CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 1082 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2009-1877	Adobe Inc. Coldfusion	—	0.01	Aug 18, 2009	Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2009-1875.
CVE-2009-1875	Adobe Inc. Coldfusion	—	0.01	Aug 18, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion 8.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2009-1877.
CVE-2009-1874	Adobe Inc. Jrun	—	0.01	Aug 18, 2009	Multiple cross-site scripting (XSS) vulnerabilities in the Management Console in Adobe JRun 4.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-2851	WordPress WordPress	—	0.03	Aug 18, 2009	Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL.
CVE-2009-2785	Phpclassifiedsscript PHP Classifieds Script	—	0.01	Aug 17, 2009	Multiple cross-site scripting (XSS) vulnerabilities in PHP Open Classifieds Script allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter to buy.php and the id parameter to (2) contact.php and (3) tellafriend.php.
CVE-2009-2771	Freearcadescript Free Arcade Script	—	0.00	Aug 14, 2009	Cross-site scripting (XSS) vulnerability in Free Arcade Script 1.3 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter to the default URI under search/.
CVE-2008-6972	Drupal Content Construction Kit	—	0.00	Aug 13, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Drupal Content Construction Kit (CCK) 5.x through 5.x-1.8 allow remote authenticated users with "administer content" permissions to inject arbitrary web script or HTML via the (1) "field label," (2) "help text," or (3)…
CVE-2008-6969	Pentasoft Corp. Avactis Shopping Cart	—	0.00	Aug 13, 2009	Multiple cross-site scripting (XSS) vulnerabilities in checkout.php in Avactis Shopping Cart 1.8.0 and 1.8.1 allow remote attackers to inject arbitrary web script or HTML via the (1) step_id and (2) CHECKOUT_CZ_BLOWFISH_KEY parameters.
CVE-2008-6945	Interchange Development Group Interchange	—	0.01	Aug 12, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Interchange 5.7 before 5.7.1, 5.6 before 5.6.1, and 5.4 before 5.4.3 allow remote attackers to inject arbitrary web script or HTML via (1) the mv_order_item CGI variable parameter in Core, (2) the country-select widget, or…
CVE-2009-2739	Freenas Freenas	—	0.00	Aug 11, 2009	Cross-site scripting (XSS) vulnerability in FreeNAS before 0.69.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2009-2738	Plain Black Webgui	—	0.00	Aug 11, 2009	Cross-site request forgery (CSRF) vulnerability in the WebGUI in FreeNAS before 0.7RC1 allows remote attackers to hijack the authentication of users for unspecified requests via unknown vectors.
CVE-2008-6925	Zenphoto Zenphoto	—	0.00	Aug 10, 2009	Cross-site scripting (XSS) vulnerability in function.php in Zenphoto 1.1.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the "request logging" feature. NOTE: the provenance of this information is unknown; the details are obtained…
CVE-2008-6894	—	—	0.00	Aug 3, 2009	Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3CX Phone System Free Edition 6.1793 and 6.0.806.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fName and (2) fPassword parameters.
CVE-2008-6893	Alt N Worldclient	—	0.00	Aug 3, 2009	Cross-site scripting (XSS) vulnerability in Alt-N MDaemon WorldClient 10.0.2, when Internet Explorer 7 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted img tag.
CVE-2008-6885	XOOPS Xoops	—	0.01	Jul 31, 2009	Cross-site scripting (XSS) vulnerability in pmlite.php in XOOPS 2.3.1 and 2.3.2a allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute in a URL BBcode tag in a private message.
CVE-2008-6879	Apache Roller	—	0.03	Jul 30, 2009	Cross-site scripting (XSS) vulnerability in Apache Roller 2.3, 3.0, 3.1, and 4.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter in a search action.
CVE-2009-2636	Kerio Technologies Kerio Mailserver	—	0.00	Jul 28, 2009	Cross-site scripting (XSS) vulnerability in the Integration page in the WebMail component in Kerio MailServer 6.6.0, 6.6.1, 6.6.2, and 6.7.0 allows remote attackers to inject arbitrary web script or HTML via an e-mail message.
CVE-2009-2615	Datachecknh Sitepal	—	0.00	Jul 27, 2009	Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solutions SitePal 1.x allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) z_admin_login.asp, (2) z_forgot.asp, and possibly unspecified other components. NOTE: the…
CVE-2009-2613	Datachecknh Linkpal	—	0.00	Jul 27, 2009	Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solutions LinkPal 1.x allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) z_loginfailed.asp, (2) z_admin_login.asp, (3) z_forgot.asp, and possibly unspecified other…
CVE-2009-2610	Scott Courtney Links Package	—	0.00	Jul 27, 2009	Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.

CVE-2009-1877Aug 18, 2009
Adobe Inc.
Coldfusion
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2009-1875.
CVE-2009-1875Aug 18, 2009
Adobe Inc.
Coldfusion
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion 8.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2009-1877.
CVE-2009-1874Aug 18, 2009
Adobe Inc.
Jrun
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the Management Console in Adobe JRun 4.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-2851Aug 18, 2009
WordPress
WordPress
risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL.
CVE-2009-2785Aug 17, 2009
Phpclassifiedsscript
PHP Classifieds Script
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in PHP Open Classifieds Script allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter to buy.php and the id parameter to (2) contact.php and (3) tellafriend.php.
CVE-2009-2771Aug 14, 2009
Freearcadescript
Free Arcade Script
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Free Arcade Script 1.3 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter to the default URI under search/.
CVE-2008-6972Aug 13, 2009
Drupal
Content Construction Kit
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Drupal Content Construction Kit (CCK) 5.x through 5.x-1.8 allow remote authenticated users with "administer content" permissions to inject arbitrary web script or HTML via the (1) "field label," (2) "help text," or (3)…
CVE-2008-6969Aug 13, 2009
Pentasoft Corp.
Avactis Shopping Cart
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in checkout.php in Avactis Shopping Cart 1.8.0 and 1.8.1 allow remote attackers to inject arbitrary web script or HTML via the (1) step_id and (2) CHECKOUT_CZ_BLOWFISH_KEY parameters.
CVE-2008-6945Aug 12, 2009
Interchange Development Group
Interchange
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Interchange 5.7 before 5.7.1, 5.6 before 5.6.1, and 5.4 before 5.4.3 allow remote attackers to inject arbitrary web script or HTML via (1) the mv_order_item CGI variable parameter in Core, (2) the country-select widget, or…
CVE-2009-2739Aug 11, 2009
Freenas
Freenas
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in FreeNAS before 0.69.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2009-2738Aug 11, 2009
Plain Black
Webgui
risk 0.00cvss —epss 0.00
Cross-site request forgery (CSRF) vulnerability in the WebGUI in FreeNAS before 0.7RC1 allows remote attackers to hijack the authentication of users for unspecified requests via unknown vectors.
CVE-2008-6925Aug 10, 2009
Zenphoto
Zenphoto
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in function.php in Zenphoto 1.1.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the "request logging" feature. NOTE: the provenance of this information is unknown; the details are obtained…
CVE-2008-6894Aug 3, 2009
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3CX Phone System Free Edition 6.1793 and 6.0.806.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fName and (2) fPassword parameters.
CVE-2008-6893Aug 3, 2009
Alt N
Worldclient
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Alt-N MDaemon WorldClient 10.0.2, when Internet Explorer 7 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted img tag.
CVE-2008-6885Jul 31, 2009
XOOPS
Xoops
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in pmlite.php in XOOPS 2.3.1 and 2.3.2a allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute in a URL BBcode tag in a private message.
CVE-2008-6879Jul 30, 2009
Apache
Roller
risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Apache Roller 2.3, 3.0, 3.1, and 4.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter in a search action.
CVE-2009-2636Jul 28, 2009
Kerio Technologies
Kerio Mailserver
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Integration page in the WebMail component in Kerio MailServer 6.6.0, 6.6.1, 6.6.2, and 6.7.0 allows remote attackers to inject arbitrary web script or HTML via an e-mail message.
CVE-2009-2615Jul 27, 2009
Datachecknh
Sitepal
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solutions SitePal 1.x allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) z_admin_login.asp, (2) z_forgot.asp, and possibly unspecified other components. NOTE: the…
CVE-2009-2613Jul 27, 2009
Datachecknh
Linkpal
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solutions LinkPal 1.x allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) z_loginfailed.asp, (2) z_admin_login.asp, (3) z_forgot.asp, and possibly unspecified other…
CVE-2009-2610Jul 27, 2009
Scott Courtney
Links Package
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.