id": "GHSA-v772-658q-978p",
"modified": "2026-06-30T03:37:08Z",
"published": "2026-06-23T15:32:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56379"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:32961"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-56379"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491700"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-56379.json"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V82W-4932-72HF
Vulnerability from github – Published: 2023-03-30 18:30 – Updated: 2025-02-18 18:33PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is "locked" and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.
{
"affected": [],
"aliases": [
"CVE-2022-30351"
],
"database_specific": {
"cwe_ids": [
"CWE-1116",
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-30T16:15:00Z",
"severity": "HIGH"
},
"details": "PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is \"locked\" and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.",
"id": "GHSA-v82w-4932-72hf",
"modified": "2025-02-18T18:33:02Z",
"published": "2023-03-30T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30351"
},
{
"type": "WEB",
"url": "https://arxiv.org/pdf/2206.02285.pdf"
},
{
"type": "WEB",
"url": "https://www.pdfzorro.com/pdf-edit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCC4-2C75-VC9V
Vulnerability from github – Published: 2026-06-16 21:28 – Updated: 2026-06-16 21:28Summary
Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely.
Details
The vulnerability originates from funcStripHTML in:
caddy/caddy/caddyhttp/templates/tplcontext.go
func (TemplateContext) funcStripHTML(s string) string {
var buf bytes.Buffer
var inTag, inQuotes bool
var tagStart int
for i, ch := range s {
if inTag {
if ch == '>' && !inQuotes {
inTag = false
} else if ch == '<' && !inQuotes {
// false start
buf.WriteString(s[tagStart:i])
tagStart = i
} else if ch == '"' {
inQuotes = !inQuotes
}
continue
}
if ch == '<' {
inTag = true
tagStart = i
continue
}
buf.WriteRune(ch)
}
if inTag {
// false start
buf.WriteString(s[tagStart:])
}
return buf.String()
}
POC
Caddyfile setup
:8080 {
root * ./site
file_server
templates
}
Template file (index.html)
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>StripHTML Bypass Test</title>
</head>
<body>
<p>{{ stripHTML "<<>img src=x onerror=alert('XSS')>" }}</p>
</body>
</html>
The payload exploits the false start branch to smuggle a literal < back into the output, then uses the following > to terminate the parser’s tag state, leaving a valid tag behind.
Tested in v2.11.3
Impact
Malformed HTML can bypass stripHTML, potentially allowing arbitrary HTML or JavaScript to be rendered if the output is used unsafely, leading to client-side XSS.
AI Disclosure
AI assisted in writing the report description; however, the discovery of the issue has been done manually.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.11.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52846"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T21:28:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nCaddy\u2019s `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `\u003c\u003c\u003eimg src=x onerror=alert()\u003e`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely.\n\n---\n\n### Details\nThe vulnerability originates from `funcStripHTML` in:\n\n[caddy/caddy/caddyhttp/templates/tplcontext.go](https://github.com/caddyserver/caddy/blob/77e9ce7404c4a76853e101a9f5687a929ee56654/modules/caddyhttp/templates/tplcontext.go)\n\n```go\nfunc (TemplateContext) funcStripHTML(s string) string {\n var buf bytes.Buffer\n var inTag, inQuotes bool\n var tagStart int\n for i, ch := range s {\n if inTag {\n if ch == \u0027\u003e\u0027 \u0026\u0026 !inQuotes {\n inTag = false\n } else if ch == \u0027\u003c\u0027 \u0026\u0026 !inQuotes {\n // false start\n buf.WriteString(s[tagStart:i])\n tagStart = i\n } else if ch == \u0027\"\u0027 {\n inQuotes = !inQuotes\n }\n continue\n }\n if ch == \u0027\u003c\u0027 {\n inTag = true\n tagStart = i\n continue\n }\n buf.WriteRune(ch)\n }\n if inTag {\n // false start\n buf.WriteString(s[tagStart:])\n }\n return buf.String()\n}\n```\n\n### POC\n\nCaddyfile setup\n\n```\n:8080 {\n root * ./site\n file_server\n templates\n}\n```\n\nTemplate file (index.html)\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n \u003cmeta charset=\"UTF-8\"\u003e\n \u003ctitle\u003eStripHTML Bypass Test\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n \u003cp\u003e{{ stripHTML \"\u003c\u003c\u003eimg src=x onerror=alert(\u0027XSS\u0027)\u003e\" }}\u003c/p\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nThe payload exploits the false start branch to smuggle a literal \u003c back into the output, then uses the following \u003e to terminate the parser\u2019s tag state, leaving a valid \u003cimg ...\u003e tag behind.\n\nTested in v2.11.3\n\n### Impact\n\nMalformed HTML can bypass stripHTML, potentially allowing arbitrary HTML or JavaScript to be rendered if the output is used unsafely, leading to client-side XSS.\n\n### AI Disclosure\n\nAI assisted in writing the report description; however, the discovery of the issue has been done manually.",
"id": "GHSA-vcc4-2c75-vc9v",
"modified": "2026-06-16T21:28:55Z",
"published": "2026-06-16T21:28:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v"
},
{
"type": "PACKAGE",
"url": "https://github.com/caddyserver/caddy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Caddy: stripHTML template function bypass"
}
GHSA-VHFP-P9XR-GG6W
Vulnerability from github – Published: 2023-02-01 06:30 – Updated: 2023-02-08 21:30Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary \u2018Host\u2019 header values to poison a web cache or trigger redirections.
{
"affected": [],
"aliases": [
"CVE-2022-45102"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T06:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary \\u2018Host\\u2019 header values to poison a web cache or trigger redirections.",
"id": "GHSA-vhfp-p9xr-gg6w",
"modified": "2023-02-08T21:30:22Z",
"published": "2023-02-01T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45102"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000206329/dsa-2022-348-dell-emc-data-protection-central-security-update-for-proprietary-code-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMHH-XH3G-J992
Vulnerability from github – Published: 2022-05-25 22:40 – Updated: 2022-06-08 17:31Impact
We found a possible XSS vector in the FlamingoThemesCode.WebHomeSheet wiki page related to the "newThemeName" form field.
Patches
The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.
Workarounds
The easiest workaround is to edit the wiki page FlamingoThemesCode.WebHomeSheet (with wiki editor) and change the line
<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />
into
<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />
References
- https://jira.xwiki.org/browse/XWIKI-19294
- https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at security mailing list
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
},
"ranges": [
{
"events": [
{
"introduced": "13.5.0"
},
{
"fixed": "13.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29251"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T22:40:57Z",
"nvd_published_at": "2022-05-25T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nWe found a possible XSS vector in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the \"newThemeName\" form field.\n\n### Patches\n\nThe issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.\n\n### Workarounds\nThe easiest workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) and change the line\n\n```\n\u003cinput type=\"hidden\" name=\"newThemeName\" id=\"newThemeName\" value=\"$request.newThemeName\" /\u003e\n```\n\ninto\n\n```\n\u003cinput type=\"hidden\" name=\"newThemeName\" id=\"newThemeName\" value=\"$escapetool.xml($request.newThemeName)\" /\u003e\n```\n\n### References\n * https://jira.xwiki.org/browse/XWIKI-19294\n * https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org)\n* Email us at [security mailing list](mailto:security@xwiki.org)",
"id": "GHSA-vmhh-xh3g-j992",
"modified": "2022-06-08T17:31:04Z",
"published": "2022-05-25T22:40:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vmhh-xh3g-j992"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29251"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-19294"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cross-site Scripting in the Flamingo theme manager"
}
GHSA-VMJ4-FFR3-XXP8
Vulnerability from github – Published: 2025-10-10 21:31 – Updated: 2025-10-10 21:31A HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the "Bill To" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documents.
{
"affected": [],
"aliases": [
"CVE-2025-55903"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-10T20:15:37Z",
"severity": "HIGH"
},
"details": "A HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the \"Bill To\" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documents.",
"id": "GHSA-vmj4-ffr3-xxp8",
"modified": "2025-10-10T21:31:16Z",
"published": "2025-10-10T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55903"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/perfex-powerful-open-source-crm/14013737"
},
{
"type": "WEB",
"url": "https://github.com/ajansha/CVE-2025-55903"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VP3J-PPF5-CQPF
Vulnerability from github – Published: 2026-02-05 21:32 – Updated: 2026-02-05 21:32Tanium addressed an improper output sanitization vulnerability in Tanium Appliance.
{
"affected": [],
"aliases": [
"CVE-2025-15312"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T19:15:52Z",
"severity": "MODERATE"
},
"details": "Tanium addressed an improper output sanitization vulnerability in Tanium Appliance.",
"id": "GHSA-vp3j-ppf5-cqpf",
"modified": "2026-02-05T21:32:41Z",
"published": "2026-02-05T21:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15312"
},
{
"type": "WEB",
"url": "https://security.tanium.com/TAN-2025-003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP8C-39Q7-PXQC
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2025-11-25 18:32A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
{
"affected": [],
"aliases": [
"CVE-2019-11717"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-23T14:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists where the caret (\"^\") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.",
"id": "GHSA-vp8c-39q7-pxqc",
"modified": "2025-11-25T18:32:16Z",
"published": "2022-05-24T16:51:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11717"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1548306"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201908-12"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201908-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-21"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-23"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VP9Q-X4HQ-PP7P
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name.
{
"affected": [],
"aliases": [
"CVE-2017-12064"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-01T05:29:00Z",
"severity": "HIGH"
},
"details": "The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access restrictions via a crafted name.",
"id": "GHSA-vp9q-x4hq-pp7p",
"modified": "2022-05-13T01:42:36Z",
"published": "2022-05-13T01:42:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12064"
},
{
"type": "WEB",
"url": "https://github.com/openemr/openemr/commit/b8963a5ca483211ed8de71f18227a0e66a2582ad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-4.3
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Strategy: Parameterization
- If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
Mitigation
In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Mitigation
Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Mitigation
Fully specify which encodings are required by components that will be communicating with each other.
Mitigation
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.