Improper Encoding or Escaping of Output

CVE-2021-23266

Medium

4.3/10

Summary

An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator. This issue affects craftercms versions 3.1.x prior to 3.1.18.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-116 - Improper Encoding or Escaping of Output

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

Advisory
Advisory

Advisory Timeline

Published May 16, 2022

Improper Encoding or Escaping of Output

CVE-2021-23266

Summary

CWE-116 - Improper Encoding or Escaping of Output

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS