CWE-838
AllowedInappropriate Encoding for Output Context
Abstraction: Base · Status: Incomplete
The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.
16 vulnerabilities reference this CWE, most recent first.
GHSA-JHCF-J4HG-V64R
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2023-09-26 19:48Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-18981"
],
"database_specific": {
"cwe_ids": [
"CWE-838"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-18T22:06:54Z",
"nvd_published_at": "2019-11-15T05:15:00Z",
"severity": "CRITICAL"
},
"details": "Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.",
"id": "GHSA-jhcf-j4hg-v64r",
"modified": "2023-09-26T19:48:39Z",
"published": "2022-05-24T17:01:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18981"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/commit/0a5d80b2593b2ebe35d19756b730ba33aa049106"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pimcore Access Control Issues"
}
GHSA-M37V-MHQJ-22CM
Vulnerability from github – Published: 2023-08-02 00:30 – Updated: 2025-07-09 15:30Inappropriate implementation in Web API Permission Prompts in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2023-3735"
],
"database_specific": {
"cwe_ids": [
"CWE-838"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-01T23:15:32Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Web API Permission Prompts in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-m37v-mhqj-22cm",
"modified": "2025-07-09T15:30:31Z",
"published": "2023-08-02T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3735"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2023/07/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1394410"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-34"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MV2J-4MM8-9XGV
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2025-12-18 15:30In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
{
"affected": [],
"aliases": [
"CVE-2019-6110"
],
"database_specific": {
"cwe_ids": [
"CWE-838"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-31T18:29:00Z",
"severity": "MODERATE"
},
"details": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.",
"id": "GHSA-mv2j-4mm8-9xgv",
"modified": "2025-12-18T15:30:24Z",
"published": "2022-05-13T01:22:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6110"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
},
{
"type": "WEB",
"url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c"
},
{
"type": "WEB",
"url": "https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201903-16"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190213-0001"
},
{
"type": "WEB",
"url": "https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q8Q6-CCRM-HRM9
Vulnerability from github – Published: 2024-01-10 00:30 – Updated: 2024-01-10 00:30Proofpoint Enterprise Protection contains a vulnerability in the email delivery agent that allows an unauthenticated attacker to inject improperly encoded HTML into the email body of a message through the email subject. The vulnerability is caused by inappropriate encoding when rewriting the email before delivery.This issue affects Proofpoint Enterprise Protection: from 8.20.2 before patch 4809, from 8.20.0 before patch 4805, from 8.18.6 before patch 4804 and all other prior versions.
{
"affected": [],
"aliases": [
"CVE-2023-5770"
],
"database_specific": {
"cwe_ids": [
"CWE-838"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T22:15:43Z",
"severity": "MODERATE"
},
"details": "Proofpoint Enterprise Protection contains a vulnerability in the email delivery agent that allows an unauthenticated attacker to inject improperly encoded HTML into the email body of a message through the email subject. The vulnerability is caused by inappropriate encoding when rewriting the email before delivery.This issue affects Proofpoint Enterprise Protection: from 8.20.2 before patch 4809, from 8.20.0 before patch 4805, from 8.18.6 before patch 4804 and all other prior versions.\n\n",
"id": "GHSA-q8q6-ccrm-hrm9",
"modified": "2024-01-10T00:30:21Z",
"published": "2024-01-10T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5770"
},
{
"type": "WEB",
"url": "https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2023-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVH5-7V3M-J3MJ
Vulnerability from github – Published: 2024-05-31 21:30 – Updated: 2025-05-15 21:03The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34006"
],
"database_specific": {
"cwe_ids": [
"CWE-838"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-04T17:37:34Z",
"nvd_published_at": "2024-05-31T21:15:09Z",
"severity": "MODERATE"
},
"details": "The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.",
"id": "GHSA-vvh5-7v3m-j3mj",
"modified": "2025-05-15T21:03:23Z",
"published": "2024-05-31T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34006"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/cd85e090f3feb06e6eff65d1499a67353d82d3cb"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=458395"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-80585"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle Unsanitized HTML in site log for config_log_created"
}
GHSA-XPC5-66VP-J2WH
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53util.c in runV 1.0.0 for Docker mishandles a numeric username, which allows attackers to obtain root access by leveraging the presence of an initial numeric value on an /etc/passwd line, and then issuing a "docker exec" command with that value in the -u argument, a similar issue to CVE-2016-3697.
{
"affected": [],
"aliases": [
"CVE-2018-9862"
],
"database_specific": {
"cwe_ids": [
"CWE-838"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-09T16:29:00Z",
"severity": "HIGH"
},
"details": "util.c in runV 1.0.0 for Docker mishandles a numeric username, which allows attackers to obtain root access by leveraging the presence of an initial numeric value on an /etc/passwd line, and then issuing a \"docker exec\" command with that value in the -u argument, a similar issue to CVE-2016-3697.",
"id": "GHSA-xpc5-66vp-j2wh",
"modified": "2022-05-13T01:53:57Z",
"published": "2022-05-13T01:53:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9862"
},
{
"type": "WEB",
"url": "https://github.com/hyperhq/hyperstart/pull/348"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103738"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Output Encoding
Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.
Mitigation
Strategy: Output Encoding
Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.
Mitigation MIT-4.3
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- Note that some template mechanisms provide built-in support for the appropriate encoding.
CAPEC-468: Generic Cross-Browser Cross-Domain Theft
An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.