Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

501 vulnerabilities reference this CWE, most recent first.

GHSA-CF67-7J7R-89Q3

Vulnerability from github – Published: 2022-04-29 02:59 – Updated: 2025-04-03 04:01
VLAI
Details

Format string vulnerability in log.c in rssh before 2.2.2 allows remote authenticated users to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-1628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-10-23T04:00:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in log.c in rssh before 2.2.2 allows remote authenticated users to execute arbitrary code.",
  "id": "GHSA-cf67-7j7r-89q3",
  "modified": "2025-04-03T04:01:37Z",
  "published": "2022-04-29T02:59:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-1628"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17831"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=109855982425122\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/12954"
    },
    {
      "type": "WEB",
      "url": "http://www.gentoo.org/security/en/glsa/glsa-200410-28.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.pizzashack.org/rssh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CF8H-9592-VMXR

Vulnerability from github – Published: 2023-07-17 18:31 – Updated: 2024-04-04 06:11
VLAI
Details

A format string vulnerability in the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-17T18:15:09Z",
    "severity": "HIGH"
  },
  "details": "A format string vulnerability in the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2,  USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled.",
  "id": "GHSA-cf8h-9592-vmxr",
  "modified": "2024-04-04T06:11:20Z",
  "published": "2023-07-17T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33011"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CG98-RW53-3V8H

Vulnerability from github – Published: 2022-05-01 18:34 – Updated: 2022-05-01 18:34
VLAI
Details

Format string vulnerability in the logging function in the Oracle OPMN daemon, as used on Oracle Enterprise Grid Console server 10.2.0.1, allows remote attackers to execute arbitrary code via format string specifiers in the URI in an HTTP request to port 6003, aka Oracle reference number 6296175. NOTE: this might be the same issue as CVE-2007-0282 or CVE-2007-0280, but there are insufficient details to be sure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-18T20:17:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the logging function in the Oracle OPMN daemon, as used on Oracle Enterprise Grid Console server 10.2.0.1, allows remote attackers to execute arbitrary code via format string specifiers in the URI in an HTTP request to port 6003, aka Oracle reference number 6296175.  NOTE: this might be the same issue as CVE-2007-0282 or CVE-2007-0280, but there are insufficient details to be sure.",
  "id": "GHSA-cg98-rw53-3v8h",
  "modified": "2022-05-01T18:34:30Z",
  "published": "2022-05-01T18:34:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5561"
    },
    {
      "type": "WEB",
      "url": "http://www.irmplc.com/index.php/111-Vendor-Alerts"
    },
    {
      "type": "WEB",
      "url": "http://www.irmplc.com/index.php/142-Advisory-021"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CQJC-HXF6-JX3W

Vulnerability from github – Published: 2022-05-02 03:57 – Updated: 2022-05-02 03:57
VLAI
Details

Format string vulnerability in Ipswitch WS_FTP Professional 12 before 12.2 allows remote attackers to cause a denial of service (crash) via format string specifiers in the status code portion of an HTTP response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-4775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-04-21T14:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in Ipswitch WS_FTP Professional 12 before 12.2 allows remote attackers to cause a denial of service (crash) via format string specifiers in the status code portion of an HTTP response.",
  "id": "GHSA-cqjc-hxf6-jx3w",
  "modified": "2022-05-02T03:57:55Z",
  "published": "2022-05-02T03:57:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4775"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53098"
    },
    {
      "type": "WEB",
      "url": "http://docs.ipswitch.com/WS_FTP%20122/ReleaseNotes/English/index.htm?k_id=ipswitch_com_ftp_documents_worldwide_ws_ftp122releasenotesenglish#link23"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/9607"
    },
    {
      "type": "WEB",
      "url": "http://www.packetstormsecurity.org/0909-exploits/nocoolnameforawsftppoc.pl.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/36297"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CR56-64WJ-Q2R7

Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-01-20 21:31
VLAI
Details

HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-20T21:16:06Z",
    "severity": "LOW"
  },
  "details": "HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error.",
  "id": "GHSA-cr56-64wj-q2r7",
  "modified": "2026-01-20T21:31:35Z",
  "published": "2026-01-20T21:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21640"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3445332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CVFG-5HFC-WCQ7

Vulnerability from github – Published: 2022-05-17 01:09 – Updated: 2022-05-17 01:09
VLAI
Details

Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-01-19T05:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.",
  "id": "GHSA-cvfg-5hfc-wcq7",
  "modified": "2022-05-17T01:09:07Z",
  "published": "2022-05-17T01:09:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8617"
    },
    {
      "type": "WEB",
      "url": "https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=71105"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-7.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1034543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CVPQ-CVHW-884V

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15
VLAI
Details

Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response, aka "Print Spooler Service Format String Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-08-15T01:55:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response, aka \"Print Spooler Service Format String Vulnerability.\"",
  "id": "GHSA-cvpq-cvhw-884v",
  "modified": "2022-05-13T01:15:39Z",
  "published": "2022-05-13T01:15:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1851"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-054"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15531"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA12-227A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CW9M-X55V-H5JW

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

On Audi A7 MMI 2014 vehicles, the Bluetooth stack in Audi A7 MMI Multiplayer with version (N+R_CN_AU_P0395) mishandles %x and %s format string specifiers in a device name. This may lead to memory content leaks and potentially crash the services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "On Audi A7 MMI 2014 vehicles, the Bluetooth stack in Audi A7 MMI Multiplayer with version (N+R_CN_AU_P0395) mishandles %x and %s format string specifiers in a device name. This may lead to memory content leaks and potentially crash the services.",
  "id": "GHSA-cw9m-x55v-h5jw",
  "modified": "2022-05-24T17:34:02Z",
  "published": "2022-05-24T17:34:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27524"
    },
    {
      "type": "WEB",
      "url": "https://tiger-team-1337.blogspot.com/2020/10/audi-a7-2014-mmi-mishandles-format.html"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/Kevin2600/status/1316380576593571840"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=BQUVgAdhwQs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CWQW-MV4M-VQGQ

Vulnerability from github – Published: 2022-05-17 03:08 – Updated: 2022-05-17 03:08
VLAI
Details

Format string vulnerability in Cisco Email Security Appliance (ESA) 7.6.0 and 8.0.0 allows remote attackers to cause a denial of service (memory overwrite or service outage) via format string specifiers in an HTTP request, aka Bug ID CSCug21497.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-6285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-09-14T01:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in Cisco Email Security Appliance (ESA) 7.6.0 and 8.0.0 allows remote attackers to cause a denial of service (memory overwrite or service outage) via format string specifiers in an HTTP request, aka Bug ID CSCug21497.",
  "id": "GHSA-cwqw-mv4m-vqgq",
  "modified": "2022-05-17T03:08:18Z",
  "published": "2022-05-17T03:08:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6285"
    },
    {
      "type": "WEB",
      "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40844"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1033531"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CXJG-C3FC-C47Q

Vulnerability from github – Published: 2022-05-01 23:35 – Updated: 2022-05-01 23:35
VLAI
Details

Format string vulnerability in EMC DiskXtender MediaStor 6.20.060 allows remote authenticated users to execute arbitrary code via a crafted message to the RPC interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-0963"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-04-14T16:05:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in EMC DiskXtender MediaStor 6.20.060 allows remote authenticated users to execute arbitrary code via a crafted message to the RPC interface.",
  "id": "GHSA-cxjg-c3fc-c47q",
  "modified": "2022-05-01T23:35:09Z",
  "published": "2022-05-01T23:35:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0963"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41773"
    },
    {
      "type": "WEB",
      "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=685"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29778"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/44417"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28727"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28729"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1019829"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/1198/references"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.