CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 1109 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2008-1792	Drupalr Flickr	—	0.00	Apr 15, 2008	Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1794	Drupal Webform Module	—	0.00	Apr 15, 2008	Multiple cross-site scripting (XSS) vulnerabilities in the Webform Drupal module 5.x before 5.x-1.10, 5.x-2.x before 5.x-2.0-beta3, and 6.x before 6.x-1.0-beta3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1793	Hoffice Smart Classified Ads	—	0.00	Apr 15, 2008	Multiple cross-site scripting (XSS) vulnerabilities in view.cgi in Smart Classified ADS Professional, Smart Photo ADS, and Smart Photo ADS Gold allow remote attackers to inject arbitrary web script or HTML via the (1) AdNum and (2) Department parameters. NOTE: the provenance of…
CVE-2008-1775	Manageengine Firewallanalyzer	—	0.00	Apr 14, 2008	Cross-site scripting (XSS) vulnerability in mindex.do in ManageEngine Firewall Analyzer 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the displayName parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from…
CVE-2008-1753	Alkacon Opencms	—	0.00	Apr 11, 2008	Cross-site scripting (XSS) vulnerability in system/workplace/admin/workplace/sessions.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the searchfilter parameter, a different vector than CVE-2008-1510.
CVE-2008-1716	Woltlab Burning Board	—	0.00	Apr 9, 2008	Cross-site scripting (XSS) vulnerability in WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page and (2) form parameters, which are not properly handled when they are reflected back…
CVE-2008-1698	Ventrian Simple Gallery	—	0.00	Apr 8, 2008	Cross-site scripting (XSS) vulnerability in gallery.php in Simple Gallery 2.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
CVE-2008-1634	WordPress Folder Gallery	—	0.00	Apr 2, 2008	Cross-site scripting (XSS) vulnerability in index.php in JV2 Folder Gallery 3.1 allows remote attackers to inject arbitrary web script or HTML via the image parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
CVE-2008-1629	Pau Rodriguez Phpkrm	—	0.00	Apr 2, 2008	Cross-site scripting (XSS) vulnerability in PHPkrm before 1.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1636	WordPress Bee Quick Gallery	—	0.00	Apr 2, 2008	Cross-site scripting (XSS) vulnerability in index.php in JV2 Quick Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the f parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-1630	Cuteflow Cuteflow	—	0.00	Apr 2, 2008	Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5)…
CVE-2008-1603	Gnb Designform	—	0.00	Apr 1, 2008	Cross-site scripting (XSS) vulnerability in GNB DesignForm before 3.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the email form.
CVE-2008-1604	Perlmailer Perlmailer	—	0.00	Apr 1, 2008	Cross-site scripting (XSS) vulnerability in PerlMailer before 3.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1566	Manageengine Applications Manager	—	0.00	Mar 31, 2008	Cross-site scripting (XSS) vulnerability in Search.do in ManageEngine Applications Manager 8.x allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
CVE-2008-1550	Cubecart Cubecart	—	0.00	Mar 31, 2008	Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and the (2) Submit parameter.
CVE-2008-1548	Aeries Aeries Browser Interface	—	0.00	Mar 31, 2008	Multiple cross-site scripting (XSS) vulnerabilities in Aeries Browser Interface (ABI) 3.8.3.14 in Eagle Software Aries Student Information System allow remote attackers to inject arbitrary web script or HTML via the (1) UserName parameter to loginproc.asp and the (2) usr…
CVE-2008-1538	Manageengine Eventlog Analyzer	—	0.00	Mar 28, 2008	Cross-site scripting (XSS) vulnerability in searchAction.do in ManageEngine EventLog Analyzer 5 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from…
CVE-2008-1536	Picturespro Picturespro Photo Cart	—	0.00	Mar 28, 2008	Cross-site scripting (XSS) vulnerability in index.php in Pictures Pro (aka Tim Grissett) Photo Cart 4.1 allows remote attackers to inject arbitrary web script or HTML via the amessage parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-1510	Alkacon Opencms	—	0.01	Mar 25, 2008	Cross-site scripting (XSS) vulnerability in system/workplace/admin/accounts/users_list.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the (1) searchfilter or (2) listSearchFilter parameter.
CVE-2008-1502	Moodle Moodle	—	0.01	Mar 25, 2008	The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing…

CVE-2008-1792Apr 15, 2008
Drupalr
Flickr
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1794Apr 15, 2008
Drupal
Webform Module
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the Webform Drupal module 5.x before 5.x-1.10, 5.x-2.x before 5.x-2.0-beta3, and 6.x before 6.x-1.0-beta3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1793Apr 15, 2008
Hoffice
Smart Classified Ads
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in view.cgi in Smart Classified ADS Professional, Smart Photo ADS, and Smart Photo ADS Gold allow remote attackers to inject arbitrary web script or HTML via the (1) AdNum and (2) Department parameters. NOTE: the provenance of…
CVE-2008-1775Apr 14, 2008
Manageengine
Firewallanalyzer
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in mindex.do in ManageEngine Firewall Analyzer 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the displayName parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from…
CVE-2008-1753Apr 11, 2008
Alkacon
Opencms
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in system/workplace/admin/workplace/sessions.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the searchfilter parameter, a different vector than CVE-2008-1510.
CVE-2008-1716Apr 9, 2008
Woltlab
Burning Board
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page and (2) form parameters, which are not properly handled when they are reflected back…
CVE-2008-1698Apr 8, 2008
Ventrian
Simple Gallery
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in gallery.php in Simple Gallery 2.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
CVE-2008-1634Apr 2, 2008
WordPress
Folder Gallery
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in JV2 Folder Gallery 3.1 allows remote attackers to inject arbitrary web script or HTML via the image parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
CVE-2008-1629Apr 2, 2008
Pau Rodriguez
Phpkrm
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in PHPkrm before 1.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1636Apr 2, 2008
WordPress
Bee Quick Gallery
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in JV2 Quick Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the f parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-1630Apr 2, 2008
Cuteflow
Cuteflow
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5)…
CVE-2008-1603Apr 1, 2008
Gnb
Designform
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in GNB DesignForm before 3.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the email form.
CVE-2008-1604Apr 1, 2008
Perlmailer
Perlmailer
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in PerlMailer before 3.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-1566Mar 31, 2008
Manageengine
Applications Manager
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Search.do in ManageEngine Applications Manager 8.x allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
CVE-2008-1550Mar 31, 2008
Cubecart
Cubecart
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and the (2) Submit parameter.
CVE-2008-1548Mar 31, 2008
Aeries
Aeries Browser Interface
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Aeries Browser Interface (ABI) 3.8.3.14 in Eagle Software Aries Student Information System allow remote attackers to inject arbitrary web script or HTML via the (1) UserName parameter to loginproc.asp and the (2) usr…
CVE-2008-1538Mar 28, 2008
Manageengine
Eventlog Analyzer
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in searchAction.do in ManageEngine EventLog Analyzer 5 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from…
CVE-2008-1536Mar 28, 2008
Picturespro
Picturespro Photo Cart
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in Pictures Pro (aka Tim Grissett) Photo Cart 4.1 allows remote attackers to inject arbitrary web script or HTML via the amessage parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-1510Mar 25, 2008
Alkacon
Opencms
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in system/workplace/admin/accounts/users_list.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the (1) searchfilter or (2) listSearchFilter parameter.
CVE-2008-1502Mar 25, 2008
Moodle
Moodle
risk 0.00cvss —epss 0.01
The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing…