CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,700)

page 1039 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2011-4332	Joomla Joomla!	—	0.00	Nov 23, 2011	Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-5054	Jamwiki Jamwiki	—	0.00	Nov 23, 2011	Cross-site scripting (XSS) vulnerability in Special:Login in JAMWiki before 0.8.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2010-5050	Zohocorp Manageengine Admanager Plus	—	0.00	Nov 23, 2011	Cross-site scripting (XSS) vulnerability in jsp/admin/tools/remote_share.jsp in ManageEngine ADManager Plus 4.4.0 allows remote attackers to inject arbitrary web script or HTML via the computerName parameter. NOTE: the provenance of this information is unknown; the details are…
CVE-2011-4465	IBM Lotus Mobile Connect	—	0.00	Nov 19, 2011	Cross-site scripting (XSS) vulnerability in IBM Lotus Mobile Connect (LMC) 6.1.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to a hidden redirect URL.
CVE-2011-2770	Earl Hood Man2html	—	0.00	Nov 17, 2011	Cross-site scripting (XSS) vulnerability in man2html.cgi.c in man2html 1.6, and possibly other version, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to error messages.
CVE-2011-4156	Microfocus Network Node Manager I	—	0.02	Nov 16, 2011	Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.0x and 9.1x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4155.
CVE-2011-4155	Microfocus Network Node Manager I	—	0.02	Nov 16, 2011	Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.0x and 9.1x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4156.
CVE-2011-2771	Mahara (software) Mahara	—	0.00	Nov 15, 2011	Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) URI attributes and (2) the External Feed component, as demonstrated by the guid element in an RSS feed.
CVE-2011-4436	Dell Kace K2000 Systems Deployment Appliance	—	0.01	Nov 12, 2011	Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface on the Dell KACE K2000 System Deployment Appliance allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3985	Plume Cms Plume CMS	—	0.00	Nov 9, 2011	Cross-site scripting (XSS) vulnerability in Plume before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3999	Ibc.co.jp Iwate Portal Bar	—	0.00	Nov 9, 2011	Cross-site scripting (XSS) vulnerability in the RSS/Atom feed-reader implementation in Iwate Portal Bar allows remote attackers to inject arbitrary web script or HTML via a crafted feed.
CVE-2011-3998	Apple Inc. Webobjects	—	0.00	Nov 9, 2011	Cross-site scripting (XSS) vulnerability in Apple WebObjects 5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3648	Mozilla Corporation Firefox	—	0.00	Nov 9, 2011	Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
CVE-2011-4277	Courseforum Projectforum	—	0.01	Nov 3, 2011	Cross-site scripting (XSS) vulnerability in CourseForum ProjectForum 7.0.1.3038 allows remote attackers to inject arbitrary web script or HTML via a crafted name of an object within a more object on a wiki page.
CVE-2011-3986	Pligg Pligg CMS	—	0.00	Nov 3, 2011	Cross-site scripting (XSS) vulnerability in Pligg before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-4274	Ark Web A Form Pc	—	0.00	Nov 3, 2011	Cross-site scripting (XSS) vulnerability in the A-Form PC and PC/Mobile before 3.1 plug-ins for Movable Type allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-2676.
CVE-2010-5031	Filenice Filenice	—	0.00	Nov 2, 2011	Cross-site scripting (XSS) vulnerability in index.php in fileNice 1.1 allows remote attackers to inject arbitrary web script or HTML via the sstring parameter (aka the Search Box). NOTE: some of these details are obtained from third party information.
CVE-2010-5030	Codefabrik Ecomat CMS	—	0.01	Nov 2, 2011	Cross-site scripting (XSS) vulnerability in index.php in Ecomat CMS 5.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter in a web action.
CVE-2010-5005	Rayzz Photoz	—	0.00	Nov 2, 2011	Cross-site scripting (XSS) vulnerability in members/profileCommentsResponse.php in Rayzz Photoz allows remote attackers to inject arbitrary web script or HTML via the profileCommentTextArea parameter. NOTE: the provenance of this information is unknown; the details are obtained…
CVE-2011-3320	Ge Intelligent Platforms Proficy Historian	—	0.00	Nov 2, 2011	Cross-site scripting (XSS) vulnerability in the Web Administrator component in GE Intelligent Platforms Proficy Historian 4.x and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

CVE-2011-4332Nov 23, 2011
Joomla
Joomla!
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-5054Nov 23, 2011
Jamwiki
Jamwiki
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Special:Login in JAMWiki before 0.8.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2010-5050Nov 23, 2011
Zohocorp
Manageengine Admanager Plus
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in jsp/admin/tools/remote_share.jsp in ManageEngine ADManager Plus 4.4.0 allows remote attackers to inject arbitrary web script or HTML via the computerName parameter. NOTE: the provenance of this information is unknown; the details are…
CVE-2011-4465Nov 19, 2011
IBM
Lotus Mobile Connect
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in IBM Lotus Mobile Connect (LMC) 6.1.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to a hidden redirect URL.
CVE-2011-2770Nov 17, 2011
Earl Hood
Man2html
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in man2html.cgi.c in man2html 1.6, and possibly other version, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to error messages.
CVE-2011-4156Nov 16, 2011
Microfocus
Network Node Manager I
risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.0x and 9.1x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4155.
CVE-2011-4155Nov 16, 2011
Microfocus
Network Node Manager I
risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.0x and 9.1x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4156.
CVE-2011-2771Nov 15, 2011
Mahara (software)
Mahara
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) URI attributes and (2) the External Feed component, as demonstrated by the guid element in an RSS feed.
CVE-2011-4436Nov 12, 2011
Dell
Kace K2000 Systems Deployment Appliance
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface on the Dell KACE K2000 System Deployment Appliance allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3985Nov 9, 2011
Plume Cms
Plume CMS
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Plume before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3999Nov 9, 2011
Ibc.co.jp
Iwate Portal Bar
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the RSS/Atom feed-reader implementation in Iwate Portal Bar allows remote attackers to inject arbitrary web script or HTML via a crafted feed.
CVE-2011-3998Nov 9, 2011
Apple Inc.
Webobjects
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Apple WebObjects 5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3648Nov 9, 2011
Mozilla Corporation
Firefox
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
CVE-2011-4277Nov 3, 2011
Courseforum
Projectforum
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in CourseForum ProjectForum 7.0.1.3038 allows remote attackers to inject arbitrary web script or HTML via a crafted name of an object within a more object on a wiki page.
CVE-2011-3986Nov 3, 2011
Pligg
Pligg CMS
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Pligg before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-4274Nov 3, 2011
Ark Web
A Form Pc
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the A-Form PC and PC/Mobile before 3.1 plug-ins for Movable Type allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-2676.
CVE-2010-5031Nov 2, 2011
Filenice
Filenice
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in fileNice 1.1 allows remote attackers to inject arbitrary web script or HTML via the sstring parameter (aka the Search Box). NOTE: some of these details are obtained from third party information.
CVE-2010-5030Nov 2, 2011
Codefabrik
Ecomat CMS
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in Ecomat CMS 5.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter in a web action.
CVE-2010-5005Nov 2, 2011
Rayzz
Photoz
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in members/profileCommentsResponse.php in Rayzz Photoz allows remote attackers to inject arbitrary web script or HTML via the profileCommentTextArea parameter. NOTE: the provenance of this information is unknown; the details are obtained…
CVE-2011-3320Nov 2, 2011
Ge
Intelligent Platforms Proficy Historian
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Web Administrator component in GE Intelligent Platforms Proficy Historian 4.x and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.