CWE-116: Improper Encoding or Escaping of Output

434 CVEs • Abstraction: Class • Likelihood of Exploit: High

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
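The practical point behind this definition is that escaping is only correct relative to the grammar of the message being built: what neutralises a value inside HTML does nothing inside an HTTP header or a shell command line. The following is an added example for this page (not code from CWE or from any vendor listed below) that puts the naive concatenation CWE-116 describes next to the encoder each context needs, with a small parser-based check that shows whether the untrusted value managed to add structure. All inputs are constructed.

```python
"""Context-aware output encoding: naive concatenation (CWE-116) next to the
encoder each output format needs. Added example; all inputs are constructed."""
import html
import shlex
from html.parser import HTMLParser


class _TagCounter(HTMLParser):
    """Records element start tags so we can see whether an input added structure."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def html_tags(fragment: str) -> list:
    """Return the element names a browser-like parser finds in `fragment`."""
    parser = _TagCounter()
    parser.feed(fragment)
    parser.close()
    return parser.tags


# --- HTML body context -------------------------------------------------
def greet_html_naive(name: str) -> str:
    # Vulnerable: the untrusted value is pasted into markup unchanged.
    return "<p>Hello, " + name + "</p>"


def greet_html_safe(name: str) -> str:
    # html.escape encodes & < > " ' so the value can never open a tag or
    # break out of an attribute value.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- HTTP header context -----------------------------------------------
def redirect_naive(location: str) -> str:
    # Vulnerable: CR/LF inside the value terminates the Location line and
    # starts a new header (response splitting / header injection).
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def redirect_safe(location: str) -> str:
    # HTTP/1.1 header values have no escape sequence for CR/LF, so the only
    # correct handling is to reject control characters outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise ValueError("control character in header value")
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def header_names(raw_response: str) -> list:
    """Header names a receiver would see in a raw HTTP/1.1 response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if line]


# --- shell context -----------------------------------------------------
def list_file_naive(path: str) -> str:
    # Vulnerable when handed to a shell: metacharacters in `path` become
    # part of the command line.
    return "ls -l " + path


def list_file_argv(path: str) -> list:
    # Preferred: an argv list, so no shell ever parses the value.
    return ["ls", "-l", path]


def list_file_quoted(path: str) -> str:
    # When a shell string is unavoidable, shlex.quote single-quotes the value
    # and escapes embedded single quotes.
    return "ls -l " + shlex.quote(path)


def shell_tokens(command: str) -> list:
    """Tokenise a command line the way a POSIX shell would."""
    return shlex.split(command)


if __name__ == "__main__":
    xss = "<script>alert(1)</script>"
    print(html_tags(greet_html_naive(xss)), html_tags(greet_html_safe(xss)))
    split = "https://example.test/\r\nSet-Cookie: session=attacker"
    print(header_names(redirect_naive(split)))
    cmd = "a.txt; id"
    print(shell_tokens(list_file_naive(cmd)), shell_tokens(list_file_quoted(cmd)))
```

The three contexts differ in how the failure is caught: HTML has a real escaping function, header values have none (so the check is rejection), and for the shell the right answer is usually to avoid the shell entirely and pass argv.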


CVEs (434)

Each entry gives vendor(s) | product(s), then the published and updated dates with CVSS v4 / v3 / v2 scores, then the description.

IBM | Guardium Data Encryption
Published: May 6, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 5.0 MEDIUM · v2: 4.0 MEDIUM
IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. IBM X-Force ID: 213865.

IBM | Maximo Application Suite, Maximo Asset Management
Published: May 3, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 7.2 HIGH · v2: 4.3 MEDIUM
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680.

Livehelperchat | Live Helper Chat
Published: Apr 7, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 8.8 HIGH · v2: 6.8 MEDIUM
Host header injection in password reset in GitHub repository livehelperchat/livehelperchat prior to 3.97.

GitLab | GitLab
Published: Apr 1, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 7.5 HIGH · v2: 4.3 MEDIUM
Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses.

Freshlightlab | Menu Image, Icons Made Easy
Published: Mar 28, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 5.4 MEDIUM · v2: 3.5 LOW
The Menu Image, Icons made easy WordPress plugin before 3.0.6 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticated user, such as a subscriber, can update the settings of arbitrary menus and put Cross-Site Scripting payloads in them, which will be triggered in the related menu in the frontend.

Beekeeper Studio | Beekeeper Studio
Published: Mar 21, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 9.8 CRITICAL · v2: 7.5 HIGH
A remote code execution (RCE) vulnerability in Beekeeper Studio v3.2.0 allows attackers to execute arbitrary code via a crafted payload injected into the display fields.

Fedora Project, Nicotine Plus | Fedora, Nicotine+
Published: Mar 15, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 7.5 HIGH · v2: 5.0 MEDIUM
Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.

Sedlex | Simple Quotation
Published: Mar 14, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 6.1 MEDIUM · v2: 4.3 MEDIUM
The Simple Quotation WordPress plugin through 1.3.2 does not have a CSRF check when creating or editing a quote and does not sanitise and escape quotes. As a result, an attacker could make a logged-in admin create or edit arbitrary quotes and put Cross-Site Scripting payloads in them.

Yokogawa | Centum Cs 3000 Entry Firmware, Centum Cs 3000 Firmware, Centum Vp Entry Firmware, +2 more
Published: Mar 11, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 8.1 HIGH · v2: 4.9 MEDIUM
CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.

OSU | Ohio Supercomputer Center Open OnDemand
Published: Feb 26, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.0 MEDIUM
The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template.

Debian, Fedora Project, Libexpat Project, +2 more | Debian Linux, Fedora, Http Server, +3 more
Published: Feb 16, 2022 · Updated: May 5, 2025 · CVSS v4: N/A · v3: 9.8 CRITICAL · v2: 7.5 HIGH
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Compass Plus | Tranzware Online, Tranzware Online Financial Institution Maintenance Interface
Published: Feb 14, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 6.1 MEDIUM · v2: 5.8 MEDIUM
A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25. The HTTP Host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would cause the request to be sent to a completely different domain/IP address. This is because the server implicitly trusts the Host header and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page, expanding the potential for further attacks and malicious actions.

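Several entries on this page (Maximo, Live Helper Chat, COINS, the one above) share the same root cause: a URL that ends up in an e-mail or redirect is assembled from the request's Host header, which the sender controls. The fix is not an escaping function but a configuration decision: validate Host against an allowlist early, and build outbound links from a configured canonical host. The following is an added example for this page, not code from Compass Plus or any other vendor listed; ALLOWED_HOSTS, CANONICAL_HOST and the /reset path are constructed values.

```python
"""Password-reset links built from a configured canonical host instead of the
request's Host header. Added example; configuration values are constructed."""
from urllib.parse import urlencode, urlunsplit

# Constructed deployment configuration: the only hostnames this service answers for.
ALLOWED_HOSTS = frozenset({"app.example.test", "www.example.test"})
CANONICAL_HOST = "app.example.test"


def _hostname(host_header: str) -> str:
    """Normalise a Host header value: lowercase, strip an optional :port."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_is_allowed(headers: dict) -> bool:
    """True only when the normalised Host is in the allowlist.

    A framework would answer 400 here before any handler runs, so cache
    poisoning and poisoned reset mails never get a chance to happen."""
    return _hostname(headers.get("Host", "")) in ALLOWED_HOSTS


def reset_link_naive(headers: dict, token: str) -> str:
    # Vulnerable: whoever controls the Host header controls where the link
    # points, so a poisoned reset e-mail delivers the token to an attacker host.
    return "https://" + headers.get("Host", "") + "/reset?token=" + token


def reset_link_safe(token: str) -> str:
    # Derived from configuration only; neither Host nor X-Forwarded-Host from
    # the request reaches the URL. urlencode does the query-string encoding.
    return urlunsplit(("https", CANONICAL_HOST, "/reset", urlencode({"token": token}), ""))


if __name__ == "__main__":
    spoofed = {"Host": "evil.test"}
    print(host_is_allowed(spoofed), reset_link_naive(spoofed, "abc"))
    print(host_is_allowed({"Host": "App.Example.Test:443"}), reset_link_safe("abc"))
```

If the deployment sits behind a proxy that rewrites Host, apply the same allowlist to the proxy-supplied header the application is configured to trust, never to both indiscriminately.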
XWiki | XWiki
Published: Feb 9, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 5.4 MEDIUM · v2: 5.8 MEDIUM
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing them on the filesystem; as a result, it is possible for the HTML export process to contain reference elements containing filesystem syntax like "../", "./", or "/" in general. The referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. This issue can be worked around by limiting or disabling document export.

Synacor | Zimbra Collaboration Suite
Published: Feb 9, 2022 · Updated: Nov 4, 2025 · CVSS v4: N/A · v3: 6.1 MEDIUM · v2: 4.3 MEDIUM
An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.

Welaunch | Wordpress Gdpr&ccpa
Published: Feb 1, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 6.1 MEDIUM · v2: 4.3 MEDIUM
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint, and JavaScript code may be executed in a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce).

Itunesrpc Remastered Project | Itunesrpc Remastered
Published: Feb 1, 2022 · Updated: May 5, 2025 · CVSS v4: N/A · v3: 6.1 MEDIUM · v2: 4.3 MEDIUM
iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitized and code injection is possible. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue.

Western Digital | My Cloud OS
Published: Jan 28, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 9.8 CRITICAL · v2: 10.0 HIGH
A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input.

Coins Global | Coins Construction Cloud
Published: Jan 24, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 6.5 MEDIUM · v2: 4.3 MEDIUM
An issue was discovered in COINS Construction Cloud 11.12. Due to improper validation of user-controlled HTTP headers, attackers can cause it to send password-reset e-mails pointing to arbitrary websites.

Buffercode | Random Banner
Published: Jan 18, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 4.8 MEDIUM · v2: 3.5 LOW
The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

GitLab | GitLab
Published: Jan 18, 2022 · Updated: Nov 21, 2024 · CVSS v4: N/A · v3: 4.3 MEDIUM · v2: 4.0 MEDIUM
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab's Slack integration is incorrectly validating user input and allows crafting malicious URLs that are sent to Slack.