CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (22,695)
page 1089 of 1,135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-6681 | 0.00 | — | 0.00 | Apr 9, 2009 | Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element. | |||
| CVE-2008-2025 | 0.00 | — | 0.03 | Apr 9, 2009 | Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to… | |||
| CVE-2007-6726 | 0.00 | — | 0.02 | Apr 9, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/. | |||
| CVE-2008-6666 | 0.00 | — | 0.00 | Apr 8, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Kronos webTA allow remote attackers to inject arbitrary web script or HTML via the description field to (1) servlet/com.threeis.webta.H710selProject and (2) servlet/com.threeis.webta.H720editProjectInfo. NOTE: BID:29610… | |||
| CVE-2009-1261 | 0.00 | — | 0.00 | Apr 7, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9.1.22 (evaluation version) allow remote attackers to inject arbitrary web script or HTML via the (1) Report Name, (2) Asset No., and (3) Full Name fields in a Models action. NOTE: the provenance of this… | |||
| CVE-2008-6654 | 0.00 | — | 0.00 | Apr 7, 2009 | Cross-site scripting (XSS) vulnerability in search_results.php in InfoBiz Server allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. | |||
| CVE-2008-6646 | 0.00 | — | 0.00 | Apr 7, 2009 | Cross-site scripting (XSS) vulnerability in index.php in CoronaMatrix phpAddressBook 2.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter. | |||
| CVE-2008-6645 | 0.00 | — | 0.00 | Apr 7, 2009 | Cross-site scripting (XSS) vulnerability in Opencosmo VisualSentinel 0.7 allows remote attackers to inject arbitrary web script or HTML via the User-Agent header ($_SERVER ['HTTP_USER_AGENT']), which is not properly handled when displaying log files. | |||
| CVE-2009-1249 | 0.00 | — | 0.00 | Apr 6, 2009 | Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map. | |||
| CVE-2008-6600 | 0.00 | — | 0.00 | Apr 3, 2009 | Cross-site scripting (XSS) vulnerability in the search feature in XMLPortal 3.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter. | |||
| CVE-2008-6589 | 0.00 | — | 0.01 | Apr 3, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php. | |||
| CVE-2008-6571 | 0.00 | — | 0.00 | Mar 31, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.4 might allow remote attackers to inject arbitrary web script or HTML via (1) new_images.php, (2) login.php, and unspecified vectors. | |||
| CVE-2008-6570 | 0.00 | — | 0.01 | Mar 31, 2009 | Cross-site scripting (XSS) vulnerability in the RSS reader in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via a crafted RSS feed. | |||
| CVE-2008-6567 | 0.00 | — | 0.00 | Mar 31, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Gallarific Free Edition allow remote attackers to inject arbitrary web script or HTML via (1) the e-mail address, (2) a comment, which is not properly handled during moderation, and (3) the tag parameter to gallery/tags.php. | |||
| CVE-2009-1175 | 0.00 | — | 0.00 | Mar 31, 2009 | Cross-site scripting (XSS) vulnerability in apps/web/vs_diag.cgi in the DAAP extension in Banshee 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the server parameter, which is not properly handled in an error message. | |||
| CVE-2008-6533 | 0.00 | — | 0.00 | Mar 26, 2009 | Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | |||
| CVE-2009-1150 | 0.00 | — | 0.01 | Mar 26, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie. | |||
| CVE-2009-1069 | 0.00 | — | 0.00 | Mar 26, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in… | |||
| CVE-2009-1091 | 0.00 | — | 0.00 | Mar 25, 2009 | Cross-site scripting (XSS) vulnerability in upload.php in Rapidleech rev.36 and earlier allows remote attackers to inject arbitrary web script or HTML via the uploaded parameter. | |||
| CVE-2009-1081 | 0.00 | — | 0.00 | Mar 25, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Identity Manager (IdM) 7.0 through 8.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs 19595 and 19661. |
- CVE-2008-6681Apr 9, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element.
- CVE-2008-2025Apr 9, 2009risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to…
- CVE-2007-6726Apr 9, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/.
- CVE-2008-6666Apr 8, 2009risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Kronos webTA allow remote attackers to inject arbitrary web script or HTML via the description field to (1) servlet/com.threeis.webta.H710selProject and (2) servlet/com.threeis.webta.H720editProjectInfo. NOTE: BID:29610…
- CVE-2009-1261Apr 7, 2009risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9.1.22 (evaluation version) allow remote attackers to inject arbitrary web script or HTML via the (1) Report Name, (2) Asset No., and (3) Full Name fields in a Models action. NOTE: the provenance of this…
- CVE-2008-6654Apr 7, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in search_results.php in InfoBiz Server allows remote attackers to inject arbitrary web script or HTML via the keywords parameter.
- CVE-2008-6646Apr 7, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in CoronaMatrix phpAddressBook 2.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
- CVE-2008-6645Apr 7, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Opencosmo VisualSentinel 0.7 allows remote attackers to inject arbitrary web script or HTML via the User-Agent header ($_SERVER ['HTTP_USER_AGENT']), which is not properly handled when displaying log files.
- CVE-2009-1249Apr 6, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.
- CVE-2008-6600Apr 3, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the search feature in XMLPortal 3.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter.
- CVE-2008-6589Apr 3, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.
- CVE-2008-6571Mar 31, 2009risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.4 might allow remote attackers to inject arbitrary web script or HTML via (1) new_images.php, (2) login.php, and unspecified vectors.
- CVE-2008-6570Mar 31, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the RSS reader in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.
- CVE-2008-6567Mar 31, 2009risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Gallarific Free Edition allow remote attackers to inject arbitrary web script or HTML via (1) the e-mail address, (2) a comment, which is not properly handled during moderation, and (3) the tag parameter to gallery/tags.php.
- CVE-2009-1175Mar 31, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in apps/web/vs_diag.cgi in the DAAP extension in Banshee 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the server parameter, which is not properly handled in an error message.
- CVE-2008-6533Mar 26, 2009risk 0.00cvss —epss 0.00
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
- CVE-2009-1150Mar 26, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie.
- CVE-2009-1069Mar 26, 2009risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in…
- CVE-2009-1091Mar 25, 2009risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in upload.php in Rapidleech rev.36 and earlier allows remote attackers to inject arbitrary web script or HTML via the uploaded parameter.
- CVE-2009-1081Mar 25, 2009risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Identity Manager (IdM) 7.0 through 8.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs 19595 and 19661.