CWE-116
Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2023-4393 (GCVE-0-2023-4393)
Vulnerability from cvelistv5 – Published: 2023-10-29 23:13 – Updated: 2024-09-25 11:55
VLAI
Title
HTML and SMTP Injection in LiquidFiles
Summary
HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LiquidFiles Pty Ltd | LiquidFiles |
Affected:
0 , ≤ 3.7.13
(Major)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:24:04.605Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-4393"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4393",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T17:02:49.903745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T17:07:33.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LiquidFiles",
"vendor": "LiquidFiles Pty Ltd",
"versions": [
{
"lessThanOrEqual": "3.7.13",
"status": "affected",
"version": "0",
"versionType": "Major"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization."
}
],
"value": "HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-147",
"description": "CWE-147: Improper Neutralization of Input Terminators",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T11:55:18.386Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-4393"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTML and SMTP Injection in LiquidFiles",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2023-4393",
"datePublished": "2023-10-29T23:13:02.588Z",
"dateReserved": "2023-08-17T01:02:50.748Z",
"dateUpdated": "2024-09-25T11:55:18.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45135 (GCVE-0-2023-45135)
Vulnerability from cvelistv5 – Published: 2023-10-25 19:29 – Updated: 2024-09-10 14:41
VLAI
Title
XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn't displayed at first but then executed in the second step. This can be used by an attacker to trick a victim to execute code, allowing script execution if the victim has script right or remote code execution including full access to the XWiki instance if the victim has programming right.
For the attack to work, the attacker needs to convince the victim to visit a link like `<xwiki-host>/xwiki/bin/create/NonExistingSpace/WebHome?title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)` where `<xwiki-host>` is the URL of the Wiki installation and to then click on the "Create" button on that page. The page looks like a regular XWiki page that the victim would also see when clicking the button to create a page that doesn't exist yet, the malicious code is not displayed anywhere on that page. After clicking the "Create" button, the malicious title would be displayed but at this point, the code has already been executed and the attacker could use this code also to hide the attack, e.g., by redirecting the victim again to the same page with an innocent title. It thus seems plausible that this attack could work if the attacker can place a fake "create page" button on a page which is possible with edit right.
This has been patched in `org.xwiki.platform:xwiki-platform-web` version 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` versions 14.10.12 and 15.5-rc-1 by displaying the title already in the first step such that the victim can notice the attack before continuing. It is possible to manually patch the modified files from the patch in an existing installation. For the JavaScript change, the minified JavaScript file would need to be obtained from a build of XWiki and replaced accordingly.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-platform/commit/19… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-20869 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 7.2-milestone-2, < 14.10.12
Affected: >= 15.0-rc-1, < 15.5-rc-1 |
|
| xwiki | xwiki-platform |
Affected:
7.2-milestone-2 , < 14.10.12
(custom)
Affected: 15.0-rc-1 , < 15.5-rc-1 (custom) cpe:2.3:a:xwiki:xwiki-platform:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-20869",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20869"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki-platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"lessThan": "14.10.12",
"status": "affected",
"version": "7.2-milestone-2",
"versionType": "custom"
},
{
"lessThan": "15.5-rc-1",
"status": "affected",
"version": "15.0-rc-1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45135",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T14:38:48.320503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T14:41:32.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.2-milestone-2, \u003c 14.10.12"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn\u0027t displayed at first but then executed in the second step. This can be used by an attacker to trick a victim to execute code, allowing script execution if the victim has script right or remote code execution including full access to the XWiki instance if the victim has programming right.\n\nFor the attack to work, the attacker needs to convince the victim to visit a link like `\u003cxwiki-host\u003e/xwiki/bin/create/NonExistingSpace/WebHome?title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)` where `\u003cxwiki-host\u003e` is the URL of the Wiki installation and to then click on the \"Create\" button on that page. The page looks like a regular XWiki page that the victim would also see when clicking the button to create a page that doesn\u0027t exist yet, the malicious code is not displayed anywhere on that page. After clicking the \"Create\" button, the malicious title would be displayed but at this point, the code has already been executed and the attacker could use this code also to hide the attack, e.g., by redirecting the victim again to the same page with an innocent title. It thus seems plausible that this attack could work if the attacker can place a fake \"create page\" button on a page which is possible with edit right.\n\nThis has been patched in `org.xwiki.platform:xwiki-platform-web` version 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` versions 14.10.12 and 15.5-rc-1 by displaying the title already in the first step such that the victim can notice the attack before continuing. It is possible to manually patch the modified files from the patch in an existing installation. For the JavaScript change, the minified JavaScript file would need to be obtained from a build of XWiki and replaced accordingly."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T19:29:04.882Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-20869",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20869"
}
],
"source": {
"advisory": "GHSA-ghf6-2f42-mjh9",
"discovery": "UNKNOWN"
},
"title": "XWiki users can be tricked to execute scripts as the create page action doesn\u0027t display the page\u0027s title"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45135",
"datePublished": "2023-10-25T19:29:04.882Z",
"dateReserved": "2023-10-04T16:02:46.329Z",
"dateUpdated": "2024-09-10T14:41:32.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10441 (GCVE-0-2024-10441)
Vulnerability from cvelistv5 – Published: 2025-03-19 02:09 – Updated: 2025-03-28 01:06
VLAI
Summary
Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.synology.com/en-global/security/advis… | vendor-advisory |
| https://www.synology.com/en-global/security/advis… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Synology | DiskStation Manager (DSM) |
Affected:
7.2.2 , < 7.2.2-72806-1
(semver)
Affected: 7.2.1 , < 7.2.1-69057-6 (semver) Affected: 7.2 , < 7.2-64570-4 (semver) Affected: 7.1 , < 7.1.1-42962-7 (semver) Unknown: 0 , < 7.0 (semver) |
|
| Synology | BeeStation OS (BSM) |
Affected:
1.1 , < 1.1-65374
(semver)
Affected: 1.0 , < 1.1-65374 (semver) Unknown: 0 , < 1.0 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T13:16:45.541041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T13:17:23.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "DiskStation Manager (DSM)",
"vendor": "Synology",
"versions": [
{
"lessThan": "7.2.2-72806-1",
"status": "affected",
"version": "7.2.2",
"versionType": "semver"
},
{
"lessThan": "7.2.1-69057-6",
"status": "affected",
"version": "7.2.1",
"versionType": "semver"
},
{
"lessThan": "7.2-64570-4",
"status": "affected",
"version": "7.2",
"versionType": "semver"
},
{
"lessThan": "7.1.1-42962-7",
"status": "affected",
"version": "7.1",
"versionType": "semver"
},
{
"lessThan": "7.0",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "BeeStation OS (BSM)",
"vendor": "Synology",
"versions": [
{
"lessThan": "1.1-65374",
"status": "affected",
"version": "1.1",
"versionType": "semver"
},
{
"lessThan": "1.1-65374",
"status": "affected",
"version": "1.0",
"versionType": "semver"
},
{
"lessThan": "1.0",
"status": "unknown",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan Emmons (@the_emmons)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T01:06:48.075Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:20 DSM (PWN2OWN 2024)",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_20"
},
{
"name": "Synology-SA-24:23 BeeStation (PWN2OWN 2024)",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_23"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-10441",
"datePublished": "2025-03-19T02:09:56.387Z",
"dateReserved": "2024-10-28T02:22:16.500Z",
"dateUpdated": "2025-03-28T01:06:48.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1874 (GCVE-0-2024-1874)
Vulnerability from cvelistv5 – Published: 2024-04-29 03:57 – Updated: 2025-11-04 18:22
VLAI
Title
Command injection via array-ish $command parameter of proc_open()
Summary
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Severity
9.4 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
10 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| PHP Group | PHP |
Affected:
8.1.* , < 8.1.28
(semver)
Affected: 8.2.* , < 8.2.18 (semver) Affected: 8.3.* , < 8.3.5 (semver) |
|
| php_group | php |
Affected:
8.1.0
cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:* |
|
| php_group | php |
Affected:
8.2.0
cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:* |
|
| php_group | php |
Affected:
8.3.0
cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:* |
Date Public
2024-04-11 17:15
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:php_group:php:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "php",
"vendor": "php_group",
"versions": [
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:php_group:php:8.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "php",
"vendor": "php_group",
"versions": [
{
"status": "affected",
"version": "8.2.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:php_group:php:8.3.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "php",
"vendor": "php_group",
"versions": [
{
"status": "affected",
"version": "8.3.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1874",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-29T13:05:18.510843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:58.913Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:22:36.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0009/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"
},
{
"url": "https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"
},
{
"url": "https://www.kb.cert.org/vuls/id/123335"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"Windows"
],
"product": "PHP",
"vendor": "PHP Group",
"versions": [
{
"lessThan": "8.1.28",
"status": "affected",
"version": "8.1.*",
"versionType": "semver"
},
{
"lessThan": "8.2.18",
"status": "affected",
"version": "8.2.*",
"versionType": "semver"
},
{
"lessThan": "8.3.5",
"status": "affected",
"version": "8.3.*",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This problem only present in Windows versions of PHP.\u0026nbsp;"
}
],
"value": "This problem only present in Windows versions of PHP."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "RyotaK"
}
],
"datePublic": "2024-04-11T17:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T04:06:17.168Z",
"orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"shortName": "php"
},
"references": [
{
"url": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240510-0009/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/06/07/1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/"
}
],
"source": {
"advisory": "https://github.com/php/php-src/security/advisories/GHSA-pc52-254",
"discovery": "EXTERNAL"
},
"title": "Command injection via array-ish $command parameter of proc_open()",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Using proc_open() string syntax avoids the problem.\u0026nbsp;"
}
],
"value": "Using proc_open() string syntax avoids the problem."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
"assignerShortName": "php",
"cveId": "CVE-2024-1874",
"datePublished": "2024-04-29T03:57:35.624Z",
"dateReserved": "2024-02-25T04:39:00.479Z",
"dateUpdated": "2025-11-04T18:22:36.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-22199 (GCVE-0-2024-22199)
Vulnerability from cvelistv5 – Published: 2024-01-11 17:39 – Updated: 2024-11-14 14:45
VLAI
Title
Django Template Engine Vulnerable to XSS
Summary
This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users' browsers when visiting affected web pages. The vulnerability has been addressed, the template engine now defaults to having autoescape set to `true`, effectively mitigating the risk of XSS attacks.
Severity
9.3 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gofiber/template/security/advi… | x_refsource_CONFIRM |
| https://github.com/gofiber/template/commit/28cff3… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gofiber/template/security/advisories/GHSA-4mq2-gc4j-cmw6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/template/security/advisories/GHSA-4mq2-gc4j-cmw6"
},
{
"name": "https://github.com/gofiber/template/commit/28cff3ac4d4c117ab25b5396954676d624b6cb46",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/template/commit/28cff3ac4d4c117ab25b5396954676d624b6cb46"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:45:35.643060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:45:58.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "template",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users\u0027 browsers when visiting affected web pages. The vulnerability has been addressed, the template engine now defaults to having autoescape set to `true`, effectively mitigating the risk of XSS attacks.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T17:39:45.745Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/template/security/advisories/GHSA-4mq2-gc4j-cmw6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/template/security/advisories/GHSA-4mq2-gc4j-cmw6"
},
{
"name": "https://github.com/gofiber/template/commit/28cff3ac4d4c117ab25b5396954676d624b6cb46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/template/commit/28cff3ac4d4c117ab25b5396954676d624b6cb46"
}
],
"source": {
"advisory": "GHSA-4mq2-gc4j-cmw6",
"discovery": "UNKNOWN"
},
"title": "Django Template Engine Vulnerable to XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22199",
"datePublished": "2024-01-11T17:39:45.745Z",
"dateReserved": "2024-01-08T04:59:27.371Z",
"dateUpdated": "2024-11-14T14:45:58.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27938 (GCVE-0-2024-27938)
Vulnerability from cvelistv5 – Published: 2024-03-11 21:18 – Updated: 2024-08-27 19:48
VLAI
Title
SMTP Smuggling in Postal
Summary
Postal is an open source SMTP server. Postal versions less than 3.0.0 are vulnerable to SMTP Smuggling attacks which may allow incoming e-mails to be spoofed. This, in conjunction with a cooperative outgoing SMTP service, would allow for an incoming e-mail to be received by Postal addressed from a server that a user has 'authorised' to send mail on their behalf but were not the genuine author of the e-mail. Postal is not affected for sending outgoing e-mails as email is re-encoded with `<CR><LF>` line endings when transmitted over SMTP. This issue has been addressed and users should upgrade to Postal v3.0.0 or higher. Once upgraded, Postal will only accept End of DATA sequences which are explicitly `<CR><LF>.<CR><LF>`. If a non-compliant sequence is detected it will be logged to the SMTP server log. There are no workarounds for this issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/postalserver/postal/security/a… | x_refsource_CONFIRM |
| https://github.com/postalserver/postal/commit/0140dc4 | x_refsource_MISC |
| https://sec-consult.com/blog/detail/smtp-smugglin… | x_refsource_MISC |
| https://www.postfix.org/smtp-smuggling.html | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| postalserver | postal |
Affected:
< 3.0.0
|
|
| postalserver | postal |
Affected:
0 , < 3.0.0
(custom)
cpe:2.3:a:postalserver:postal:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.742Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/postalserver/postal/security/advisories/GHSA-j42r-6c99-hqf2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/postalserver/postal/security/advisories/GHSA-j42r-6c99-hqf2"
},
{
"name": "https://github.com/postalserver/postal/commit/0140dc4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/postalserver/postal/commit/0140dc4"
},
{
"name": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide"
},
{
"name": "https://www.postfix.org/smtp-smuggling.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.postfix.org/smtp-smuggling.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:postalserver:postal:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "postal",
"vendor": "postalserver",
"versions": [
{
"lessThan": "3.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27938",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:45:59.549699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:48:22.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "postal",
"vendor": "postalserver",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Postal is an open source SMTP server. Postal versions less than 3.0.0 are vulnerable to SMTP Smuggling attacks which may allow incoming e-mails to be spoofed. This, in conjunction with a cooperative outgoing SMTP service, would allow for an incoming e-mail to be received by Postal addressed from a server that a user has \u0027authorised\u0027 to send mail on their behalf but were not the genuine author of the e-mail. Postal is not affected for sending outgoing e-mails as email is re-encoded with `\u003cCR\u003e\u003cLF\u003e` line endings when transmitted over SMTP. This issue has been addressed and users should upgrade to Postal v3.0.0 or higher. Once upgraded, Postal will only accept End of DATA sequences which are explicitly `\u003cCR\u003e\u003cLF\u003e.\u003cCR\u003e\u003cLF\u003e`. If a non-compliant sequence is detected it will be logged to the SMTP server log. There are no workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-11T21:18:14.988Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/postalserver/postal/security/advisories/GHSA-j42r-6c99-hqf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/postalserver/postal/security/advisories/GHSA-j42r-6c99-hqf2"
},
{
"name": "https://github.com/postalserver/postal/commit/0140dc4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/postalserver/postal/commit/0140dc4"
},
{
"name": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide",
"tags": [
"x_refsource_MISC"
],
"url": "https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide"
},
{
"name": "https://www.postfix.org/smtp-smuggling.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.postfix.org/smtp-smuggling.html"
}
],
"source": {
"advisory": "GHSA-j42r-6c99-hqf2",
"discovery": "UNKNOWN"
},
"title": "SMTP Smuggling in Postal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27938",
"datePublished": "2024-03-11T21:18:14.988Z",
"dateReserved": "2024-02-28T15:14:14.217Z",
"dateUpdated": "2024-08-27T19:48:22.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28245 (GCVE-0-2024-28245)
Vulnerability from cvelistv5 – Published: 2024-03-25 19:53 – Updated: 2024-08-02 00:48
VLAI
Title
KaTeX's \includegraphics does not escape filename
Summary
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/KaTeX/KaTeX/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/KaTeX/KaTeX/commit/c5897fcd1f7… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:katex:katex:0.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "katex",
"vendor": "katex",
"versions": [
{
"lessThan": "0.16.10",
"status": "affected",
"version": "0.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28245",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-26T19:26:52.258854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T15:39:52.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h"
},
{
"name": "https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "KaTeX",
"vendor": "KaTeX",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.11.0, \u003c 0.6.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-25T19:53:01.320Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h"
},
{
"name": "https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/KaTeX/KaTeX/commit/c5897fcd1f73da9612a53e6b5544f1d776e17770"
}
],
"source": {
"advisory": "GHSA-f98w-7cxr-ff2h",
"discovery": "UNKNOWN"
},
"title": "KaTeX\u0027s \\includegraphics does not escape filename"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28245",
"datePublished": "2024-03-25T19:53:01.320Z",
"dateReserved": "2024-03-07T14:33:30.036Z",
"dateUpdated": "2024-08-02T00:48:49.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29894 (GCVE-0-2024-29894)
Vulnerability from cvelistv5 – Published: 2024-05-13 14:24 – Updated: 2025-02-13 17:47
VLAI
Title
Cacti Cross-site Scripting vulnerability when using JavaScript based messaging API
Summary
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Cacti/cacti/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/Cacti/cacti/security/advisorie… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cacti:cacti:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cacti",
"vendor": "cacti",
"versions": [
{
"lessThan": "1.2.27",
"status": "affected",
"version": "-",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T17:24:33.915547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:56:59.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh"
},
{
"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cacti",
"vendor": "Cacti",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.27"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:09:25.526Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh"
},
{
"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"
}
],
"source": {
"advisory": "GHSA-grj5-8fcj-34gh",
"discovery": "UNKNOWN"
},
"title": "Cacti Cross-site Scripting vulnerability when using JavaScript based messaging API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29894",
"datePublished": "2024-05-13T14:24:32.871Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2025-02-13T17:47:43.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31866 (GCVE-0-2024-31866)
Vulnerability from cvelistv5 – Published: 2024-04-09 16:09 – Updated: 2025-02-13 17:51
VLAI
Title
Apache Zeppelin: Interpreter download command does not escape malicious code injection
Summary
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
|
| apache_software_foundation | apache_zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
cpe:2.3:a:apache_software_foundation:apache_zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_zeppelin",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:59:15.091777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:33:03.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-interpreter",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can execute shell scripts or malicious code by overriding configuration like\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZEPPELIN_INTP_CLASSPATH_OVERRIDES.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can execute shell scripts or malicious code by overriding configuration like\u00a0ZEPPELIN_INTP_CLASSPATH_OVERRIDES.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:07:49.092Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Interpreter download command does not escape malicious code injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31866",
"datePublished": "2024-04-09T16:09:12.117Z",
"dateReserved": "2024-04-06T11:51:00.551Z",
"dateUpdated": "2025-02-13T17:51:59.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34355 (GCVE-0-2024-34355)
Vulnerability from cvelistv5 – Published: 2024-05-14 14:01 – Updated: 2024-08-02 02:51
VLAI
Title
TYPO3 vulnerable to an HTML Injection in the History Module
Summary
TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/TYPO3/typo3/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/TYPO3/typo3/commit/56afa304ba8… | x_refsource_MISC |
| https://typo3.org/security/advisory/typo3-core-sa… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T13:21:14.096134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:41.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:11.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-xjwx-78x7-q6jc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-xjwx-78x7-q6jc"
},
{
"name": "https://github.com/TYPO3/typo3/commit/56afa304ba8b5ad302e15df5def71bcc8d820375",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TYPO3/typo3/commit/56afa304ba8b5ad302e15df5def71bcc8d820375"
},
{
"name": "https://typo3.org/security/advisory/typo3-core-sa-2024-007",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://typo3.org/security/advisory/typo3-core-sa-2024-007"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "typo3",
"vendor": "TYPO3",
"versions": [
{
"status": "affected",
"version": "\u003e= 13.0.0, \u003c 13.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T14:01:32.753Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-xjwx-78x7-q6jc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-xjwx-78x7-q6jc"
},
{
"name": "https://github.com/TYPO3/typo3/commit/56afa304ba8b5ad302e15df5def71bcc8d820375",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TYPO3/typo3/commit/56afa304ba8b5ad302e15df5def71bcc8d820375"
},
{
"name": "https://typo3.org/security/advisory/typo3-core-sa-2024-007",
"tags": [
"x_refsource_MISC"
],
"url": "https://typo3.org/security/advisory/typo3-core-sa-2024-007"
}
],
"source": {
"advisory": "GHSA-xjwx-78x7-q6jc",
"discovery": "UNKNOWN"
},
"title": "TYPO3 vulnerable to an HTML Injection in the History Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34355",
"datePublished": "2024-05-14T14:01:32.753Z",
"dateReserved": "2024-05-02T06:36:32.438Z",
"dateUpdated": "2024-08-02T02:51:11.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-4.3
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation ID: MIT-27
Phase: Architecture and Design
Strategy: Parameterization
Description:
- If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
Mitigation
Phase: Architecture and Design
Description:
- In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Mitigation
Phase: Architecture and Design
Description:
- Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Mitigation
Phase: Requirements
Description:
- Fully specify which encodings are required by components that will be communicating with each other.
Mitigation
Phase: Implementation
Description:
- When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.