Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

499 vulnerabilities reference this CWE, most recent first.

CVE-2017-3859 (GCVE-0-2017-3859)

Vulnerability from cvelistv5 – Published: 2017-03-22 19:00 – Updated: 2024-08-05 14:39
VLAI
Summary
A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385.
Severity
No CVSS data available.
CWE
Assigner
References
URL Tags
http://www.securitytracker.com/id/1038104 vdb-entryx_refsource_SECTRACK
http://www.securityfocus.com/bid/97008 vdb-entryx_refsource_BID
https://tools.cisco.com/security/center/content/C… x_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a Cisco IOS XE Software for Cisco ASR 920 Series Routers Affected: Cisco IOS XE Software for Cisco ASR 920 Series Routers
Date Public
2017-03-22 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:39:41.133Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038104",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038104"
          },
          {
            "name": "97008",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97008"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco IOS XE Software for Cisco ASR 920 Series Routers",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco IOS XE Software for Cisco ASR 920 Series Routers"
            }
          ]
        }
      ],
      "datePublic": "2017-03-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "CWE-134",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-11T09:57:01.000Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "1038104",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038104"
        },
        {
          "name": "97008",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97008"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2017-3859",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco IOS XE Software for Cisco ASR 920 Series Routers",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco IOS XE Software for Cisco ASR 920 Series Routers"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-134"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038104",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038104"
            },
            {
              "name": "97008",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97008"
            },
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2017-3859",
    "datePublished": "2017-03-22T19:00:00.000Z",
    "dateReserved": "2016-12-21T00:00:00.000Z",
    "dateUpdated": "2024-08-05T14:39:41.133Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-0898 (GCVE-0-2017-0898)

Vulnerability from cvelistv5 – Published: 2017-09-15 19:00 – Updated: 2024-09-17 01:36
VLAI
Summary
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.
Severity
No CVSS data available.
CWE
  • CWE-134 - Format String Vulnerability (CWE-134)
Assigner
References
URL Tags
https://usn.ubuntu.com/3685-1/ vendor-advisoryx_refsource_UBUNTU
https://hackerone.com/reports/212241 x_refsource_MISC
https://access.redhat.com/errata/RHSA-2018:0585 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0378 vendor-advisoryx_refsource_REDHAT
https://www.debian.org/security/2017/dsa-4031 vendor-advisoryx_refsource_DEBIAN
http://www.securityfocus.com/bid/100862 vdb-entryx_refsource_BID
http://www.securitytracker.com/id/1039363 vdb-entryx_refsource_SECTRACK
https://access.redhat.com/errata/RHSA-2017:3485 vendor-advisoryx_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2018… mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2018:0583 vendor-advisoryx_refsource_REDHAT
https://github.com/mruby/mruby/issues/3722 x_refsource_MISC
https://www.ruby-lang.org/en/news/2017/09/14/spri… x_refsource_MISC
https://security.gentoo.org/glsa/201710-18 vendor-advisoryx_refsource_GENTOO
Impacted products
Vendor Product Version
HackerOne Ruby Affected: Versions before 2.4.2, 2.3.5, and 2.2.8
Create a notification for this product.
Date Public
2017-09-15 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:25:17.095Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3685-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3685-1/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/212241"
          },
          {
            "name": "RHSA-2018:0585",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0585"
          },
          {
            "name": "RHSA-2018:0378",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0378"
          },
          {
            "name": "DSA-4031",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-4031"
          },
          {
            "name": "100862",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100862"
          },
          {
            "name": "1039363",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039363"
          },
          {
            "name": "RHSA-2017:3485",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3485"
          },
          {
            "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
          },
          {
            "name": "RHSA-2018:0583",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0583"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mruby/mruby/issues/3722"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/"
          },
          {
            "name": "GLSA-201710-18",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201710-18"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ruby",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "Versions before 2.4.2, 2.3.5, and 2.2.8"
            }
          ]
        }
      ],
      "datePublic": "2017-09-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "Format String Vulnerability (CWE-134)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-14T09:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "USN-3685-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3685-1/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/212241"
        },
        {
          "name": "RHSA-2018:0585",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0585"
        },
        {
          "name": "RHSA-2018:0378",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0378"
        },
        {
          "name": "DSA-4031",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-4031"
        },
        {
          "name": "100862",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100862"
        },
        {
          "name": "1039363",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039363"
        },
        {
          "name": "RHSA-2017:3485",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3485"
        },
        {
          "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
        },
        {
          "name": "RHSA-2018:0583",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0583"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mruby/mruby/issues/3722"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/"
        },
        {
          "name": "GLSA-201710-18",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201710-18"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2017-09-15T00:00:00",
          "ID": "CVE-2017-0898",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Ruby",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions before 2.4.2, 2.3.5, and 2.2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Format String Vulnerability (CWE-134)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3685-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3685-1/"
            },
            {
              "name": "https://hackerone.com/reports/212241",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/212241"
            },
            {
              "name": "RHSA-2018:0585",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0585"
            },
            {
              "name": "RHSA-2018:0378",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0378"
            },
            {
              "name": "DSA-4031",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-4031"
            },
            {
              "name": "100862",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100862"
            },
            {
              "name": "1039363",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039363"
            },
            {
              "name": "RHSA-2017:3485",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3485"
            },
            {
              "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
            },
            {
              "name": "RHSA-2018:0583",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0583"
            },
            {
              "name": "https://github.com/mruby/mruby/issues/3722",
              "refsource": "MISC",
              "url": "https://github.com/mruby/mruby/issues/3722"
            },
            {
              "name": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/",
              "refsource": "MISC",
              "url": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/"
            },
            {
              "name": "GLSA-201710-18",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201710-18"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-0898",
    "datePublished": "2017-09-15T19:00:00.000Z",
    "dateReserved": "2016-11-30T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:36:46.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-10088 (GCVE-0-2015-10088)

Vulnerability from cvelistv5 – Published: 2023-03-05 05:00 – Updated: 2024-08-06 08:58
VLAI
Title
ayttm proxy.c http_connect format string
Summary
A vulnerability, which was classified as critical, was found in ayttm up to 0.5.0.89. This affects the function http_connect in the library libproxy/proxy.c. The manipulation leads to format string. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 40e04680018614a7d2b68566b261b061a0597046. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222267.
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a ayttm Affected: 0.5.0.0
Affected: 0.5.0.1
Affected: 0.5.0.2
Affected: 0.5.0.3
Affected: 0.5.0.4
Affected: 0.5.0.5
Affected: 0.5.0.6
Affected: 0.5.0.7
Affected: 0.5.0.8
Affected: 0.5.0.9
Affected: 0.5.0.10
Affected: 0.5.0.11
Affected: 0.5.0.12
Affected: 0.5.0.13
Affected: 0.5.0.14
Affected: 0.5.0.15
Affected: 0.5.0.16
Affected: 0.5.0.17
Affected: 0.5.0.18
Affected: 0.5.0.19
Affected: 0.5.0.20
Affected: 0.5.0.21
Affected: 0.5.0.22
Affected: 0.5.0.23
Affected: 0.5.0.24
Affected: 0.5.0.25
Affected: 0.5.0.26
Affected: 0.5.0.27
Affected: 0.5.0.28
Affected: 0.5.0.29
Affected: 0.5.0.30
Affected: 0.5.0.31
Affected: 0.5.0.32
Affected: 0.5.0.33
Affected: 0.5.0.34
Affected: 0.5.0.35
Affected: 0.5.0.36
Affected: 0.5.0.37
Affected: 0.5.0.38
Affected: 0.5.0.39
Affected: 0.5.0.40
Affected: 0.5.0.41
Affected: 0.5.0.42
Affected: 0.5.0.43
Affected: 0.5.0.44
Affected: 0.5.0.45
Affected: 0.5.0.46
Affected: 0.5.0.47
Affected: 0.5.0.48
Affected: 0.5.0.49
Affected: 0.5.0.50
Affected: 0.5.0.51
Affected: 0.5.0.52
Affected: 0.5.0.53
Affected: 0.5.0.54
Affected: 0.5.0.55
Affected: 0.5.0.56
Affected: 0.5.0.57
Affected: 0.5.0.58
Affected: 0.5.0.59
Affected: 0.5.0.60
Affected: 0.5.0.61
Affected: 0.5.0.62
Affected: 0.5.0.63
Affected: 0.5.0.64
Affected: 0.5.0.65
Affected: 0.5.0.66
Affected: 0.5.0.67
Affected: 0.5.0.68
Affected: 0.5.0.69
Affected: 0.5.0.70
Affected: 0.5.0.71
Affected: 0.5.0.72
Affected: 0.5.0.73
Affected: 0.5.0.74
Affected: 0.5.0.75
Affected: 0.5.0.76
Affected: 0.5.0.77
Affected: 0.5.0.78
Affected: 0.5.0.79
Affected: 0.5.0.80
Affected: 0.5.0.81
Affected: 0.5.0.82
Affected: 0.5.0.83
Affected: 0.5.0.84
Affected: 0.5.0.85
Affected: 0.5.0.86
Affected: 0.5.0.87
Affected: 0.5.0.88
Affected: 0.5.0.89
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:58:26.476Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.222267"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.222267"
          },
          {
            "tags": [
              "related",
              "x_transferred"
            ],
            "url": "https://sourceforge.net/p/ayttm/mailman/message/34397158/"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/ayttm/ayttm/commit/40e04680018614a7d2b68566b261b061a0597046"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ayttm",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "0.5.0.0"
            },
            {
              "status": "affected",
              "version": "0.5.0.1"
            },
            {
              "status": "affected",
              "version": "0.5.0.2"
            },
            {
              "status": "affected",
              "version": "0.5.0.3"
            },
            {
              "status": "affected",
              "version": "0.5.0.4"
            },
            {
              "status": "affected",
              "version": "0.5.0.5"
            },
            {
              "status": "affected",
              "version": "0.5.0.6"
            },
            {
              "status": "affected",
              "version": "0.5.0.7"
            },
            {
              "status": "affected",
              "version": "0.5.0.8"
            },
            {
              "status": "affected",
              "version": "0.5.0.9"
            },
            {
              "status": "affected",
              "version": "0.5.0.10"
            },
            {
              "status": "affected",
              "version": "0.5.0.11"
            },
            {
              "status": "affected",
              "version": "0.5.0.12"
            },
            {
              "status": "affected",
              "version": "0.5.0.13"
            },
            {
              "status": "affected",
              "version": "0.5.0.14"
            },
            {
              "status": "affected",
              "version": "0.5.0.15"
            },
            {
              "status": "affected",
              "version": "0.5.0.16"
            },
            {
              "status": "affected",
              "version": "0.5.0.17"
            },
            {
              "status": "affected",
              "version": "0.5.0.18"
            },
            {
              "status": "affected",
              "version": "0.5.0.19"
            },
            {
              "status": "affected",
              "version": "0.5.0.20"
            },
            {
              "status": "affected",
              "version": "0.5.0.21"
            },
            {
              "status": "affected",
              "version": "0.5.0.22"
            },
            {
              "status": "affected",
              "version": "0.5.0.23"
            },
            {
              "status": "affected",
              "version": "0.5.0.24"
            },
            {
              "status": "affected",
              "version": "0.5.0.25"
            },
            {
              "status": "affected",
              "version": "0.5.0.26"
            },
            {
              "status": "affected",
              "version": "0.5.0.27"
            },
            {
              "status": "affected",
              "version": "0.5.0.28"
            },
            {
              "status": "affected",
              "version": "0.5.0.29"
            },
            {
              "status": "affected",
              "version": "0.5.0.30"
            },
            {
              "status": "affected",
              "version": "0.5.0.31"
            },
            {
              "status": "affected",
              "version": "0.5.0.32"
            },
            {
              "status": "affected",
              "version": "0.5.0.33"
            },
            {
              "status": "affected",
              "version": "0.5.0.34"
            },
            {
              "status": "affected",
              "version": "0.5.0.35"
            },
            {
              "status": "affected",
              "version": "0.5.0.36"
            },
            {
              "status": "affected",
              "version": "0.5.0.37"
            },
            {
              "status": "affected",
              "version": "0.5.0.38"
            },
            {
              "status": "affected",
              "version": "0.5.0.39"
            },
            {
              "status": "affected",
              "version": "0.5.0.40"
            },
            {
              "status": "affected",
              "version": "0.5.0.41"
            },
            {
              "status": "affected",
              "version": "0.5.0.42"
            },
            {
              "status": "affected",
              "version": "0.5.0.43"
            },
            {
              "status": "affected",
              "version": "0.5.0.44"
            },
            {
              "status": "affected",
              "version": "0.5.0.45"
            },
            {
              "status": "affected",
              "version": "0.5.0.46"
            },
            {
              "status": "affected",
              "version": "0.5.0.47"
            },
            {
              "status": "affected",
              "version": "0.5.0.48"
            },
            {
              "status": "affected",
              "version": "0.5.0.49"
            },
            {
              "status": "affected",
              "version": "0.5.0.50"
            },
            {
              "status": "affected",
              "version": "0.5.0.51"
            },
            {
              "status": "affected",
              "version": "0.5.0.52"
            },
            {
              "status": "affected",
              "version": "0.5.0.53"
            },
            {
              "status": "affected",
              "version": "0.5.0.54"
            },
            {
              "status": "affected",
              "version": "0.5.0.55"
            },
            {
              "status": "affected",
              "version": "0.5.0.56"
            },
            {
              "status": "affected",
              "version": "0.5.0.57"
            },
            {
              "status": "affected",
              "version": "0.5.0.58"
            },
            {
              "status": "affected",
              "version": "0.5.0.59"
            },
            {
              "status": "affected",
              "version": "0.5.0.60"
            },
            {
              "status": "affected",
              "version": "0.5.0.61"
            },
            {
              "status": "affected",
              "version": "0.5.0.62"
            },
            {
              "status": "affected",
              "version": "0.5.0.63"
            },
            {
              "status": "affected",
              "version": "0.5.0.64"
            },
            {
              "status": "affected",
              "version": "0.5.0.65"
            },
            {
              "status": "affected",
              "version": "0.5.0.66"
            },
            {
              "status": "affected",
              "version": "0.5.0.67"
            },
            {
              "status": "affected",
              "version": "0.5.0.68"
            },
            {
              "status": "affected",
              "version": "0.5.0.69"
            },
            {
              "status": "affected",
              "version": "0.5.0.70"
            },
            {
              "status": "affected",
              "version": "0.5.0.71"
            },
            {
              "status": "affected",
              "version": "0.5.0.72"
            },
            {
              "status": "affected",
              "version": "0.5.0.73"
            },
            {
              "status": "affected",
              "version": "0.5.0.74"
            },
            {
              "status": "affected",
              "version": "0.5.0.75"
            },
            {
              "status": "affected",
              "version": "0.5.0.76"
            },
            {
              "status": "affected",
              "version": "0.5.0.77"
            },
            {
              "status": "affected",
              "version": "0.5.0.78"
            },
            {
              "status": "affected",
              "version": "0.5.0.79"
            },
            {
              "status": "affected",
              "version": "0.5.0.80"
            },
            {
              "status": "affected",
              "version": "0.5.0.81"
            },
            {
              "status": "affected",
              "version": "0.5.0.82"
            },
            {
              "status": "affected",
              "version": "0.5.0.83"
            },
            {
              "status": "affected",
              "version": "0.5.0.84"
            },
            {
              "status": "affected",
              "version": "0.5.0.85"
            },
            {
              "status": "affected",
              "version": "0.5.0.86"
            },
            {
              "status": "affected",
              "version": "0.5.0.87"
            },
            {
              "status": "affected",
              "version": "0.5.0.88"
            },
            {
              "status": "affected",
              "version": "0.5.0.89"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, was found in ayttm up to 0.5.0.89. This affects the function http_connect in the library libproxy/proxy.c. The manipulation leads to format string. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 40e04680018614a7d2b68566b261b061a0597046. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222267."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in ayttm bis 0.5.0.89 gefunden. Es geht dabei um die Funktion http_connect in der Bibliothek libproxy/proxy.c. Dank Manipulation mit unbekannten Daten kann eine format string-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig auszunutzen. Der Patch wird als 40e04680018614a7d2b68566b261b061a0597046 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4.6,
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "CWE-134 Format String",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-20T09:06:11.995Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.222267"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.222267"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://sourceforge.net/p/ayttm/mailman/message/34397158/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ayttm/ayttm/commit/40e04680018614a7d2b68566b261b061a0597046"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-03-03T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-03-03T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-03-03T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-03-31T08:31:13.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ayttm proxy.c http_connect format string"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2015-10088",
    "datePublished": "2023-03-05T05:00:05.655Z",
    "dateReserved": "2023-03-03T08:03:38.826Z",
    "dateUpdated": "2024-08-06T08:58:26.476Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2012-10055 (GCVE-0-2012-10055)

Vulnerability from cvelistv5 – Published: 2025-08-13 20:33 – Updated: 2026-07-15 01:23 Unsupported When Assigned
VLAI
Title
ComSndFTP v1.3.7 Beta USER Format String RCE
Summary
ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-134 - Use of Externally-Controlled Format String
Assigner
Impacted products
Vendor Product Version
ComSndFTP FTP Server Affected: 1.3.7 Beta
Create a notification for this product.
Date Public
2012-06-08 00:00
Credits
ChaoYi Huang
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2012-10055",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-14T13:49:56.063256Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-14T13:49:59.657Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.exploit-db.com/exploits/19024"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.exploit-db.com/exploits/19177"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Format string parsing in FTP login handler"
          ],
          "product": "FTP Server",
          "vendor": "ComSndFTP",
          "versions": [
            {
              "status": "affected",
              "version": "1.3.7 Beta"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:cerberusftp:ftp_server:1.3.7_beta:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ChaoYi Huang"
        }
      ],
      "datePublic": "2012-06-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations."
            }
          ],
          "value": "ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-135",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-135 Format String Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "CWE-134 Use of Externally-Controlled Format String",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T01:23:14.475Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/19024"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/19177"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://web.archive.org/web/20120317214524/http://ftp.comsnd.com/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/comsndftp-user-format-string-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "ComSndFTP v1.3.7 Beta USER Format String RCE",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2012-10055",
    "datePublished": "2025-08-13T20:33:06.598Z",
    "dateReserved": "2025-08-11T18:15:05.776Z",
    "dateUpdated": "2026-07-15T01:23:14.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2011-10029 (GCVE-0-2011-10029)

Vulnerability from cvelistv5 – Published: 2025-08-20 15:40 – Updated: 2026-05-15 11:13 Unsupported When Assigned
VLAI
Title
Solar FTP Server <= 2.1.1 Malformed USER Denial of Service
Summary
Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing format specifiers is sent, the server crashes due to a read access violation in the __output_1() function of sfsservice.exe. This results in a denial of service (DoS) condition.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-134 - Use of Externally-Controlled Format String
Assigner
Impacted products
Vendor Product Version
Flexbyte Software Solar FTP Server Affected: 0 , ≤ 2.1.1 (semver)
Create a notification for this product.
Date Public
2011-02-22 00:00
Credits
x000 C4SS!0 G0M3S
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2011-10029",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-20T18:20:37.213026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-20T18:20:58.477Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "sfsservice.exe",
            "USER command"
          ],
          "product": "Solar FTP Server",
          "vendor": "Flexbyte Software",
          "versions": [
            {
              "lessThanOrEqual": "2.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:flexbyte:solar_ftp_server:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.1.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "x000"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "C4SS!0 G0M3S"
        }
      ],
      "datePublic": "2011-02-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing format specifiers is sent, the server crashes due to a read access violation in the __output_1() function of sfsservice.exe. This results in a denial of service (DoS) condition."
            }
          ],
          "value": "Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing format specifiers is sent, the server crashes due to a read access violation in the __output_1() function of sfsservice.exe. This results in a denial of service (DoS) condition."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        },
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125 Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "CWE-134 Use of Externally-Controlled Format String",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T11:13:48.260Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/windows/ftp/solarftp_user.rb"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/16204"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://web.archive.org/web/20111102141514/https://solarftp.com/"
        },
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://web.archive.org/web/20111009122553/http://solarftp.com/blog/news/solar-ftp-server-2-1-2.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/solar-ftp-server-malformed-user-dos"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Solar FTP Server \u003c= 2.1.1 Malformed USER Denial of Service",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2011-10029",
    "datePublished": "2025-08-20T15:40:31.746Z",
    "dateReserved": "2025-08-19T15:21:42.204Z",
    "dateUpdated": "2026-05-15T11:13:48.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2010-10017 (GCVE-0-2010-10017)

Vulnerability from cvelistv5 – Published: 2025-08-30 13:49 – Updated: 2026-05-15 11:13 Unsupported When Assigned
VLAI
Title
WM Downloader 3.1.2.2 Buffer Overflow via Malformed M3U File
Summary
WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application fails to properly validate input length, allowing an attacker to overwrite structured exception handler (SEH) records and execute arbitrary code. Exploitation occurs locally when a user opens the malicious file, and the payload executes with the privileges of the current user.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-134 - Use of Externally-Controlled Format String
Assigner
Impacted products
Vendor Product Version
WM Downloader WM Downloader Affected: 0 , ≤ 3.1.2.2 (custom)
Create a notification for this product.
Date Public
2010-07-28 00:00
Credits
fdiskyou
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2010-10017",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-02T20:37:41.268966Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-02T20:38:50.034Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "M3U playlist file parser"
          ],
          "product": "WM Downloader",
          "vendor": "WM Downloader",
          "versions": [
            {
              "lessThanOrEqual": "3.1.2.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "fdiskyou"
        }
      ],
      "datePublic": "2010-07-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application fails to properly validate input length, allowing an attacker to overwrite structured exception handler (SEH) records and execute arbitrary code. Exploitation occurs locally when a user opens the malicious file, and the payload executes with the privileges of the current user."
            }
          ],
          "value": "WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application fails to properly validate input length, allowing an attacker to overwrite structured exception handler (SEH) records and execute arbitrary code. Exploitation occurs locally when a user opens the malicious file, and the payload executes with the privileges of the current user."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-134",
              "description": "CWE-134 Use of Externally-Controlled Format String",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T11:13:23.660Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/wm_downloader_m3u.rb"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/14497"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/16642"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.fortiguard.com/encyclopedia/ips/24038/wm-downloader-buffer-overflow"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/wm-downloader-buffer-overflow-via-malformed-m3u-file"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "WM Downloader 3.1.2.2 Buffer Overflow via Malformed M3U File",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2010-10017",
    "datePublished": "2025-08-30T13:49:28.100Z",
    "dateReserved": "2025-08-28T19:04:01.479Z",
    "dateUpdated": "2026-05-15T11:13:23.660Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-22H9-63C7-9WCC

Vulnerability from github – Published: 2022-05-17 05:44 – Updated: 2022-05-17 05:44
VLAI
Details

Format string vulnerability in PackageKit in Apple Mac OS X 10.6.x before 10.6.6 allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to interaction between Software Update and distribution scripts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-4013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-01-10T20:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in PackageKit in Apple Mac OS X 10.6.x before 10.6.6 allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to interaction between Software Update and distribution scripts.",
  "id": "GHSA-22h9-63c7-9wcc",
  "modified": "2022-05-17T05:44:27Z",
  "published": "2022-05-17T05:44:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4013"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2011//Jan/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/70309"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42841"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4498"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1024938"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0050"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-233M-MR87-RR74

Vulnerability from github – Published: 2022-05-01 06:58 – Updated: 2022-05-01 06:58
VLAI
Details

Format string vulnerability in the raydium_log function in console.c in Raydium before SVN revision 310 allows local users to execute arbitrary code via format string specifiers in the format parameter, which are not properly handled in a call to raydium_console_line_add.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-2409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-05-16T10:02:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in the raydium_log function in console.c in Raydium before SVN revision 310 allows local users to execute arbitrary code via format string specifiers in the format parameter, which are not properly handled in a call to raydium_console_line_add.",
  "id": "GHSA-233m-mr87-rr74",
  "modified": "2022-05-01T06:58:59Z",
  "published": "2022-05-01T06:58:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2409"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26514"
    },
    {
      "type": "WEB",
      "url": "http://aluigi.altervista.org/adv/raydiumx-adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://raydium.org/svn.php"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20097"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/900"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/433930/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/17986"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/1808"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-246X-MH97-F8H6

Vulnerability from github – Published: 2022-05-01 18:31 – Updated: 2022-05-01 18:31
VLAI
Details

Multiple format string vulnerabilities in Battlefront Dropteam 1.3.3 and earlier allow remote attackers to execute arbitrary code via format string specifiers in the (1) username, (2) password, and (3) nickname fields in a "0x01" packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-08T21:17:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple format string vulnerabilities in Battlefront Dropteam 1.3.3 and earlier allow remote attackers to execute arbitrary code via format string specifiers in the (1) username, (2) password, and (3) nickname fields in a \"0x01\" packet.",
  "id": "GHSA-246x-mh97-f8h6",
  "modified": "2022-05-01T18:31:49Z",
  "published": "2022-05-01T18:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5262"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36974"
    },
    {
      "type": "WEB",
      "url": "http://aluigi.altervista.org/adv/dropteamz-adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27107"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3202"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/481616/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25943"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-25J9-9WXP-HPP7

Vulnerability from github – Published: 2022-04-29 02:58 – Updated: 2025-04-03 04:01
VLAI
Details

Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-0777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-10-20T04:00:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.",
  "id": "GHSA-25j9-9wxp-hpp7",
  "modified": "2025-04-03T04:01:29Z",
  "published": "2022-04-29T02:58:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0777"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17034"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200408-19.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/10976"
    },
    {
      "type": "WEB",
      "url": "http://www.trustix.net/errata/2004/0043"
    },
    {
      "type": "WEB",
      "url": "http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=131"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.