Common Weakness Enumeration

CWE-116

Allowed-with-Review

Improper Encoding or Escaping of Output

Abstraction: Class · Status: Draft

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

612 vulnerabilities reference this CWE, most recent first.

GHSA-2J22-PR5W-6GQ8

Vulnerability from github – Published: 2026-03-26 22:19 – Updated: 2026-03-26 22:19
VLAI
Summary
Loofah has improper detection of disallowed URIs via `allowed_uri?`
Details

Summary

Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as 
 (carriage return), 
 (line feed), or 	 (tab).

Details

The allowed_uri? method strips literal control characters before decoding HTML entities. Payloads like java
script:alert(1) survive the control character strip, then 
 is decoded to a carriage return, producing java\rscript:alert(1).

Note that the Loofah sanitizer's default sanitize() path is not affected because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the allowed_uri? string-level helper when passing HTML-encoded strings.

Impact

Applications that call Loofah::HTML5::Scrub.allowed_uri? to validate user-controlled URLs and then render approved URLs into href or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah 2.25.0.

Mitigation

Upgrade to Loofah >= 2.25.1.

Credit

Responsibly reported by HackOne user @smlee.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "loofah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.25.0"
            },
            {
              "fixed": "2.25.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.25.0"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T22:19:02Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\n`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `\u0026#13;` (carriage return), `\u0026#10;` (line feed), or `\u0026#9;` (tab).\n\n## Details\n\nThe `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java\u0026#13;script:alert(1)` survive the control character strip, then `\u0026#13;` is decoded to a carriage return, producing `java\\rscript:alert(1)`.\n\nNote that the Loofah sanitizer\u0027s default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.\n\n## Impact\n\nApplications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).\n\nThis only affects Loofah `2.25.0`.\n\n## Mitigation\n\nUpgrade to Loofah \u003e= `2.25.1`.\n\n## Credit\n\nResponsibly reported by HackOne user @smlee.",
  "id": "GHSA-2j22-pr5w-6gq8",
  "modified": "2026-03-26T22:19:02Z",
  "published": "2026-03-26T22:19:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah/commit/f4ebc9c5193dde759a57541062e490e86fc7c068"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flavorjones/loofah"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah/releases/tag/v2.25.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Loofah has improper detection of disallowed URIs via `allowed_uri?`"
}

GHSA-2M6P-HM3W-6JM3

Vulnerability from github – Published: 2026-05-19 14:44 – Updated: 2026-06-09 11:56
VLAI
Summary
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
Details

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the <video-player> component.

The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data such as JWT tokens and more.

Details

The vulnerability is present in the <video-player> web component used within the HAX CMS editor.

The application fails to validate or sanitize user-supplied input in the following attributes: - source - source-data

These attributes accept arbitrary URI schemes, including javascript:, which leads to execution of attacker-controlled JavaScript in the browser.

Example vulnerable usage:

<video-player 
  source="javascript:alert(document.domain)" 
  source-type="external">
</video-player>

Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering. Because this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.

The root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.

PoC

Steps to reproduce: 1. Log in to HAX CMS as user. 2. Create a website or any page and switch to the HTML source editor (<>). 3. Insert the following payload:

<video-player source="javascript:alert('JWT: '+localStorage.getItem('jwt').substring(0,30))" source-type="external"></video-player>

image

Save the page.

Reload or revisit or send the page.

Result image

A JavaScript alert executes. The JWT token is exposed. This confirms arbitrary JavaScript execution in the victim’s browser.

Impact

This vulnerability allows stored XSS leading to:

  • Theft of JWT authentication tokens
  • Session hijacking
  • Full account takeover
  • Execution of arbitrary JavaScript in victim browsers

If an administrator views a malicious page, this can lead to full CMS compromise.

Attack complexity: Low
Privileges required: Low (any authenticated user)
User interaction: Required

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/video-player"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T14:44:34Z",
    "nvd_published_at": "2026-06-05T19:16:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the `\u003cvideo-player\u003e` component.\n\nThe component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim\u2019s browser and access sensitive data such as JWT tokens and more.\n\n### Details\nThe vulnerability is present in the `\u003cvideo-player\u003e` web component used within the HAX CMS editor.\n\nThe application fails to validate or sanitize user-supplied input in the following attributes:\n- `source`\n- `source-data`\n\nThese attributes accept arbitrary URI schemes, including `javascript:`, which leads to execution of attacker-controlled JavaScript in the browser.\n\nExample vulnerable usage:\n```html\n\u003cvideo-player \n  source=\"javascript:alert(document.domain)\" \n  source-type=\"external\"\u003e\n\u003c/video-player\u003e\n```\n\n\nBecause this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.\n\nThe root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.\nBecause this content is stored and rendered to other users, the vulnerability is classified as a stored XSS.\n\nThe root cause is the lack of URI scheme validation and improper sanitization of component attributes before rendering.\n\n\n### PoC\n\nSteps to reproduce:\n1. Log in to HAX CMS as user.\n2. Create a website or any page and switch to the HTML source editor (`\u003c\u003e`).\n3. Insert the following payload:\n\n```html\n\u003cvideo-player source=\"javascript:alert(\u0027JWT: \u0027+localStorage.getItem(\u0027jwt\u0027).substring(0,30))\" source-type=\"external\"\u003e\u003c/video-player\u003e\n```\n\u003cimg width=\"2456\" height=\"1405\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ea037043-7ff7-4840-bed0-1091692c6289\" /\u003e\n\n\nSave the page.\n\nReload or revisit or send the page.\n\nResult\n\u003cimg width=\"2468\" height=\"1394\" alt=\"image\" src=\"https://github.com/user-attachments/assets/543bbf69-900d-4e2d-bd6b-0658fb5aa899\" /\u003e\n\n\nA JavaScript alert executes.\nThe JWT token is exposed.\nThis confirms arbitrary JavaScript execution in the victim\u2019s browser.\n\n\n### Impact\n\nThis vulnerability allows stored XSS leading to:\n\n- Theft of JWT authentication tokens \n- Session hijacking\n- Full account takeover\n- Execution of arbitrary JavaScript in victim browsers\n\nIf an administrator views a malicious page, this can lead to full CMS compromise.\n\nAttack complexity: Low  \nPrivileges required: Low (any authenticated user)  \nUser interaction: Required",
  "id": "GHSA-2m6p-hm3w-6jm3",
  "modified": "2026-06-09T11:56:45Z",
  "published": "2026-05-19T14:44:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46496"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HAX CMS: Stored XSS via \u0027\u003cvideo-player\u003e\u0027 component allows arbitrary JavaScript execution and token theft"
}

GHSA-2MM6-624X-FQRR

Vulnerability from github – Published: 2025-11-27 12:30 – Updated: 2026-06-09 16:12
VLAI
Summary
pretix has Email Content Injection Through Maliciously Formatted Names
Details

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2025.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.8.0"
            },
            {
              "fixed": "2025.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2025.9.0"
            },
            {
              "fixed": "2025.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-09T16:12:33Z",
    "nvd_published_at": "2025-11-27T11:15:47Z",
    "severity": "LOW"
  },
  "details": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer\u0027s name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.",
  "id": "GHSA-2mm6-624x-fqrr",
  "modified": "2026-06-09T16:12:34Z",
  "published": "2025-11-27T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13742"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pretix/pretix"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2025-154.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20251126-release-2025-9-1"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/security"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20251129201933/https://pretix.eu/about/en/blog/20251127-release-2025-9-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:L/SA:L/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pretix has Email Content Injection Through Maliciously Formatted Names"
}

GHSA-2PQM-Q853-JFVF

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2026-05-28 21:31
VLAI
Details

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-31T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.",
  "id": "GHSA-2pqm-q853-jfvf",
  "modified": "2026-05-28T21:31:48Z",
  "published": "2022-05-13T01:22:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6109"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3702"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c"
    },
    {
      "type": "WEB",
      "url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201903-16"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190213-0001"
    },
    {
      "type": "WEB",
      "url": "https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3885-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4387"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2QRJ-G9HQ-CHPH

Vulnerability from github – Published: 2025-05-13 20:17 – Updated: 2025-05-13 20:17
VLAI
Summary
Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
Details

Impact

The 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems).

Patches

This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2.

Workarounds

Unpatched or unsupported versions can workaround this issue by using the 'Send email with template (Razor)' workflow instead or writing a custom workflow type.

To avoid accidentally using the vulnerable workflow again, the SendEmail workflow type can be removed using the following composer (tested on Umbraco 10, 13, 14 and 15):

using Umbraco.Cms.Core.Composing;
using Umbraco.Forms.Core.Providers.Extensions;
using Umbraco.Forms.Core.Providers.WorkflowTypes;

internal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
        => builder.FormsWorkflows().Exclude<SendEmail>();
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "13.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoForms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "last_affected": "8.13.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "15.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:17:36Z",
    "nvd_published_at": "2025-05-13T17:16:04Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThe \u0027Send email\u0027 workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems).\n\n### Patches\nThis issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2.\n\n### Workarounds\nUnpatched or unsupported versions can workaround this issue by using the \u0027Send email with template (Razor)\u0027 workflow instead or [writing a custom workflow type](https://docs.umbraco.com/umbraco-forms/developer/extending/adding-a-workflowtype).\n\nTo avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using the following composer (tested on Umbraco 10, 13, 14 and 15):\n```c#\nusing Umbraco.Cms.Core.Composing;\nusing Umbraco.Forms.Core.Providers.Extensions;\nusing Umbraco.Forms.Core.Providers.WorkflowTypes;\n\ninternal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer\n{\n    public void Compose(IUmbracoBuilder builder)\n        =\u003e builder.FormsWorkflows().Exclude\u003cSendEmail\u003e();\n}\n```",
  "id": "GHSA-2qrj-g9hq-chph",
  "modified": "2025-05-13T20:17:36Z",
  "published": "2025-05-13T20:17:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47280"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Umbraco.Forms has HTML injection vulnerability in \u0027Send email\u0027 workflow"
}

GHSA-2RR2-57V3-7CVX

Vulnerability from github – Published: 2024-09-17 15:31 – Updated: 2026-06-02 12:31
VLAI
Details

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS, Cross-Site Scripting (XSS), Exploit Script-Based APIs, XSS Through HTTP Headers.This issue affects Veribase Order: before v4.010.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T13:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027), Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS, Cross-Site Scripting (XSS), Exploit Script-Based APIs, XSS Through HTTP Headers.This issue affects Veribase Order: before v4.010.3.",
  "id": "GHSA-2rr2-57v3-7cvx",
  "modified": "2026-06-02T12:31:24Z",
  "published": "2024-09-17T15:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7873"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1485"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-1485"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2RRH-8PM2-3Q2C

Vulnerability from github – Published: 2023-10-22 06:30 – Updated: 2024-04-04 08:52
VLAI
Details

iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences related to tmux integration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-22T04:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences related to tmux integration.",
  "id": "GHSA-2rrh-8pm2-3q2c",
  "modified": "2024-04-04T08:52:41Z",
  "published": "2023-10-22T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46300"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gnachman/iTerm2/commit/ae8192522661c34d1cbe57f6f9ef2ff0a337c2a5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gnachman/iTerm2/commit/b2268b03b5f3d4cd8ca275eaef5d16d0fac20009"
    },
    {
      "type": "WEB",
      "url": "https://blog.solidsnail.com/posts/2023-08-28-iterm2-rce"
    },
    {
      "type": "WEB",
      "url": "https://iterm2.com/news.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2V88-QQ7X-XQ5F

Vulnerability from github – Published: 2021-09-01 18:21 – Updated: 2021-09-01 18:20
VLAI
Summary
Improper Encoding or Escaping of Output in Asset Metadata Component
Details

Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch manually.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.1.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-01T18:20:20Z",
    "nvd_published_at": "2021-09-01T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Pimcore is an open source data \u0026 experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch manually.",
  "id": "GHSA-2v88-qq7x-xq5f",
  "modified": "2021-09-01T18:20:20Z",
  "published": "2021-09-01T18:21:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39170"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/10178"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/10178.patch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/10206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Encoding or Escaping of Output in Asset Metadata Component"
}

GHSA-32CW-QM55-8QJ6

Vulnerability from github – Published: 2025-09-19 15:31 – Updated: 2025-09-22 18:30
VLAI
Details

Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T14:15:45Z",
    "severity": "MODERATE"
  },
  "details": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS).\nThis issue affects BlueSpice: from 5 through 5.1.1.",
  "id": "GHSA-32cw-qm55-8qj6",
  "modified": "2025-09-22T18:30:34Z",
  "published": "2025-09-19T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46703"
    },
    {
      "type": "WEB",
      "url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-33C7-2MPW-HG34

Vulnerability from github – Published: 2020-07-29 18:07 – Updated: 2024-11-18 22:32
VLAI
Summary
Log injection in uvicorn
Details

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "uvicorn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-29T17:37:27Z",
    "nvd_published_at": "2020-07-27T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it\u0027s been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn\u0027s access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that\u0027s displaying the logs (either in real time or from a file).",
  "id": "GHSA-33c7-2mpw-hg34",
  "modified": "2024-11-18T22:32:53Z",
  "published": "2020-07-29T18:07:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/uvicorn/issues/723"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/encode/uvicorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/uvicorn/PYSEC-2020-150.yaml"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-UVICORN-575560"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Log injection in uvicorn"
}

Mitigation MIT-4.3
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Architecture and Design Implementation

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

Mitigation
Architecture and Design

In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.

Mitigation
Architecture and Design

Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).

Mitigation
Requirements

Fully specify which encodings are required by components that will be communicating with each other.

Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.