CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,699)

page 1065 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2009-4861	Supportpro Supportdesk	—	0.00	May 11, 2010	Cross-site scripting (XSS) vulnerability in shownews.php in SupportPRO SupportDesk 3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2009-4859	Onlinetechtools.com Owos Lite	—	0.00	May 11, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Online Work Order Suite (OWOS) Lite Edition 3.10 allow remote attackers to inject arbitrary web script or HTML via the show parameter to (1) default.asp and (2) report.asp, and the (3) go parameter to login.asp.
CVE-2010-1854	Phpscripte24 Pay Per Watch \& Bid Auktions System	—	0.00	May 7, 2010	Cross-site scripting (XSS) vulnerability in auktion.php in Pay Per Watch & Bid Auktions System allows remote attackers to inject arbitrary web script or HTML via the id_auk parameter, which is not properly handled in a forced SQL error message. NOTE: the provenance of this…
CVE-2009-4853	Jumpbox Jumpbox	—	0.00	May 7, 2010	Multiple cross-site scripting (XSS) vulnerabilities in JumpBox before 1.1.2 for Foswiki Wiki System allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4852	Semanticscuttle Semanticscuttle	—	0.00	May 7, 2010	Multiple cross-site scripting (XSS) vulnerabilities in SemanticScuttle before 0.94.1 allow remote attackers to inject arbitrary web script or HTML via the sort parameter to index.php, and other unspecified vectors, a different issue than CVE-2008-6113. NOTE: some of these…
CVE-2009-4848	Toutvirtual Virtualiq	—	0.00	May 7, 2010	Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual VirtualIQ Pro 3.2 build 7882 and 3.5 build 8691 allow remote attackers to inject arbitrary web script or HTML via the (1) userId parameter to tvserver/server/user/setPermissions.jsp, (2) deptName parameter to…
CVE-2009-4842	Toutvirtual Virtualiq	—	0.00	May 7, 2010	Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual VirtualIQ Pro 3.5 build 8691 allow remote attackers to inject arbitrary web script or HTML via the (1) addNewDept, (2) deptId, or (3) deptDesc parameter to tvserver/server/user/addDepartment.jsp; or the (4)…
CVE-2009-4839	Secureideas Basic Analysis And Security Engine	—	0.00	May 6, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis and Security Engine (BASE), possibly 1.4.4 and earlier, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) admin/base_roleadmin.php, (2) admin/base_useradmin.php,…
CVE-2009-4837	Secureideas Basic Analysis And Security Engine	—	0.00	May 6, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis and Security Engine (BASE) before 1.4.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sig[1] parameter to base/base_qry_main.php, or the time[0][1] parameter to (2)…
CVE-2010-1709	G5 Scripts Auto Img Gallery	—	0.00	May 4, 2010	Multiple cross-site scripting (XSS) vulnerabilities in upload.cgi in G5-Scripts Auto-Img-Gallery 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) user and (2) pass parameters.
CVE-2010-1707	Piwigo Piwigo	—	0.00	May 4, 2010	Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
CVE-2010-0594	Cisco Systems, Inc. Router And Security Device Manager	—	0.00	May 4, 2010	Cross-site scripting (XSS) vulnerability in Cisco Router and Security Device Manager (SDM) allows remote attackers to inject arbitrary web script or HTML via unknown vectors, aka Bug ID CSCtb38467.
CVE-2010-1655	Powereasy Siteweaver	—	0.00	May 3, 2010	Cross-site scripting (XSS) vulnerability in User/User_ChkLogin.asp in PowerEasy 2006 and PowerEasy SiteWeaver 6.8 allows remote attackers to inject arbitrary web script or HTML via the ComeUrl parameter.
CVE-2010-1619	Moodle Moodle	—	0.00	Apr 29, 2010	Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML…
CVE-2010-1618	Moodle Moodle	—	0.00	Apr 29, 2010	Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.
CVE-2010-1614	Moodle Moodle	—	0.00	Apr 29, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified…
CVE-2010-1609	SAP Netweaver	—	0.00	Apr 29, 2010	Cross-site scripting (XSS) vulnerability in SAP NetWeaver 2004 before SP21 and 2004s before SP13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-1594	Ocsinventory Ng Ocsinventory Ng	—	0.00	Apr 28, 2010	Multiple cross-site scripting (XSS) vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to inject arbitrary web script or HTML via (1) the query string, (2) the BASE parameter, or (3) the ega_1 parameter. NOTE: some of these details are…
CVE-2010-1593	Silverstripe Silverstripe	—	0.01	Apr 28, 2010	Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote…
CVE-2010-1590	Vpasp Vp Asp Shopping Cart	—	0.00	Apr 28, 2010	Cross-site scripting (XSS) vulnerability in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier might allow remote attackers to inject arbitrary web script or HTML via the client's DNS hostname (aka the REMOTE_HOST variable), related to the…

CVE-2009-4861May 11, 2010
Supportpro
Supportdesk
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in shownews.php in SupportPRO SupportDesk 3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2009-4859May 11, 2010
Onlinetechtools.com
Owos Lite
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Online Work Order Suite (OWOS) Lite Edition 3.10 allow remote attackers to inject arbitrary web script or HTML via the show parameter to (1) default.asp and (2) report.asp, and the (3) go parameter to login.asp.
CVE-2010-1854May 7, 2010
Phpscripte24
Pay Per Watch \& Bid Auktions System
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in auktion.php in Pay Per Watch & Bid Auktions System allows remote attackers to inject arbitrary web script or HTML via the id_auk parameter, which is not properly handled in a forced SQL error message. NOTE: the provenance of this…
CVE-2009-4853May 7, 2010
Jumpbox
Jumpbox
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in JumpBox before 1.1.2 for Foswiki Wiki System allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4852May 7, 2010
Semanticscuttle
Semanticscuttle
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in SemanticScuttle before 0.94.1 allow remote attackers to inject arbitrary web script or HTML via the sort parameter to index.php, and other unspecified vectors, a different issue than CVE-2008-6113. NOTE: some of these…
CVE-2009-4848May 7, 2010
Toutvirtual
Virtualiq
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual VirtualIQ Pro 3.2 build 7882 and 3.5 build 8691 allow remote attackers to inject arbitrary web script or HTML via the (1) userId parameter to tvserver/server/user/setPermissions.jsp, (2) deptName parameter to…
CVE-2009-4842May 7, 2010
Toutvirtual
Virtualiq
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual VirtualIQ Pro 3.5 build 8691 allow remote attackers to inject arbitrary web script or HTML via the (1) addNewDept, (2) deptId, or (3) deptDesc parameter to tvserver/server/user/addDepartment.jsp; or the (4)…
CVE-2009-4839May 6, 2010
Secureideas
Basic Analysis And Security Engine
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis and Security Engine (BASE), possibly 1.4.4 and earlier, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) admin/base_roleadmin.php, (2) admin/base_useradmin.php,…
CVE-2009-4837May 6, 2010
Secureideas
Basic Analysis And Security Engine
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis and Security Engine (BASE) before 1.4.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sig[1] parameter to base/base_qry_main.php, or the time[0][1] parameter to (2)…
CVE-2010-1709May 4, 2010
G5 Scripts
Auto Img Gallery
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in upload.cgi in G5-Scripts Auto-Img-Gallery 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) user and (2) pass parameters.
CVE-2010-1707May 4, 2010
Piwigo
Piwigo
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
CVE-2010-0594May 4, 2010
Cisco Systems, Inc.
Router And Security Device Manager
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Cisco Router and Security Device Manager (SDM) allows remote attackers to inject arbitrary web script or HTML via unknown vectors, aka Bug ID CSCtb38467.
CVE-2010-1655May 3, 2010
Powereasy
Siteweaver
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in User/User_ChkLogin.asp in PowerEasy 2006 and PowerEasy SiteWeaver 6.8 allows remote attackers to inject arbitrary web script or HTML via the ComeUrl parameter.
CVE-2010-1619Apr 29, 2010
Moodle
Moodle
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML…
CVE-2010-1618Apr 29, 2010
Moodle
Moodle
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.
CVE-2010-1614Apr 29, 2010
Moodle
Moodle
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified…
CVE-2010-1609Apr 29, 2010
SAP
Netweaver
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in SAP NetWeaver 2004 before SP21 and 2004s before SP13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-1594Apr 28, 2010
Ocsinventory Ng
Ocsinventory Ng
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to inject arbitrary web script or HTML via (1) the query string, (2) the BASE parameter, or (3) the ega_1 parameter. NOTE: some of these details are…
CVE-2010-1593Apr 28, 2010
Silverstripe
Silverstripe
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote…
CVE-2010-1590Apr 28, 2010
Vpasp
Vp Asp Shopping Cart
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier might allow remote attackers to inject arbitrary web script or HTML via the client's DNS hostname (aka the REMOTE_HOST variable), related to the…