CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 1088 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2008-6746	Horde (software) Turba H3	—	0.00	Apr 23, 2009	Cross-site scripting (XSS) vulnerability in the contact display view in Turba Contact Manager H3 before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the contact name.
CVE-2009-1366	Dnnsoftware Dotnetnuke	—	0.00	Apr 22, 2009	Cross-site scripting (XSS) vulnerability in Website\admin\Sales\paypalipn.aspx in DotNetNuke (DNN) before 4.9.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "name/value pairs" and "paypal IPN functionality."
CVE-2009-1310	Mozilla Corporation Firefox	—	0.01	Apr 22, 2009	Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element.
CVE-2009-1308	Mozilla Corporation Firefox	—	0.01	Apr 22, 2009	Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay…
CVE-2008-6733	Dnnsoftware Dotnetnuke	—	0.00	Apr 21, 2009	Cross-site scripting (XSS) vulnerability in the error handling page in DotNetNuke 4.6.2 through 4.8.3 allows remote attackers to inject arbitrary web script or HTML via the querystring parameter.
CVE-2008-6732	Dnnsoftware Dotnetnuke	—	0.00	Apr 21, 2009	Cross-site scripting (XSS) vulnerability in the Language skin object in DotNetNuke before 4.8.4 allows remote attackers to inject arbitrary web script or HTML via "newly generated paths."
CVE-2006-7238	Mark Girling Myshoutpro	—	0.00	Apr 21, 2009	Cross-site scripting (XSS) vulnerability in MyShoutPro before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-1344	Drupal Localization Client	—	0.00	Apr 20, 2009	Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality.
CVE-2009-1343	Drupal Print	—	0.00	Apr 20, 2009	Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles.
CVE-2009-1342	Drupal Cck Comment Reference	—	0.00	Apr 20, 2009	Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form.
CVE-2009-1333	Microfocus Deskjet 6840	—	0.01	Apr 17, 2009	Cross-site scripting (XSS) vulnerability in refresh_rate.htm in the web interface on the HP Deskjet 6840 printer with firmware XF1M131A allows remote attackers to inject arbitrary web script or HTML via the POST request body.
CVE-2009-0038	Apache Geronimo	—	0.24	Apr 17, 2009	Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to…
CVE-2009-1320	Zazzle Store Builder	—	0.00	Apr 17, 2009	Multiple cross-site scripting (XSS) vulnerabilities in include/zstore.php in Zazzle Store Builder 1.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) gridPage and (2) gridSort parameters. NOTE: some of these details are obtained from third party…
CVE-2008-6724	Patrick Matthai Pnopaste	—	0.00	Apr 17, 2009	Cross-site scripting (XSS) vulnerability in index.pl in Perl Nopaste 1.0 allows remote attackers to inject arbitrary web script or HTML via the language parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6699	TYPO3 Typo3	—	0.00	Apr 10, 2009	Cross-site scripting (XSS) vulnerability in Resource Library (tjs_reslib) 0.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2008-6698	Michael Fritz Worldcup	—	0.00	Apr 10, 2009	Cross-site scripting (XSS) vulnerability in TARGET-E WorldCup Bets (worldcup) 2.0.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2008-6688	TYPO3 Jobcontrol	—	0.00	Apr 10, 2009	Cross-site scripting (XSS) vulnerability in JobControl (dmmjobcontrol) 1.15.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2008-6687	David Cadu Dcdgooglemap	—	0.00	Apr 10, 2009	Cross-site scripting (XSS) vulnerability in DCD GoogleMap (dcdgooglemap) 1.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2009-1279	Joomla Joomla!	—	0.00	Apr 9, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5 through 1.5.9 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) com_admin component, (2) com_search component when "Gather Search Statistics" is enabled, and (3) the…
CVE-2008-6682	Apache Struts	—	0.01	Apr 9, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute…

CVE-2008-6746Apr 23, 2009
Horde (software)
Turba H3
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the contact display view in Turba Contact Manager H3 before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the contact name.
CVE-2009-1366Apr 22, 2009
Dnnsoftware
Dotnetnuke
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Website\admin\Sales\paypalipn.aspx in DotNetNuke (DNN) before 4.9.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "name/value pairs" and "paypal IPN functionality."
CVE-2009-1310Apr 22, 2009
Mozilla Corporation
Firefox
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element.
CVE-2009-1308Apr 22, 2009
Mozilla Corporation
Firefox
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay…
CVE-2008-6733Apr 21, 2009
Dnnsoftware
Dotnetnuke
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the error handling page in DotNetNuke 4.6.2 through 4.8.3 allows remote attackers to inject arbitrary web script or HTML via the querystring parameter.
CVE-2008-6732Apr 21, 2009
Dnnsoftware
Dotnetnuke
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Language skin object in DotNetNuke before 4.8.4 allows remote attackers to inject arbitrary web script or HTML via "newly generated paths."
CVE-2006-7238Apr 21, 2009
Mark Girling
Myshoutpro
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in MyShoutPro before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-1344Apr 20, 2009
Drupal
Localization Client
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality.
CVE-2009-1343Apr 20, 2009
Drupal
Print
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles.
CVE-2009-1342Apr 20, 2009
Drupal
Cck Comment Reference
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form.
CVE-2009-1333Apr 17, 2009
Microfocus
Deskjet 6840
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in refresh_rate.htm in the web interface on the HP Deskjet 6840 printer with firmware XF1M131A allows remote attackers to inject arbitrary web script or HTML via the POST request body.
CVE-2009-0038Apr 17, 2009
Apache
Geronimo
risk 0.00cvss —epss 0.24
Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to…
CVE-2009-1320Apr 17, 2009
Zazzle
Store Builder
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in include/zstore.php in Zazzle Store Builder 1.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) gridPage and (2) gridSort parameters. NOTE: some of these details are obtained from third party…
CVE-2008-6724Apr 17, 2009
Patrick Matthai
Pnopaste
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.pl in Perl Nopaste 1.0 allows remote attackers to inject arbitrary web script or HTML via the language parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6699Apr 10, 2009
TYPO3
Typo3
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Resource Library (tjs_reslib) 0.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2008-6698Apr 10, 2009
Michael Fritz
Worldcup
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in TARGET-E WorldCup Bets (worldcup) 2.0.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2008-6688Apr 10, 2009
TYPO3
Jobcontrol
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in JobControl (dmmjobcontrol) 1.15.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2008-6687Apr 10, 2009
David Cadu
Dcdgooglemap
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in DCD GoogleMap (dcdgooglemap) 1.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2009-1279Apr 9, 2009
Joomla
Joomla!
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5 through 1.5.9 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) com_admin component, (2) com_search component when "Gather Search Statistics" is enabled, and (3) the…
CVE-2008-6682Apr 9, 2009
Apache
Struts
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute…