Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CVEs (433)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-4041 1Redhat 1Ansible Runner Nov 21, 2024 Aug 24, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could un...Show more A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.Show less
CVE-2020-36599 1Omniauth 1Omniauth Nov 21, 2024 Aug 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
CVE-2022-35153 1Fusionpbx 1Fusionpbx Nov 21, 2024 Aug 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php.
CVE-2022-2619 2Fedoraproject Google 2Chrome Fedora Nov 21, 2024 Aug 12, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Insufficient validation of untrusted input in Settings in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page vi...Show more Insufficient validation of untrusted input in Settings in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted HTML page.Show less
CVE-2022-2241 1Fifu 1Featured Image From Url Nov 21, 2024 Aug 1, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furtherm...Show more The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issuesShow less
CVE-2022-36446 1Webmin 1Webmin Nov 21, 2024 Jul 25, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
CVE-2022-2099 1Woocommerce 1Woocommerce Nov 21, 2024 Jul 17, 2022 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles
CVE-2022-20230 1Google 1Android Nov 21, 2024 Jul 13, 2022 N/A· v4 5.5 MEDIUM· v3 1.9 LOW· v2 In choosePrivateKeyAlias of KeyChain.java, there is a possible access to the user's certificate due to improper input validation. This could lead to local information disclosure with no additional execution privileges ne...Show more In choosePrivateKeyAlias of KeyChain.java, there is a possible access to the user's certificate due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-221859869Show less
CVE-2022-34820 1Siemens 15Simatic Cp 1242 7 V2 Firmware Simatic Cp 1243 1 FirmwareSimatic Cp 1243 7 Lte Eu Firmware+12 more Nov 21, 2024 Jul 12, 2022 N/A· v4 9.8 CRITICAL· v3 9.3 HIGH· v2 A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions < V3.3.46), SIMATIC CP 1243-1 (All versions < V3.3.46), SIMATIC CP 1243-7 LTE EU (All versions < V3.3.46), SIMATIC CP 1243-7 LTE US (All versions...Show more A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions < V3.3.46), SIMATIC CP 1243-1 (All versions < V3.3.46), SIMATIC CP 1243-7 LTE EU (All versions < V3.3.46), SIMATIC CP 1243-7 LTE US (All versions < V3.3.46), SIMATIC CP 1243-8 IRC (All versions < V3.3.46), SIMATIC CP 1542SP-1 IRC (All versions >= V2.0 < V2.2.28), SIMATIC CP 1543-1 (All versions < V3.0.22), SIMATIC CP 1543SP-1 (All versions >= V2.0 < V2.2.28), SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (All versions >= V2.0 < V2.2.28), SIPLUS ET 200SP CP 1543SP-1 ISEC (All versions >= V2.0 < V2.2.28), SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (All versions >= V2.0 < V2.2.28), SIPLUS NET CP 1242-7 V2 (All versions < V3.3.46), SIPLUS NET CP 1543-1 (All versions < V3.0.22), SIPLUS S7-1200 CP 1243-1 (All versions < V3.3.46), SIPLUS S7-1200 CP 1243-1 RAIL (All versions < V3.3.46). The application does not correctly escape some user provided fields during the authentication process. This could allow an attacker to inject custom commands and execute arbitrary code with elevated privileges.Show less
CVE-2022-32549 1Apache 2Sling Api Sling Commons Log Nov 21, 2024 Jun 22, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.
CVE-2022-23079 1Getmotoradmin 1Motor Admin Nov 21, 2024 Jun 22, 2022 N/A· v4 N/A· v3 6.8 MEDIUM· v2 In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim.
CVE-2022-29258 1Xwiki 1Xwiki Nov 21, 2024 May 31, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to vers...Show more XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3, XWiki Platform Filter UI contains a possible cross-site scripting vector in the `Filter.FilterStreamDescriptorForm` wiki page related to pretty much all the form fields printed in the home page of the application. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest workaround is to edit the wiki page `Filter.FilterStreamDescriptorForm` (with wiki editor) according to the instructions in the GitHub Security Advisory.Show less
CVE-2022-29252 1Xwiki 1Xwiki Nov 21, 2024 May 25, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki `...Show more XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki ` wiki page related to the "requestJoin" field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `WikiManager.JoinWiki` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.Show less
CVE-2022-29251 1Xwiki 1Xwiki Nov 21, 2024 May 25, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoTh...Show more XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.Show less
CVE-2022-29599 2Apache Debian 2Debian Linux Maven Shared Utils Nov 21, 2024 May 23, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
CVE-2022-28960 1Spip 1Spip Nov 21, 2024 May 19, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.
CVE-2022-30966 1Jenkins 1Random String Parameter Nov 21, 2024 May 17, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability e...Show more Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.Show less
CVE-2021-23266 1Craftercms 1Crafter Cms Nov 21, 2024 May 16, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.
CVE-2022-30781 1Gitea 1Gitea Nov 21, 2024 May 16, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Gitea before 1.16.7 does not escape git fetch remote.
CVE-2021-39027 1Ibm 1Guardium Data Encryption Nov 21, 2024 May 6, 2022 N/A· v4 5.0 MEDIUM· v3 4.0 MEDIUM· v2 IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the inte...Show more IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. IBM X-Force ID: 213865.Show less

Previous 1...151617...22 Next