Common Weakness Enumeration

CWE-150

Allowed

Improper Neutralization of Escape, Meta, or Control Sequences

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

114 vulnerabilities reference this CWE, most recent first.

CVE-2020-6932 (GCVE-0-2020-6932)

Vulnerability from cvelistv5 – Published: 2020-08-12 12:21 – Updated: 2025-08-22 15:16
VLAI
Summary
An information disclosure and remote code execution vulnerability in the slinger web server of the BlackBerry QNX Software Development Platform versions 6.4.0 to 6.6.0 could allow an attacker to potentially read arbitrary files and run arbitrary executables in the context of the web server.
CWE
  • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
References
Impacted products
Vendor Product Version
BlackBerry QNX Software Development Platform (SDP) Affected: 6.4.0 , ≤ 6.6.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:18:01.477Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000061411"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QNX Software Development Platform (SDP)",
          "vendor": "BlackBerry",
          "versions": [
            {
              "lessThanOrEqual": "6.6.0",
              "status": "affected",
              "version": "6.4.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn information disclosure and remote code execution vulnerability in the slinger web server of the BlackBerry QNX Software Development Platform versions 6.4.0 to 6.6.0 could allow an attacker to potentially read arbitrary files and run arbitrary executables in the context of the web server.\u003c/p\u003e"
            }
          ],
          "value": "An information disclosure and remote code execution vulnerability in the slinger web server of the BlackBerry QNX Software Development Platform versions 6.4.0 to 6.6.0 could allow an attacker to potentially read arbitrary files and run arbitrary executables in the context of the web server."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-64",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-22T15:16:18.943Z",
        "orgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c",
        "shortName": "blackberry"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000061411"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@blackberry.com",
          "ID": "CVE-2020-6932",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An information disclosure and remote code execution vulnerability in the slinger web server of the BlackBerry QNX Software Development Platform versions 6.4.0 to 6.6.0 could allow an attacker to potentially read arbitrary files and run arbitrary executables in the context of the web server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://support.blackberry.com/kb/articleDetail?articleNumber=000061411",
              "refsource": "MISC",
              "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000061411"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c",
    "assignerShortName": "blackberry",
    "cveId": "CVE-2020-6932",
    "datePublished": "2020-08-12T12:21:32.000Z",
    "dateReserved": "2020-01-13T00:00:00.000Z",
    "dateUpdated": "2025-08-22T15:16:18.943Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-0899 (GCVE-0-2017-0899)

Vulnerability from cvelistv5 – Published: 2017-08-31 20:00 – Updated: 2024-09-17 02:20
VLAI
Summary
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
Severity
No CVSS data available.
CWE
  • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
Assigner
References
Impacted products
Vendor Product Version
HackerOne RubyGems Affected: Versions before 2.6.13
Create a notification for this product.
Date Public
2017-08-27 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:25:16.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:0585",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0585"
          },
          {
            "name": "DSA-3966",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-3966"
          },
          {
            "name": "RHSA-2018:0378",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0378"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/226335"
          },
          {
            "name": "1039249",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039249"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491"
          },
          {
            "name": "RHSA-2017:3485",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3485"
          },
          {
            "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
          },
          {
            "name": "RHSA-2018:0583",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0583"
          },
          {
            "name": "GLSA-201710-01",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201710-01"
          },
          {
            "name": "100576",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100576"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RubyGems",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "Versions before 2.6.13"
            }
          ]
        }
      ],
      "datePublic": "2017-08-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-14T09:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "RHSA-2018:0585",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0585"
        },
        {
          "name": "DSA-3966",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-3966"
        },
        {
          "name": "RHSA-2018:0378",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0378"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/226335"
        },
        {
          "name": "1039249",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039249"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491"
        },
        {
          "name": "RHSA-2017:3485",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3485"
        },
        {
          "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
        },
        {
          "name": "RHSA-2018:0583",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0583"
        },
        {
          "name": "GLSA-201710-01",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201710-01"
        },
        {
          "name": "100576",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100576"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2017-08-27T00:00:00",
          "ID": "CVE-2017-0899",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RubyGems",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions before 2.6.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:0585",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0585"
            },
            {
              "name": "DSA-3966",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-3966"
            },
            {
              "name": "RHSA-2018:0378",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0378"
            },
            {
              "name": "https://hackerone.com/reports/226335",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/226335"
            },
            {
              "name": "1039249",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039249"
            },
            {
              "name": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1",
              "refsource": "MISC",
              "url": "https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1"
            },
            {
              "name": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491",
              "refsource": "MISC",
              "url": "https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491"
            },
            {
              "name": "RHSA-2017:3485",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3485"
            },
            {
              "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
            },
            {
              "name": "RHSA-2018:0583",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0583"
            },
            {
              "name": "GLSA-201710-01",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201710-01"
            },
            {
              "name": "100576",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100576"
            },
            {
              "name": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html",
              "refsource": "MISC",
              "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-0899",
    "datePublished": "2017-08-31T20:00:00.000Z",
    "dateReserved": "2016-11-30T00:00:00.000Z",
    "dateUpdated": "2024-09-17T02:20:54.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2755-2MM4-RM5C

Vulnerability from github – Published: 2026-04-22 21:32 – Updated: 2026-05-18 18:31
VLAI
Details

http.cookies.Morsel.js_output() returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T20:16:42Z",
    "severity": "LOW"
  },
  "details": "http.cookies.Morsel.js_output() returns an inline \u003cscript\u003e snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003c/script\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
  "id": "GHSA-2755-2mm4-rm5c",
  "modified": "2026-05-18T18:31:23Z",
  "published": "2026-04-22T21:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/issues/90309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/148848"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-27QH-8CXX-2CR5

Vulnerability from github – Published: 2026-03-27 19:54 – Updated: 2026-03-27 19:54
VLAI
Summary
AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters
Details

Summary

This notification is related to the CloudFront signing utilities in the AWS SDK for PHP, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values.

Impact

The CloudFront signing utilities build policy documents that define access restrictions for signed URLs and cookies. If an application passes unsanitized input containing special characters to these utilities, the resulting policy document may not reflect the application's intended access restrictions. While the SDK was functioning safely within the requirements of the shared responsibility model, additional safeguards have been added to support secure customer implementations. Applications that already follow AWS security best practices for input validation are not impacted.

Impacted versions: 3.11.7 - 3.371.3

Patches

On 3/3/2026, an enhancement was made to the AWS SDK for PHP version 3.371.4. The enhancement ensures that special characters in input values are correctly handled. It is recommended to upgrade to the latest version.

Workarounds

No workarounds are needed, but customers should ensure that the application is following security best practices:

  • Implement proper input validation in application code before passing values to CloudFront signing utilities
  • Update to the latest AWS SDK release on a regular basis
  • Follow AWS security best practices for SDK configuration

References

For any questions or comments about this advisory, it is recommended to contact AWS Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Acknowledgement

The Amazon Inspector Security Research team is thanked for identifying this issue and working through the coordinated process.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.371.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "aws/aws-sdk-php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11.7"
            },
            {
              "fixed": "3.371.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-150",
      "CWE-20",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:54:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThis notification is related to the [CloudFront signing utilities](https://github.com/aws/aws-sdk-php/blob/master/src/CloudFront/Signer.php) in the AWS SDK for PHP, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values.\n\n### Impact\n\nThe CloudFront signing utilities build policy documents that define access restrictions for signed URLs and cookies. If an application passes unsanitized input containing special characters to these utilities, the resulting policy document may not reflect the application\u0027s intended access restrictions. While the SDK was functioning safely within the requirements of the shared responsibility model, additional safeguards have been added to support secure customer implementations. Applications that already follow AWS security best practices for input validation are not impacted.\n\n### Impacted versions: 3.11.7 - 3.371.3\n\n### Patches\n\nOn 3/3/2026, an enhancement was made to the AWS SDK for PHP version 3.371.4. The enhancement ensures that special characters in input values are correctly handled. It is recommended to upgrade to the latest version.\n\n### Workarounds\n\nNo workarounds are needed, but customers should ensure that the application is following security best practices:\n\n- Implement proper input validation in application code before passing values to CloudFront signing utilities\n- Update to the latest AWS SDK release on a regular basis\n- Follow AWS security best practices for SDK configuration\n\n### References\n\nFor any questions or comments about this advisory, it is recommended to contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n### Acknowledgement\n\nThe Amazon Inspector Security Research team is thanked for identifying this issue and working through the coordinated process.",
  "id": "GHSA-27qh-8cxx-2cr5",
  "modified": "2026-03-27T19:54:59Z",
  "published": "2026-03-27T19:54:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-sdk-php/security/advisories/GHSA-27qh-8cxx-2cr5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-sdk-php"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-sdk-php/blob/master/src/CloudFront/Signer.php"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-sdk-php/releases/tag/3.371.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters"
}

GHSA-2QFR-Q5V6-M43Q

Vulnerability from github – Published: 2025-07-10 18:31 – Updated: 2025-11-05 00:31
VLAI
Details

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T17:15:46Z",
    "severity": "HIGH"
  },
  "details": "Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.\n\nIn a logging configuration where CustomLog is used with \"%{varname}x\" or \"%{varname}c\" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.",
  "id": "GHSA-2qfr-q5v6-m43q",
  "modified": "2025-11-05T00:31:20Z",
  "published": "2025-07-10T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47252"
    },
    {
      "type": "WEB",
      "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/10/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/10/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3439-VQGJ-2GCF

Vulnerability from github – Published: 2026-03-26 18:31 – Updated: 2026-03-31 23:02
VLAI
Summary
Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences
Details

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.4.0-rc1"
            },
            {
              "fixed": "11.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.3.0-rc1"
            },
            {
              "fixed": "11.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.2.0-rc1"
            },
            {
              "fixed": "11.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0-rc1"
            },
            {
              "fixed": "10.11.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-20260105080200-d27a2195068d"
            },
            {
              "fixed": "8.0.0-20260217110922-b7d4a1f1f59b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-3108"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:02:43Z",
    "nvd_published_at": "2026-03-26T17:16:41Z",
    "severity": "HIGH"
  },
  "details": "Mattermost versions 11.2.x \u003c= 11.2.2, 10.11.x \u003c= 10.11.10, 11.4.x \u003c= 11.4.0, 11.3.x \u003c= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599.",
  "id": "GHSA-3439-vqgj-2gcf",
  "modified": "2026-03-31T23:02:57Z",
  "published": "2026-03-26T18:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3108"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences"
}

GHSA-34R5-6J7W-235F

Vulnerability from github – Published: 2026-04-22 18:50 – Updated: 2026-04-22 18:50
VLAI
Summary
Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode
Details

Description

String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences.

Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects.

The columns output mode is the default when running ig run interactively.

PoC

Attachments

run.sh


#!/bin/bash
set -e

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONTAINER_NAME="poc-escape-inject"

echo "Make sure ig is running in another terminal:"
echo "  sudo ig run trace_open -c ${CONTAINER_NAME}"
echo ""
echo "Press Enter to continue..."
read -r

sudo docker run --rm \
    --name "${CONTAINER_NAME}" \
    -v "${SCRIPT_DIR}/escape_inject.c:/src/escape_inject.c:ro" \
    gcc:latest \
    bash -c "
        gcc -o /tmp/escape_inject /src/escape_inject.c && \
        /tmp/escape_inject
    "

escape_inject.c

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

static void read_file(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0)
        close(fd);
}

static void create_file(const char *path)
{
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (fd >= 0)
        close(fd);
}

int main(void)
{
    printf("[1] normal activity\n");
    create_file("/tmp/app.log");
    printf("[2] malicious read of /etc/shadow\n");
    read_file("/etc/shadow");
    usleep(300000);
    printf("[3] tampering the log\n");
    create_file("/etc\x1b[1A/bashrc\x1b[1B\x1b[13C");
    usleep(300000);
    return 0;
}
  1. Setup a Linux host and build/install ig version 0.48.0
  2. Run the attached run.sh on a terminal
  3. Run sudo ig run trace_open -c poc-escape-inject on another terminal
  4. Press "Enter" on the terminal attached to run.sh
  5. Observe the events traced by ig
  6. Notice that, at some point, the line where /etc/shadow is logged is overwritten /etc/bashrc, demonstrating the log injection

Impact

The impact depends on the injection point – mostly due to length limitations – and on the terminal used by the operator when running displaying columns output.

At the very least, the injection can be used for Log Injection, by inserting new lines or deleting existing ones.

However, by leveraging Operating System Command (OSC) ANSI escape sequences, the impact on modern terminal can vary, possibly allowing an attacker to:

  • lead to DoS (Denial of Service)
  • write to the system clipboard
  • create hyperlinks to attacker-controlled servers
  • change window title
  • potentially execute code (see referenced resources)

Resources

  • https://www.youtube.com/watch?v=spb8Gk9Z09Y

Notes

The json output mode was already sanitizing the content.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/inspektor-gadget/inspektor-gadget"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.49.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T18:50:32Z",
    "nvd_published_at": "2026-02-12T21:16:02Z",
    "severity": "MODERATE"
  },
  "details": "### Description\nString fields from eBPF events in `columns` output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. \n\nTherefore, a maliciously forged \u2013\u00a0partially or completely \u2013 event payload, coming from an observed container, might inject the escape sequences into the terminal of `ig` operators, with various effects.\n\nThe `columns` output mode is the default when running `ig run` interactively.\n\n### PoC\n\n#### Attachments\nrun.sh\n```bash\n\n#!/bin/bash\nset -e\n\nSCRIPT_DIR=\"$(cd \"$(dirname \"$0\")\" \u0026\u0026 pwd)\"\nCONTAINER_NAME=\"poc-escape-inject\"\n\necho \"Make sure ig is running in another terminal:\"\necho \"  sudo ig run trace_open -c ${CONTAINER_NAME}\"\necho \"\"\necho \"Press Enter to continue...\"\nread -r\n\nsudo docker run --rm \\\n    --name \"${CONTAINER_NAME}\" \\\n    -v \"${SCRIPT_DIR}/escape_inject.c:/src/escape_inject.c:ro\" \\\n    gcc:latest \\\n    bash -c \"\n        gcc -o /tmp/escape_inject /src/escape_inject.c \u0026\u0026 \\\n        /tmp/escape_inject\n    \"\n```\n\nescape_inject.c\n```c\n#include \u003cfcntl.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cunistd.h\u003e\n\nstatic void read_file(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd \u003e= 0)\n\t\tclose(fd);\n}\n\nstatic void create_file(const char *path)\n{\n\tint fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);\n\tif (fd \u003e= 0)\n\t\tclose(fd);\n}\n\nint main(void)\n{\n\tprintf(\"[1] normal activity\\n\");\n\tcreate_file(\"/tmp/app.log\");\n\tprintf(\"[2] malicious read of /etc/shadow\\n\");\n\tread_file(\"/etc/shadow\");\n\tusleep(300000);\n\tprintf(\"[3] tampering the log\\n\");\n\tcreate_file(\"/etc\\x1b[1A/bashrc\\x1b[1B\\x1b[13C\");\n\tusleep(300000);\n\treturn 0;\n}\n```\n\n1. Setup a Linux host and build/install `ig` version `0.48.0`\n2. Run the attached `run.sh` on a terminal\n3. Run `sudo ig run trace_open -c poc-escape-inject` on another terminal\n4. Press \"Enter\" on the terminal attached to `run.sh`\n5. Observe the events traced by `ig`\n6. Notice that, at some point, the line where `/etc/shadow` is logged is overwritten `/etc/bashrc`, demonstrating the log injection\n\n\n### Impact\n\nThe impact depends on the injection point \u2013 mostly due to length limitations \u2013 and on the terminal used by the operator when running displaying `columns` output.\n\nAt the very least, the injection can be used for [Log Injection](https://owasp.org/www-community/attacks/Log_Injection), by inserting new lines or deleting existing ones.\n\nHowever, by leveraging Operating System Command (OSC) ANSI escape sequences, the impact on modern terminal can vary, possibly allowing an attacker to:\n\n- lead to DoS (Denial of Service)\n- write to the system clipboard\n- create hyperlinks to attacker-controlled servers\n- change window title\n- potentially execute code (see referenced resources)\n\n### Resources\n- https://www.youtube.com/watch?v=spb8Gk9Z09Y\n\n### Notes\n\nThe `json` output mode was already sanitizing the content.",
  "id": "GHSA-34r5-6j7w-235f",
  "modified": "2026-04-22T18:50:32Z",
  "published": "2026-04-22T18:50:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-34r5-6j7w-235f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inspektor-gadget/inspektor-gadget/commit/d59cf72971f9b7110d9c179dc8ae8b7a11dbd6d2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/inspektor-gadget/inspektor-gadget"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inspektor-gadget/inspektor-gadget/releases/tag/v0.49.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode"
}

GHSA-4362-X25F-C5CH

Vulnerability from github – Published: 2026-02-05 21:32 – Updated: 2026-02-05 21:32
VLAI
Details

Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T19:15:52Z",
    "severity": "HIGH"
  },
  "details": "Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance.",
  "id": "GHSA-4362-x25f-c5ch",
  "modified": "2026-02-05T21:32:41Z",
  "published": "2026-02-05T21:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15311"
    },
    {
      "type": "WEB",
      "url": "https://security.tanium.com/TAN-2025-002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4F3F-7MF9-QRHC

Vulnerability from github – Published: 2022-04-29 01:25 – Updated: 2024-08-22 18:31
VLAI
Details

The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-0063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-03-03T05:00:00Z",
    "severity": "HIGH"
  },
  "details": "The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user\u0027s terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.",
  "id": "GHSA-4f3f-7mf9-qrhc",
  "modified": "2024-08-22T18:31:18Z",
  "published": "2022-04-29T01:25:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0063"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=104612710031920\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2003/dsa-380"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/security_center/static/11414.php"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/06/15/1"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-064.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-065.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-066.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/6940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4F45-VH57-P56G

Vulnerability from github – Published: 2023-08-14 06:30 – Updated: 2024-04-04 06:54
VLAI
Details

An authentication bypass exists on CyberPower PowerPanel Enterprise by failing to sanitize meta-characters from the username, allowing an attacker to login into the application with the default user "cyberpower" by appending a non-printable character.An unauthenticated attacker can leverage this vulnerability to log in to the CypberPower PowerPanel Enterprise as an administrator with hardcoded default credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-14T05:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "An authentication bypass exists on CyberPower PowerPanel Enterprise by failing to sanitize meta-characters from the username, allowing an attacker to login into the application with the default user \"cyberpower\" by appending a non-printable character.An unauthenticated attacker can leverage this vulnerability to log in to the CypberPower PowerPanel Enterprise as an administrator with hardcoded default credentials.",
  "id": "GHSA-4f45-vh57-p56g",
  "modified": "2024-04-04T06:54:38Z",
  "published": "2023-08-14T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3265"
    },
    {
      "type": "WEB",
      "url": "https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation

Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation
Implementation

When using output from an LLM, neutralize or strip escape codes before redirecting output to the terminal or other rendering engine that would process the codes. The neutralization could require that the character be printable and/or allowable whitespace, such as a carriage return or newline. Be deliberate about what to allow.

Mitigation
Build and Compilation

When using an LLM: during tokenizer training, suppress escape codes from the tokenizer's vocabulary. Depending on context, this could be accomplished by removing the codes from input to the tokenizer, or removing the map from the string to its token ID. It is generally unlikely that this removal would adversely affect the quality or correctness of what is generated, e.g. advice requests for terminal settings to change colors.

CAPEC-134: Email Injection

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.