CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,700)

page 1046 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2011-2470	Reallysimplechat Really Simple Chat	—	0.00	Jun 29, 2011	Cross-site scripting (XSS) vulnerability in chat/base/admin/login.php in A Really Simple Chat (ARSC) 3.3-rc2 allows remote attackers to inject arbitrary web script or HTML via the arsc_message parameter.
CVE-2011-2180	Reallysimplechat Really Simple Chat	—	0.00	Jun 29, 2011	Cross-site scripting (XSS) vulnerability in dereferer.php in A Really Simple Chat (ARSC) 3.3-rc2 allows remote attackers to inject arbitrary web script or HTML via the arsc_link parameter.
CVE-2011-1335	Cybozu Office	—	0.01	Jun 29, 2011	Cross-site scripting (XSS) vulnerability in Cybozu Office 6, 7, and 8 before 8.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "address book and user list functions."
CVE-2011-1334	Cybozu Garoon	—	0.01	Jun 29, 2011	Cross-site scripting (XSS) vulnerability in Cybozu Office 6, Cybozu Garoon 2.0.0 through 2.1.3, Cybozu Dezie before 6.1, Cybozu MailWise before 3.1, and Cybozu Collaborex before 1.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to…
CVE-2011-1333	Cybozu Garoon	—	0.01	Jun 29, 2011	Cross-site scripting (XSS) vulnerability in Cybozu Office 6 and Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to "downloading graphic files from the bulletin board system."
CVE-2011-1332	Cybozu Garoon	—	0.00	Jun 29, 2011	Cross-site scripting (XSS) vulnerability in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-6570.
CVE-2011-1330	Kbs Weblygo	—	0.00	Jun 22, 2011	Cross-site scripting (XSS) vulnerability in WeblyGo 5.0 Pro/LE, 5.02 Pro/LE, 5.03 Pro/LE, 5.04 Pro/LE, and 5.10 Pro/LE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-1481	Warpspeed PHP Nuke	—	0.00	Jun 21, 2011	Multiple cross-site scripting (XSS) vulnerabilities in Francisco Burzi PHP-Nuke 8.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) sender_name or (2) sender_email parameter in a Feedback action to modules.php.
CVE-2011-1129	Simple Machines Smf	—	0.00	Jun 21, 2011	Cross-site scripting (XSS) vulnerability in the EditNews function in ManageNews.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, might allow remote authenticated users to inject arbitrary web script or HTML via a save_items action.
CVE-2011-1264	Microsoft Windows Server 2003	—	0.02	Jun 16, 2011	Cross-site scripting (XSS) vulnerability in Active Directory Certificate Services Web Enrollment in Microsoft Windows Server 2003 SP2 and Server 2008 Gold, SP2, R2, and R2 SP1 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka…
CVE-2011-2477	Icinga Icinga	—	0.00	Jun 14, 2011	Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in Icinga before 1.4.1, when escape_html_tags is disabled, allow remote attackers to inject arbitrary web script or HTML via a JavaScript expression, as demonstrated by the onload attribute of a BODY…
CVE-2011-2476	Coppermine Coppermine Photo Gallery	—	0.00	Jun 14, 2011	Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery (CPG) before 1.5.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-4667.
CVE-2011-1862	Microfocus Service Manager	—	0.01	Jun 14, 2011	Cross-site scripting (XSS) vulnerability in HP Service Manager 7.02, 7.11, 9.20, and 9.21 and Service Center 6.2.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-4667	Coppermine Coppermine Photo Gallery	—	0.00	Jun 14, 2011	Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery (CPG) before 1.4.27 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2342	Google Chrome	—	0.00	Jun 9, 2011	The DOM implementation in Google Chrome before 12.0.742.91 allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
CVE-2011-1819	Google Chrome	—	0.00	Jun 9, 2011	Google Chrome before 12.0.742.91 allows remote attackers to perform unspecified injection into a chrome:// page via vectors related to extensions.
CVE-2011-1815	Google Chrome	—	0.00	Jun 9, 2011	Google Chrome before 12.0.742.91 allows remote attackers to inject script into a tab page via vectors related to extensions.
CVE-2011-2107	Adobe Inc. Acrobat Reader	—	0.01	Jun 9, 2011	Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and earlier on Android, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "universal…
CVE-2011-1953	Post Revolution Post Revolution	—	0.00	Jun 6, 2011	Multiple cross-site scripting (XSS) vulnerabilities in common.php in Post Revolution before 0.8.0c-2 allow remote attackers to inject arbitrary web script or HTML via an attribute of a (1) P, a (2) STRONG, a (3) A, a (4) EM, a (5) I, a (6) IMG, a (7) LI, an (8) OL, a (9) VIDEO,…
CVE-2011-1949	Plone (software) Plone	—	0.00	Jun 6, 2011	Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.

CVE-2011-2470Jun 29, 2011
Reallysimplechat
Really Simple Chat
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in chat/base/admin/login.php in A Really Simple Chat (ARSC) 3.3-rc2 allows remote attackers to inject arbitrary web script or HTML via the arsc_message parameter.
CVE-2011-2180Jun 29, 2011
Reallysimplechat
Really Simple Chat
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in dereferer.php in A Really Simple Chat (ARSC) 3.3-rc2 allows remote attackers to inject arbitrary web script or HTML via the arsc_link parameter.
CVE-2011-1335Jun 29, 2011
Cybozu
Office
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Cybozu Office 6, 7, and 8 before 8.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "address book and user list functions."
CVE-2011-1334Jun 29, 2011
Cybozu
Garoon
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Cybozu Office 6, Cybozu Garoon 2.0.0 through 2.1.3, Cybozu Dezie before 6.1, Cybozu MailWise before 3.1, and Cybozu Collaborex before 1.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to…
CVE-2011-1333Jun 29, 2011
Cybozu
Garoon
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Cybozu Office 6 and Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to "downloading graphic files from the bulletin board system."
CVE-2011-1332Jun 29, 2011
Cybozu
Garoon
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-6570.
CVE-2011-1330Jun 22, 2011
Kbs
Weblygo
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in WeblyGo 5.0 Pro/LE, 5.02 Pro/LE, 5.03 Pro/LE, 5.04 Pro/LE, and 5.10 Pro/LE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-1481Jun 21, 2011
Warpspeed
PHP Nuke
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Francisco Burzi PHP-Nuke 8.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) sender_name or (2) sender_email parameter in a Feedback action to modules.php.
CVE-2011-1129Jun 21, 2011
Simple Machines
Smf
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the EditNews function in ManageNews.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, might allow remote authenticated users to inject arbitrary web script or HTML via a save_items action.
CVE-2011-1264Jun 16, 2011
Microsoft
Windows Server 2003
risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Active Directory Certificate Services Web Enrollment in Microsoft Windows Server 2003 SP2 and Server 2008 Gold, SP2, R2, and R2 SP1 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka…
CVE-2011-2477Jun 14, 2011
Icinga
Icinga
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in Icinga before 1.4.1, when escape_html_tags is disabled, allow remote attackers to inject arbitrary web script or HTML via a JavaScript expression, as demonstrated by the onload attribute of a BODY…
CVE-2011-2476Jun 14, 2011
Coppermine
Coppermine Photo Gallery
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery (CPG) before 1.5.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-4667.
CVE-2011-1862Jun 14, 2011
Microfocus
Service Manager
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in HP Service Manager 7.02, 7.11, 9.20, and 9.21 and Service Center 6.2.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-4667Jun 14, 2011
Coppermine
Coppermine Photo Gallery
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery (CPG) before 1.4.27 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-2342Jun 9, 2011
Google
Chrome
risk 0.00cvss —epss 0.00
The DOM implementation in Google Chrome before 12.0.742.91 allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
CVE-2011-1819Jun 9, 2011
Google
Chrome
risk 0.00cvss —epss 0.00
Google Chrome before 12.0.742.91 allows remote attackers to perform unspecified injection into a chrome:// page via vectors related to extensions.
CVE-2011-1815Jun 9, 2011
Google
Chrome
risk 0.00cvss —epss 0.00
Google Chrome before 12.0.742.91 allows remote attackers to inject script into a tab page via vectors related to extensions.
CVE-2011-2107Jun 9, 2011
Adobe Inc.
Acrobat Reader
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and earlier on Android, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "universal…
CVE-2011-1953Jun 6, 2011
Post Revolution
Post Revolution
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in common.php in Post Revolution before 0.8.0c-2 allow remote attackers to inject arbitrary web script or HTML via an attribute of a (1) P, a (2) STRONG, a (3) A, a (4) EM, a (5) I, a (6) IMG, a (7) LI, an (8) OL, a (9) VIDEO,…
CVE-2011-1949Jun 6, 2011
Plone (software)
Plone
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.