Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CVEs (434)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-25646 1Ansible Collections Project 1Community.crypto Nov 21, 2024 Oct 29, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality
CVE-2020-27604 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret,...Show more BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.Show less
CVE-2020-9862 1Apple 7Icloud IpadosIphone Os+4 more Nov 21, 2024 Oct 16, 2020 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 A command injection issue existed in Web Inspector. This issue was addressed with improved escaping. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows,...Show more A command injection issue existed in Web Inspector. This issue was addressed with improved escaping. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Copying a URL from Web Inspector may lead to command injection.Show less
CVE-2019-4326 1Hcltech 1Appscan Nov 21, 2024 Oct 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 "HCL AppScan Enterprise security rules update administration section of the web application console is missing HTTP Strict-Transport-Security Header."
CVE-2020-24592 1Mitel 1Micloud Management Portal Nov 21, 2024 Sep 25, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVE-2020-6313 1Sap 1Netweaver Application Server Java Nov 21, 2024 Sep 9, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that...Show more SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting.Show less
CVE-2020-24972 3Fedoraproject Kleopatra ProjectOpensuse 4Backports Sle FedoraKleopatra+1 more Nov 21, 2024 Aug 29, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platfo...Show more The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.Show less
CVE-2020-16281 1Rangee 1Rangeeos Nov 21, 2024 Aug 20, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 The Kommbox component in Rangee GmbH RangeeOS 8.0.4 could allow a local authenticated attacker to escape from the restricted environment and execute arbitrary code due to unrestricted context menus being accessible.
CVE-2020-7694 1Encode 1Uvicorn Nov 21, 2024 Jul 27, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log...Show more This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).Show less
CVE-2020-6261 1Sap 1Solution Manager Nov 21, 2024 Jul 1, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
CVE-2017-18892 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
CVE-2020-5304 1Whitesourcesoftware 1Whitesource Nov 21, 2024 Jun 8, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The dashboard in WhiteSource Application Vulnerability Management (AVM) before version 20.4.1 allows Log Injection via a %0A%0D substring in the idp parameter to the /saml/login URI. This closes the current log and creat...Show more The dashboard in WhiteSource Application Vulnerability Management (AVM) before version 20.4.1 allows Log Injection via a %0A%0D substring in the idp parameter to the /saml/login URI. This closes the current log and creates a new log with one line of data. The attacker can also insert malicious data and false entries.Show less
CVE-2020-13625 4Canonical DebianFedoraproject+1 more 4Debian Linux FedoraPhpmailer+1 more Nov 21, 2024 Jun 8, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay process...Show more PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.Show less
CVE-2020-6227 1Sap 1Businessobjects Business Intelligence Platform Nov 21, 2024 Apr 14, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge add...Show more SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files.Show less
CVE-2020-4282 1Ibm 1Security Information Queue Nov 21, 2024 Apr 8, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205.
CVE-2018-20586 1Bitcoin 1Bitcoin Core Nov 21, 2024 Mar 12, 2020 N/A· v4 5.3 MEDIUM· v3 4.3 MEDIUM· v2 bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary data into the debug log via an RPC call.
CVE-2020-10235 1Froxlor 1Froxlor Nov 21, 2024 Mar 9, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, be...Show more An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.Show less
CVE-2013-2011 1Automattic 1W3 Super Cache Nov 21, 2024 Dec 26, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009.
CVE-2019-19714 1Contao 1Contao Nov 21, 2024 Dec 17, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.
CVE-2019-11325 1Sensiolabs 1Symfony Nov 21, 2024 Nov 21, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is r...Show more An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.Show less

Previous 1...18 192021 22 Next