CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,700)

page 1045 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2011-2400	Microfocus Sitescope	—	0.01	Jul 29, 2011	Cross-site scripting (XSS) vulnerability in HP SiteScope 9.x, 10.x, and 11.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2958	Ecava Integraxor	—	0.01	Jul 28, 2011	Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-1339	Google Search Appliance	—	0.00	Jul 28, 2011	Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2710	Joomla Joomla!	—	0.00	Jul 27, 2011	Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote…
CVE-2011-2509	Joomla Joomla!	—	0.00	Jul 27, 2011	Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the…
CVE-2011-0242	Apple Inc. Safari	—	0.00	Jul 21, 2011	Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving a URL that contains a username.
CVE-2010-1420	Apple Inc. Safari	—	0.00	Jul 21, 2011	Cross-site scripting (XSS) vulnerability in CFNetwork in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via a crafted text/plain file.
CVE-2011-0770	Microfocus Windows Event Log Smartconnector	—	0.01	Jul 19, 2011	Cross-site scripting (XSS) vulnerability in Windows Event Log SmartConnector in HP ArcSight Connector Appliance before 6.1 allows remote attackers to inject arbitrary web script or HTML via the Windows XP variable in a file.
CVE-2011-2754	IBM Websphere Portal	—	0.00	Jul 17, 2011	Cross-site scripting (XSS) vulnerability in the PageBuilder2 (aka Page Builder) theme in IBM WebSphere Portal 7.x before 7.0.0.1 CF006, as used in IBM Web Content Manager (WCM) and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified…
CVE-2011-2510	Dokuwiki Dokuwiki	—	0.01	Jul 14, 2011	Cross-site scripting (XSS) vulnerability in the RSS embedding feature in DokuWiki before 2011-05-25a Rincewind allows remote attackers to inject arbitrary web script or HTML via a link.
CVE-2011-2023	SquirrelMail Squirrelmail	—	0.00	Jul 14, 2011	Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message.
CVE-2010-4555	SquirrelMail Squirrelmail	—	0.01	Jul 14, 2011	Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin,…
CVE-2010-4813	Category Tokens Project Category Tokens	—	0.00	Jul 8, 2011	Cross-site scripting (XSS) vulnerability in the Category Tokens module 6.x before 6.x-1.1 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML by editing or creating vocabulary names, which are not properly…
CVE-2010-4811	6kbbs 6kbbs	—	0.00	Jul 8, 2011	Multiple cross-site scripting (XSS) vulnerabilities in ajaxmember.php in 6kbbs 8.0 build 20100901 allow remote attackers to inject arbitrary web script or HTML via the (1) user[msn], (2) user[email], and (3) user[phone] parameters in a modifyDetails action.
CVE-2011-2679	IBM Rational Doors Web Access	—	0.00	Jul 7, 2011	Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Web Access 1.4.x before 1.4.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2609	Opera Opera Browser	—	0.01	Jul 1, 2011	Opera before 11.50 does not properly restrict data: URIs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site.
CVE-2011-2607	IBM Rational Team Concert	—	0.00	Jun 30, 2011	Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert (RTC) 3.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Work Item 165513.
CVE-2011-2606	IBM Rational Team Concert	—	0.00	Jun 30, 2011	Cross-site scripting (XSS) vulnerability in the Web UI in IBM Rational Team Concert (RTC) 3.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Work Item 165511.
CVE-2011-2369	Mozilla Corporation Firefox	—	0.00	Jun 30, 2011	Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 4.0.1 allows remote attackers to inject arbitrary web script or HTML via an SVG element containing an HTML-encoded entity.
CVE-2011-2197	Rubyonrails Rails	—	0.00	Jun 30, 2011	The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an…

CVE-2011-2400Jul 29, 2011
Microfocus
Sitescope
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in HP SiteScope 9.x, 10.x, and 11.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2958Jul 28, 2011
Ecava
Integraxor
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-1339Jul 28, 2011
Google
Search Appliance
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2710Jul 27, 2011
Joomla
Joomla!
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote…
CVE-2011-2509Jul 27, 2011
Joomla
Joomla!
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the…
CVE-2011-0242Jul 21, 2011
Apple Inc.
Safari
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving a URL that contains a username.
CVE-2010-1420Jul 21, 2011
Apple Inc.
Safari
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in CFNetwork in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via a crafted text/plain file.
CVE-2011-0770Jul 19, 2011
Microfocus
Windows Event Log Smartconnector
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Windows Event Log SmartConnector in HP ArcSight Connector Appliance before 6.1 allows remote attackers to inject arbitrary web script or HTML via the Windows XP variable in a file.
CVE-2011-2754Jul 17, 2011
IBM
Websphere Portal
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the PageBuilder2 (aka Page Builder) theme in IBM WebSphere Portal 7.x before 7.0.0.1 CF006, as used in IBM Web Content Manager (WCM) and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified…
CVE-2011-2510Jul 14, 2011
Dokuwiki
Dokuwiki
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the RSS embedding feature in DokuWiki before 2011-05-25a Rincewind allows remote attackers to inject arbitrary web script or HTML via a link.
CVE-2011-2023Jul 14, 2011
SquirrelMail
Squirrelmail
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message.
CVE-2010-4555Jul 14, 2011
SquirrelMail
Squirrelmail
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin,…
CVE-2010-4813Jul 8, 2011
Category Tokens Project
Category Tokens
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Category Tokens module 6.x before 6.x-1.1 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML by editing or creating vocabulary names, which are not properly…
CVE-2010-4811Jul 8, 2011
6kbbs
6kbbs
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in ajaxmember.php in 6kbbs 8.0 build 20100901 allow remote attackers to inject arbitrary web script or HTML via the (1) user[msn], (2) user[email], and (3) user[phone] parameters in a modifyDetails action.
CVE-2011-2679Jul 7, 2011
IBM
Rational Doors Web Access
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Web Access 1.4.x before 1.4.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2609Jul 1, 2011
Opera
Opera Browser
risk 0.00cvss —epss 0.01
Opera before 11.50 does not properly restrict data: URIs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site.
CVE-2011-2607Jun 30, 2011
IBM
Rational Team Concert
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert (RTC) 3.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Work Item 165513.
CVE-2011-2606Jun 30, 2011
IBM
Rational Team Concert
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Rational Team Concert (RTC) 3.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Work Item 165511.
CVE-2011-2369Jun 30, 2011
Mozilla Corporation
Firefox
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 4.0.1 allows remote attackers to inject arbitrary web script or HTML via an SVG element containing an HTML-encoded entity.
CVE-2011-2197Jun 30, 2011
Rubyonrails
Rails
risk 0.00cvss —epss 0.00
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an…