Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

501 vulnerabilities reference this CWE, most recent first.

GHSA-7XH8-F8CX-FXQ8

Vulnerability from github – Published: 2022-05-01 23:36 – Updated: 2022-05-01 23:36
VLAI
Details

Format string vulnerability in the embedded Internet Explorer component for Mirabilis ICQ 6 build 6043 allows remote servers to execute arbitrary code or cause a denial of service (crash) via unspecified vectors related to HTML code generation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-1120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-03T22:44:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the embedded Internet Explorer component for Mirabilis ICQ 6 build 6043 allows remote servers to execute arbitrary code or cause a denial of service (crash) via unspecified vectors related to HTML code generation.",
  "id": "GHSA-7xh8-f8cx-fxq8",
  "modified": "2022-05-01T23:36:50Z",
  "published": "2022-05-01T23:36:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1120"
    },
    {
      "type": "WEB",
      "url": "http://board.raidrush.ws/showthread.php?t=386983"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29138"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28027"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0701"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7XQ3-XC97-HHR3

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

A Format String vulnerablity exists in TRENDnet TEW-755AP 1.11B03, TEW-755AP2KAC 1.11B03, TEW-821DAP2KAC 1.11B03, and TEW-825DAP 1.11B03, which could let a remote malicious user cause a denial of service due to a logic bug at address 0x40dcd0 when calling fprintf with "%s: key len = %d, too long\n" format. The two variables seem to be put in the wrong order. The vulnerability could be triggered by sending the POST request to apply_cgi with a long and unknown key in the request body.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-10T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Format String vulnerablity exists in TRENDnet TEW-755AP 1.11B03, TEW-755AP2KAC 1.11B03, TEW-821DAP2KAC 1.11B03, and TEW-825DAP 1.11B03, which could let a remote malicious user cause a denial of service due to a logic bug at address 0x40dcd0 when calling fprintf with \"%s: key len = %d, too long\\n\" format. The two variables seem to be put in the wrong order. The vulnerability could be triggered by sending the POST request to apply_cgi with a long and unknown key in the request body.",
  "id": "GHSA-7xq3-xc97-hhr3",
  "modified": "2022-05-24T19:10:31Z",
  "published": "2022-05-24T19:10:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28846"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zyw-200/EQUAFL/blob/main/TRENDnet%20ticket.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-83FF-CPF7-GHWF

Vulnerability from github – Published: 2024-02-20 03:30 – Updated: 2025-01-21 21:30
VLAI
Details

A format string vulnerability in a function of the IPSec VPN feature in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, and USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1 could allow an attacker to achieve unauthorized remote code execution by sending a sequence of specially crafted payloads containing an invalid pointer; however, such an attack would require detailed knowledge of an affected device’s memory layout and configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T03:15:07Z",
    "severity": "HIGH"
  },
  "details": "\n\n\n\n\n\n\n\n\n\n\n\nA format string vulnerability in a function of the IPSec VPN feature in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, and USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1 could allow an attacker to achieve unauthorized remote code execution by sending a sequence of specially crafted payloads containing an invalid pointer; however, such an attack would require detailed knowledge of an affected device\u2019s memory layout and configuration.\n\n\n\n",
  "id": "GHSA-83ff-cpf7-ghwf",
  "modified": "2025-01-21T21:30:45Z",
  "published": "2024-02-20T03:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6764"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84W9-H3XH-WGV5

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-27 19:00
VLAI
Details

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via NewInternalClient XML tag, as used within the DoUpdateUPnPbyService action handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via `NewInternalClient` XML tag, as used within the `DoUpdateUPnPbyService` action handler.",
  "id": "GHSA-84w9-h3xh-wgv5",
  "modified": "2022-10-27T19:00:32Z",
  "published": "2022-10-25T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35880"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1583"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-856P-VMG2-WHF5

Vulnerability from github – Published: 2022-05-01 23:39 – Updated: 2022-05-01 23:39
VLAI
Details

Format string vulnerability in Asterisk Open Source 1.6.x before 1.6.0-beta6 might allow remote attackers to execute arbitrary code via logging messages that are not properly handled by (1) the ast_verbose logging API call, or (2) the astman_append function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-1333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-20T00:44:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in Asterisk Open Source 1.6.x before 1.6.0-beta6 might allow remote attackers to execute arbitrary code via logging messages that are not properly handled by (1) the ast_verbose logging API call, or (2) the astman_append function.",
  "id": "GHSA-856p-vmg2-whf5",
  "modified": "2022-05-01T23:39:06Z",
  "published": "2022-05-01T23:39:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1333"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41301"
    },
    {
      "type": "WEB",
      "url": "http://downloads.digium.com/pub/security/AST-2008-004.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29426"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29456"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1019630"
    },
    {
      "type": "WEB",
      "url": "http://www.asterisk.org/node/48466"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1525"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/489823/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28311"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0928"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-86Q3-6WJF-3984

Vulnerability from github – Published: 2022-12-09 18:30 – Updated: 2022-12-14 15:30
VLAI
Details

Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-09T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows",
  "id": "GHSA-86q3-6wjf-3984",
  "modified": "2022-12-14T15:30:17Z",
  "published": "2022-12-09T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3724"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3724.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/18384"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2022-08.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8768-9R9G-5FJ5

Vulnerability from github – Published: 2025-06-06 18:30 – Updated: 2025-06-06 18:30
VLAI
Details

A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to obtain secret data or modify memory.

We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.6 ( 2025/03/20 ) and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T16:15:24Z",
    "severity": "LOW"
  },
  "details": "A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to obtain secret data or modify memory.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 4.5.0.6 ( 2025/03/20 ) and later",
  "id": "GHSA-8768-9r9g-5fj5",
  "modified": "2025-06-06T18:30:31Z",
  "published": "2025-06-06T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22482"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-894M-Q53C-4H82

Vulnerability from github – Published: 2022-05-17 02:30 – Updated: 2022-05-17 02:30
VLAI
Details

An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "Printing" component. A format-string vulnerability allows remote attackers to execute arbitrary code via a crafted ipp: or ipps: URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-02T01:59:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the \"Printing\" component. A format-string vulnerability allows remote attackers to execute arbitrary code via a crafted ipp: or ipps: URL.",
  "id": "GHSA-894m-q53c-4h82",
  "modified": "2022-05-17T02:30:38Z",
  "published": "2022-05-17T02:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2403"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207615"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97140"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8C8G-735R-WQQJ

Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-03-19 00:01
VLAI
Details

This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16193.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-18T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16193.",
  "id": "GHSA-8c8g-735r-wqqj",
  "modified": "2022-03-19T00:01:44Z",
  "published": "2022-02-19T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24051"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKJRBYJAQCOPHSED43A3HUPNKQLDTFGD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZFZVMJL5UDTOZMARLXQIMG3BTG6UNYW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ4KDAGF3H4D4BDTHRAM6ZEAJJWWMRUO"
    },
    {
      "type": "WEB",
      "url": "https://mariadb.com/kb/en/security"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220318-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-318"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CJX-H52F-69JQ

Vulnerability from github – Published: 2022-05-01 18:34 – Updated: 2022-05-01 18:34
VLAI
Details

Format string vulnerability in TIBCO SmartPGM FX allows remote attackers to execute arbitrary code via format string specifiers in unspecified vectors. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-18T20:17:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in TIBCO SmartPGM FX allows remote attackers to execute arbitrary code via format string specifiers in unspecified vectors.  NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.",
  "id": "GHSA-8cjx-h52f-69jq",
  "modified": "2022-05-01T18:34:29Z",
  "published": "2022-05-01T18:34:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5545"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/45276"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3249"
    },
    {
      "type": "WEB",
      "url": "http://www.irmplc.com/index.php/111-Vendor-Alerts"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/482353/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/26092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.