CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (22,695)
page 1110 of 1,135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-1502 | 0.00 | — | 0.01 | Mar 25, 2008 | The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing… | |||
| CVE-2008-1487 | 0.00 | — | 0.00 | Mar 24, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.3 allow remote attackers to inject arbitrary web script or HTML via (1) ftp/index.php, (2) viewer.php, (3) functions/other.php, (4) include/left_menu.class.php, and (5) plugins/stats/stats_view.php. | |||
| CVE-2008-1485 | 0.00 | — | 0.00 | Mar 24, 2008 | Cross-site scripting (XSS) vulnerability in PunBB 1.2.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the get_host parameter to moderate.php. | |||
| CVE-2008-1474 | 0.00 | — | 0.01 | Mar 24, 2008 | Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS). | |||
| CVE-2008-1476 | 0.00 | — | 0.01 | Mar 24, 2008 | Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to received trackbacks. | |||
| CVE-2008-1477 | 0.00 | — | 0.00 | Mar 24, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in busca.php in eForum 0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) busca and (2) link parameters. | |||
| CVE-2008-1468 | 0.00 | — | 0.01 | Mar 24, 2008 | Cross-site scripting (XSS) vulnerability in namazu.cgi in Namazu before 2.0.18 allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded input, related to failure to set the charset, a different vector than CVE-2004-1318 and CVE-2001-1350. NOTE: some of… | |||
| CVE-2008-1428 | 0.00 | — | 0.00 | Mar 20, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-beta7 module for Drupal allow remote attackers to inject arbitrary web script or HTML via a text attribute value for a product. | |||
| CVE-2008-1432 | 0.00 | — | 0.00 | Mar 20, 2008 | Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine SupportCenter Plus 7.0.0 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter, a related issue to CVE-2008-1299. NOTE: the provenance of this information is… | |||
| CVE-2008-1399 | 0.00 | — | 0.00 | Mar 20, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Clansphere 2008 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… | |||
| CVE-2008-1004 | 0.00 | — | 0.01 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the Web Inspector. | |||
| CVE-2008-1011 | 0.00 | — | 0.02 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame. | |||
| CVE-2008-1009 | 0.00 | — | 0.01 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary JavaScript by modifying the history object. | |||
| CVE-2008-1008 | 0.00 | — | 0.01 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via the document.domain property. | |||
| CVE-2008-1007 | 0.00 | — | 0.01 | Mar 19, 2008 | WebCore, as used in Apple Safari before 3.1, does not enforce the frame navigation policy for Java applets, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | |||
| CVE-2008-1001 | 0.00 | — | 0.00 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1, when running on Windows XP or Vista, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is not properly handled in the error page. | |||
| CVE-2008-1002 | 0.00 | — | 0.02 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 allows remote attackers to inject arbitrary web script or HTML via a crafted javascript: URL. | |||
| CVE-2008-1003 | 0.00 | — | 0.01 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to sites that set the document.domain property or have the same document.domain. | |||
| CVE-2008-1006 | 0.00 | — | 0.01 | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML by using the window.open function to change the security context of a web page. | |||
| CVE-2008-1359 | 0.00 | — | 0.00 | Mar 17, 2008 | Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB or IP.Board) 2.3.4 before 2008-03-13 allows remote attackers to inject arbitrary web script or HTML via nested BBCodes, a different vector than CVE-2008-0913. |
- CVE-2008-1502Mar 25, 2008risk 0.00cvss —epss 0.01
The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing…
- CVE-2008-1487Mar 24, 2008risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.3 allow remote attackers to inject arbitrary web script or HTML via (1) ftp/index.php, (2) viewer.php, (3) functions/other.php, (4) include/left_menu.class.php, and (5) plugins/stats/stats_view.php.
- CVE-2008-1485Mar 24, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in PunBB 1.2.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the get_host parameter to moderate.php.
- CVE-2008-1474Mar 24, 2008risk 0.00cvss —epss 0.01
Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS).
- CVE-2008-1476Mar 24, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to received trackbacks.
- CVE-2008-1477Mar 24, 2008risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in busca.php in eForum 0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) busca and (2) link parameters.
- CVE-2008-1468Mar 24, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in namazu.cgi in Namazu before 2.0.18 allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded input, related to failure to set the charset, a different vector than CVE-2004-1318 and CVE-2001-1350. NOTE: some of…
- CVE-2008-1428Mar 20, 2008risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-beta7 module for Drupal allow remote attackers to inject arbitrary web script or HTML via a text attribute value for a product.
- CVE-2008-1432Mar 20, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine SupportCenter Plus 7.0.0 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter, a related issue to CVE-2008-1299. NOTE: the provenance of this information is…
- CVE-2008-1399Mar 20, 2008risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Clansphere 2008 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
- CVE-2008-1004Mar 19, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the Web Inspector.
- CVE-2008-1011Mar 19, 2008risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame.
- CVE-2008-1009Mar 19, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary JavaScript by modifying the history object.
- CVE-2008-1008Mar 19, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via the document.domain property.
- CVE-2008-1007Mar 19, 2008risk 0.00cvss —epss 0.01
WebCore, as used in Apple Safari before 3.1, does not enforce the frame navigation policy for Java applets, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
- CVE-2008-1001Mar 19, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1, when running on Windows XP or Vista, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is not properly handled in the error page.
- CVE-2008-1002Mar 19, 2008risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 allows remote attackers to inject arbitrary web script or HTML via a crafted javascript: URL.
- CVE-2008-1003Mar 19, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to sites that set the document.domain property or have the same document.domain.
- CVE-2008-1006Mar 19, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML by using the window.open function to change the security context of a web page.
- CVE-2008-1359Mar 17, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB or IP.Board) 2.3.4 before 2008-03-13 allows remote attackers to inject arbitrary web script or HTML via nested BBCodes, a different vector than CVE-2008-0913.