CWE-134

High likelihood

Use of Externally-Controlled Format String

Parent: CWE-668 - Exposure of Resource to Wrong Sphere

The product uses a function that accepts a format string as an argument, but the format string originates from an external source. Because directives such as %x, %s and %n consume arguments the call never supplied, or write through pointers it never passed, an attacker who controls the format string can read stack contents, crash the process, or write to memory; most of the entries below are logging or error paths that passed untrusted text as the format rather than as a %s argument.
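The pattern behind these entries, as an added example that is not part of this catalog entry or of any of the listed projects: an untrusted string used as the format argument beside the one-line fix, plus a small scanner (a hypothetical helper, not a libc API) that reports how many arguments a format would pull and whether it contains %n. The input strings are constructed for the demonstration. Note that the vulnerable path is exercised only with a %% sequence, which is enough to show that the text is being interpreted; feeding it %x or %n is undefined behaviour and is exactly what the CVEs below exploit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning an untrusted string for printf-style directives. */
struct fmt_scan {
    int args_consumed;   /* arguments a printf() call would pull via va_arg */
    bool writes_memory;  /* a %n directive is present */
};

/* Scans s the way a printf implementation would (flags, width, precision,
 * length modifier, conversion) and reports how many arguments it would
 * consume and whether it contains %n. Hypothetical policy helper for
 * rejecting untrusted formats; not a libc function. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                                   /* literal percent */
            continue;
        while (*p && strchr("-+ #0", *p)) p++;           /* flags */
        if (*p == '*') { r.args_consumed++; p++; }       /* width from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                 /* precision */
            p++;
            if (*p == '*') { r.args_consumed++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;         /* length modifiers */
        if (!*p)                                         /* truncated directive */
            break;
        if (*p == 'n')
            r.writes_memory = true;
        r.args_consumed++;                               /* the conversion itself */
    }
    return r;
}

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* VULNERABLE (CWE-134): the untrusted string IS the format. Compilers flag
 * this with -Wformat-security; the pragma only silences it for the demo. */
int render_vulnerable(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}
#pragma GCC diagnostic pop

/* FIXED: constant format, untrusted text is only ever a %s argument. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Renders untrusted through the chosen path and returns 1 if the output
 * equals expected, 0 otherwise. */
int renders_as(int vulnerable, const char *untrusted, const char *expected)
{
    char buf[128];
    if (vulnerable)
        render_vulnerable(buf, sizeof buf, untrusted);
    else
        render_safe(buf, sizeof buf, untrusted);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *user = "100%% sure";               /* constructed input */
    char buf[128];
    render_vulnerable(buf, sizeof buf, user);      /* "%%" was interpreted */
    printf("vulnerable: %s\n", buf);
    render_safe(buf, sizeof buf, user);            /* text stayed data */
    printf("safe:       %s\n", buf);

    struct fmt_scan s = scan_format("%08x.%08x.%n"); /* classic probe string */
    printf("probe consumes %d args, writes memory: %s\n",
           s.args_consumed, s.writes_memory ? "yes" : "no");
    return 0;
}
```

The scanner is a gate, not a substitute for the fix: reject any untrusted string whose scan returns a non-zero args_consumed or writes_memory before it reaches a *printf/syslog call, and in the code itself never let a non-literal reach the format parameter.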

389 vulnerabilities with CWE-134 (the 25 listed below are a partial listing)
CVE-2007-0753
Mac OS X 10.3.9 and 10.4.9 - Local Code Execution via VPN Daemon (vpnd) Format String
CVE-2007-2655
SurgeMail Webmail 3.1s-1 - Remote Code Execution via Format String Vulnerability
CVE-2007-2027
Elinks 0.11.1 - Format String Injection via Untrusted Gettext Message Catalog
CVE-2007-1251
Netrek Vanilla Server 2.12.0 - Remote Code Execution via Format String in Warning Message
CVE-2007-1006
Ekiga < 2.0.4 - Denial of Service and Remote Code Execution via Q.931 SETUP Packet
CVE-2007-0454
Samba 3.0.6-3.0.23d - Remote Code Execution via AFS VFS Module Format String
CVE-2007-0646
iMovie HD 6.0.3 and Safari in Mac OS X 10.4-10.4.10 - Denial of Service via Format String in Filename
CVE-2007-0344
Colloquy < 2.1 - Remote Code Execution via Format String in INVITE Channel Name
CVE-2007-0051
Apple iPhoto < 6.0.6 - Remote Code Execution via Crafted Photocast RSS Feed Title
CVE-2007-0017
VLC Media Player 0.7.0-0.8.6 - Remote Code Execution via Format String in CDDA/VCDX URI Handler
CVE-2006-6772
w3m - Remote Code Execution via Format String in SSL Certificate Common Name
CVE-2006-6751
XM Easy Personal FTP Server < 5.2.1 - Denial of Service via Format String Vulnerability
CVE-2006-3469
MySQL Server 4.1 < 4.1.21 and 5.0 builds before 1 April 2006 - Authenticated Denial of Service via date_format Function
CVE-2006-3628
Ethereal - Format String Vulnerability
CVE-2006-3573
Milan Mimica Sparklet < 0.9.4 - Remote Code Execution via Format String in Player Nickname
CVE-2006-1471
Apple Mac OS X 10.4-10.4.6 - Local Code Execution via CF_syslog Format String
CVE-2006-2453
Dia - Format String Vulnerability
CVE-2006-2480
Dia 0.94 - Format String Vulnerability via Crafted .bmp Filename
CVE-2006-2409
Raydium - Remote Code Execution via Format String in raydium_log
CVE-2006-1840
Empire Server < 4.3.1 - Denial of Service via Format String Vulnerability in Load, Spy, and Bomb Functions
CVE-2006-1615
ClamAV < 0.88.1 - Remote Code Execution via Format String Vulnerability in Logging Code
CVE-2006-0743
Apache log4net 1.2.9 - Denial of Service via Format String in LocalSyslogAppender
CVE-2006-0771
PunkBuster < 1.180 - Remote Code Execution via Format String Specifiers in Invalid Cvar Values
CVE-2006-0705
Reflection for Secure IT Server - Authenticated Remote Code Execution via Format String Vulnerability
CVE-2006-0200
PHP 5.1.0-5.1.1 - Remote Code Execution via MySQL Error Message Format String Specifiers