CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,697)

page 1072 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2010-0327	TYPO3 Kj Imagelightbox2	—	0.00	Jan 15, 2010	Cross-site scripting (XSS) vulnerability in the KJ: Imagelightbox (kj_imagelightbox2) extension 2.0.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-2490.
CVE-2010-0326	Francois Suter Devlog	—	0.00	Jan 15, 2010	Cross-site scripting (XSS) vulnerability in the Developer log (devlog) extension 2.9.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-0320	Glitter Central Script Glitter Central Script	—	0.00	Jan 15, 2010	Cross-site scripting (XSS) vulnerability in submitlink.php in Glitter Central Script allows remote attackers to inject arbitrary web script or HTML via the catid parameter.
CVE-2009-4608	Canon Its Accessguardian	—	0.01	Jan 13, 2010	Cross-site scripting (XSS) vulnerability in Canon IT Solutions Inc. ACCESSGUARDIAN 3.0.14 and earlier, and 3.5.6 and earlier, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to authentication.
CVE-2009-4602	Drupal Randomizer	—	0.00	Jan 12, 2010	Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-3742	Liferay Portal	—	0.01	Jan 7, 2010	Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter.
CVE-2009-4590	Secureideas Basic Analysis And Security Engine	—	0.00	Jan 7, 2010	Cross-site scripting (XSS) vulnerability in base_local_rules.php in Basic Analysis and Security Engine (BASE) before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4589	MediaWiki Mediawiki	—	0.00	Jan 7, 2010	Cross-site scripting (XSS) vulnerability in the Special:Block implementation in the getContribsLink function in SpecialBlockip.php in MediaWiki 1.14.0 and 1.15.0 allows remote attackers to inject arbitrary web script or HTML via the ip parameter.
CVE-2009-4586	Wowd Wowd	—	0.00	Jan 7, 2010	Multiple cross-site scripting (XSS) vulnerabilities in index.html in Wowd client before 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sortby, (2) tags, or (3) ctx parameter in a search action.
CVE-2009-4580	Hastablog Hasta Blog	—	0.00	Jan 6, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Hasta Blog 2.3 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) yorumyaz.php and (2) blog.php.
CVE-2009-4579	Joomla Com Artistavenue	—	0.00	Jan 6, 2010	Cross-site scripting (XSS) vulnerability in the Artist avenue (com_artistavenue) component for Joomla! and Mambo allows remote attackers to inject arbitrary web script or HTML via the Itemid parameter to index.php.
CVE-2009-4573	Joomlabear Mod Joomulus	—	0.00	Jan 6, 2010	Multiple cross-site scripting (XSS) vulnerabilities in the Joomulus (mod_joomulus) module 2.0 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the tagcloud parameter in a tags action to (1) tagcloud_ell.swf, (2) tagcloud_eng.swf, (3)…
CVE-2009-4570	Phpshop Phpshop	—	0.00	Jan 5, 2010	Cross-site scripting (XSS) vulnerability in PhpShop 0.8.1 allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in an order/order_print action to the default URI.
CVE-2009-4568	Webmin Webmin	—	0.00	Jan 5, 2010	Cross-site scripting (XSS) vulnerability in Webmin before 1.500 and Usermin before 1.430 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4559	Nanwich Submitted By	—	0.00	Jan 4, 2010	Cross-site scripting (XSS) vulnerability in the Submitted By module 6.x before 6.x-1.3 for Drupal allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via an input string for "submitted by" text.
CVE-2009-4557	Unleashedmind Img Assist	—	0.00	Jan 4, 2010	Cross-site scripting (XSS) vulnerability in the Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alpha4, 6.x-1.x before 6.x-1.1, 6.x-2.x before 2.0-alpha4, and 6.x-3.x-dev before 2009-07-15, a module for Drupal, allows remote authenticated users, with image-node…
CVE-2009-4539	Sqlitemanager Sqlitemanager	—	0.00	Jan 4, 2010	Cross-site scripting (XSS) vulnerability in main.php in SQLiteManager 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
CVE-2009-4532	Nathan Haug Webform	—	0.00	Dec 31, 2009	Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field label.
CVE-2009-4525	Drupal Print	—	0.00	Dec 31, 2009	Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via crafted data in a list of links.
CVE-2009-4524	Nancy Wichmann Realname	—	0.00	Dec 31, 2009	Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a realname (aka real name) element.

CVE-2010-0327Jan 15, 2010
TYPO3
Kj Imagelightbox2
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the KJ: Imagelightbox (kj_imagelightbox2) extension 2.0.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-2490.
CVE-2010-0326Jan 15, 2010
Francois Suter
Devlog
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Developer log (devlog) extension 2.9.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-0320Jan 15, 2010
Glitter Central Script
Glitter Central Script
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in submitlink.php in Glitter Central Script allows remote attackers to inject arbitrary web script or HTML via the catid parameter.
CVE-2009-4608Jan 13, 2010
Canon Its
Accessguardian
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Canon IT Solutions Inc. ACCESSGUARDIAN 3.0.14 and earlier, and 3.5.6 and earlier, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to authentication.
CVE-2009-4602Jan 12, 2010
Drupal
Randomizer
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-3742Jan 7, 2010
Liferay
Portal
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3.0 allows remote attackers to inject arbitrary web script or HTML via the p_p_id parameter.
CVE-2009-4590Jan 7, 2010
Secureideas
Basic Analysis And Security Engine
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in base_local_rules.php in Basic Analysis and Security Engine (BASE) before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4589Jan 7, 2010
MediaWiki
Mediawiki
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Special:Block implementation in the getContribsLink function in SpecialBlockip.php in MediaWiki 1.14.0 and 1.15.0 allows remote attackers to inject arbitrary web script or HTML via the ip parameter.
CVE-2009-4586Jan 7, 2010
Wowd
Wowd
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in index.html in Wowd client before 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sortby, (2) tags, or (3) ctx parameter in a search action.
CVE-2009-4580Jan 6, 2010
Hastablog
Hasta Blog
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Hasta Blog 2.3 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) yorumyaz.php and (2) blog.php.
CVE-2009-4579Jan 6, 2010
Joomla
Com Artistavenue
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Artist avenue (com_artistavenue) component for Joomla! and Mambo allows remote attackers to inject arbitrary web script or HTML via the Itemid parameter to index.php.
CVE-2009-4573Jan 6, 2010
Joomlabear
Mod Joomulus
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the Joomulus (mod_joomulus) module 2.0 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the tagcloud parameter in a tags action to (1) tagcloud_ell.swf, (2) tagcloud_eng.swf, (3)…
CVE-2009-4570Jan 5, 2010
Phpshop
Phpshop
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in PhpShop 0.8.1 allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in an order/order_print action to the default URI.
CVE-2009-4568Jan 5, 2010
Webmin
Webmin
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Webmin before 1.500 and Usermin before 1.430 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4559Jan 4, 2010
Nanwich
Submitted By
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Submitted By module 6.x before 6.x-1.3 for Drupal allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via an input string for "submitted by" text.
CVE-2009-4557Jan 4, 2010
Unleashedmind
Img Assist
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alpha4, 6.x-1.x before 6.x-1.1, 6.x-2.x before 2.0-alpha4, and 6.x-3.x-dev before 2009-07-15, a module for Drupal, allows remote authenticated users, with image-node…
CVE-2009-4539Jan 4, 2010
Sqlitemanager
Sqlitemanager
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in main.php in SQLiteManager 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
CVE-2009-4532Dec 31, 2009
Nathan Haug
Webform
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field label.
CVE-2009-4525Dec 31, 2009
Drupal
Print
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via crafted data in a list of links.
CVE-2009-4524Dec 31, 2009
Nancy Wichmann
Realname
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a realname (aka real name) element.