Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

501 vulnerabilities reference this CWE, most recent first.

GHSA-FCMJ-QRC7-5X9G

Vulnerability from github – Published: 2022-05-01 01:58 – Updated: 2022-05-01 01:58
VLAI
Details

Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-1394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-05-03T04:00:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.",
  "id": "GHSA-fcmj-qrc7-5x9g",
  "modified": "2022-05-01T01:58:10Z",
  "published": "2022-05-01T01:58:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1394"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=full-disclosure\u0026m=111489411524630\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/15196"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1013852"
    },
    {
      "type": "WEB",
      "url": "http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch\u0026PID=14\u0026MetaID=1015"
    },
    {
      "type": "WEB",
      "url": "http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FFW7-89PG-VJX2

Vulnerability from github – Published: 2022-05-01 18:16 – Updated: 2022-05-01 18:16
VLAI
Details

Multiple format string vulnerabilities in the kavwebscan.CKAVWebScan ActiveX control (kavwebscan.dll) in Kaspersky Online Scanner before 5.0.98 allow remote attackers to execute arbitrary code via format string specifiers in "various string formatting functions," which trigger heap-based buffer overflows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-3675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-12T20:17:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple format string vulnerabilities in the kavwebscan.CKAVWebScan ActiveX control (kavwebscan.dll) in Kaspersky Online Scanner before 5.0.98 allow remote attackers to execute arbitrary code via format string specifiers in \"various string formatting functions,\" which trigger heap-based buffer overflows.",
  "id": "GHSA-ffw7-89pg-vjx2",
  "modified": "2022-05-01T18:16:04Z",
  "published": "2022-05-01T18:16:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3675"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37057"
    },
    {
      "type": "WEB",
      "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=606"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27187"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1018800"
    },
    {
      "type": "WEB",
      "url": "http://www.kaspersky.com/news?id=207575572"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/26004"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3455"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FGC4-C2M2-834G

Vulnerability from github – Published: 2022-05-01 18:32 – Updated: 2025-04-09 03:48
VLAI
Details

Format string vulnerability in the ext_yahoo_contact_added function in yahoo.c in Miranda IM 0.7.1 allows remote attackers to execute arbitrary code via a Y7 Buddy Authorization packet with format string specifiers in the contact Yahoo! handle (who).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-11-10T00:46:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in the ext_yahoo_contact_added function in yahoo.c in Miranda IM 0.7.1 allows remote attackers to execute arbitrary code via a Y7 Buddy Authorization packet with format string specifiers in the contact Yahoo!  handle (who).",
  "id": "GHSA-fgc4-c2m2-834g",
  "modified": "2025-04-09T03:48:14Z",
  "published": "2022-05-01T18:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5396"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38362"
    },
    {
      "type": "WEB",
      "url": "http://miranda.svn.sourceforge.net/viewvc/miranda/trunk/miranda/protocols/Yahoo/yahoo.c?r1=6601\u0026r2=6699\u0026diff_format=l"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27402"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/secunia_research/2007-89/advisory"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/26389"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3823"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FGGW-7J3V-3JCW

Vulnerability from github – Published: 2023-05-01 18:30 – Updated: 2024-04-04 03:45
VLAI
Details

A format string vulnerability in a binary of the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker to cause denial-of-service (DoS) conditions on an affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-01T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A format string vulnerability in a binary of the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker to cause denial-of-service (DoS) conditions on an affected device.",
  "id": "GHSA-fggw-7j3v-3jcw",
  "modified": "2024-04-04T03:45:02Z",
  "published": "2023-05-01T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22923"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nbg-418n-v2-home-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMRC-W6M3-5HV4

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: dbg-tlv: ensure NUL termination

The iwl_fw_ini_debug_info_tlv is used as a string, so we must ensure the string is terminated correctly before using it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T15:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\n\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.",
  "id": "GHSA-fmrc-w6m3-5hv4",
  "modified": "2026-05-12T12:31:47Z",
  "published": "2024-05-17T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35845"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71d4186d470e9cda7cd1a0921b4afda737c6f641"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/783d413f332a3ebec916664b366c28f58147f82c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96aa40761673da045a7774f874487cdb50c6a2f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fabe2db7de32a881e437ee69db32e0de785a6209"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fec14d1cdd92f340b9ba2bd220abf96f9609f2a9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRFF-9F6H-44CX

Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-11 21:30
VLAI
Details

A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory.

We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T13:15:51Z",
    "severity": "LOW"
  },
  "details": "A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 5.0.0.4 ( 2026/01/20 ) and later",
  "id": "GHSA-frff-9f6h-44cx",
  "modified": "2026-02-11T21:30:38Z",
  "published": "2026-02-11T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30269"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-26-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FW9W-G53W-5V3P

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

An Externally Controlled Format String issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. String format specifiers based on user provided input are not properly validated, which could allow an attacker to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-30T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "An Externally Controlled Format String issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. String format specifiers based on user provided input are not properly validated, which could allow an attacker to execute arbitrary code.",
  "id": "GHSA-fw9w-g53w-5v3p",
  "modified": "2022-05-13T01:37:46Z",
  "published": "2022-05-13T01:37:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12702"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100526"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FW9W-XF98-WVQV

Vulnerability from github – Published: 2022-05-17 04:13 – Updated: 2022-05-17 04:13
VLAI
Details

Format string vulnerability in the rrdtool module 1.4.7 for Python, as used in Zenoss, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-2131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-01-04T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in the rrdtool module 1.4.7 for Python, as used in Zenoss, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function.",
  "id": "GHSA-fw9w-xf98-wvqv",
  "modified": "2022-05-17T04:13:17Z",
  "published": "2022-05-17T04:13:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2131"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oetiker/rrdtool-1.x/issues/396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oetiker/rrdtool-1.x/pull/397"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=969296"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/04/18/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/05/19/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/05/31/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G3G6-P8C6-RV22

Vulnerability from github – Published: 2022-05-17 05:35 – Updated: 2022-05-17 05:35
VLAI
Details

Format string vulnerability in the debug-logging feature in Application Firewall in Apple Mac OS X before 10.7.2 allows local users to gain privileges via a crafted name of an executable file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-0185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-10-14T10:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in the debug-logging feature in Application Firewall in Apple Mac OS X before 10.7.2 allows local users to gain privileges via a crafted name of an executable file.",
  "id": "GHSA-g3g6-p8c6-rv22",
  "modified": "2022-05-17T05:35:54Z",
  "published": "2022-05-17T05:35:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0185"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT5002"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/50085"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/50092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G639-FWP5-V85H

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-28 12:00
VLAI
Details

Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Specially-crafted configuration values can lead to memory corruption, information disclosure and denial of service. An attacker can modify a configuration value and then execute an XCMD to trigger these vulnerabilities.This vulnerability arises from format string injection via the ssid and ssid_hex configuration parameters, as used within the testWifiAP XCMD handler

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Specially-crafted configuration values can lead to memory corruption, information disclosure and denial of service. An attacker can modify a configuration value and then execute an XCMD to trigger these vulnerabilities.This vulnerability arises from format string injection via the `ssid` and `ssid_hex` configuration parameters, as used within the `testWifiAP` XCMD handler",
  "id": "GHSA-g639-fwp5-v85h",
  "modified": "2022-10-28T12:00:34Z",
  "published": "2022-10-25T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35874"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.