CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 1115 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2008-0578	Tripwire Tripwire Enterprise	—	0.01	Feb 5, 2008	Cross-site scripting (XSS) vulnerability in the web management login page in Tripwire Enterprise 7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-0181	Liferay Liferay Enterprise Portal	—	0.01	Feb 5, 2008	Cross-site scripting (XSS) vulnerability in the Admin portlet in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Shutdown message.
CVE-2008-0179	Liferay Liferay Enterprise Portal	—	0.02	Feb 5, 2008	Cross-site scripting (XSS) vulnerability in service/impl/UserLocalServiceImpl.java in Liferay Portal 4.3.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, which is used when composing Forgot Password e-mail messages in HTML format.
CVE-2008-0180	Liferay Liferay Enterprise Portal	—	0.01	Feb 5, 2008	Cross-site scripting (XSS) vulnerability in themes/_unstyled/templates/init.vm in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Greeting field in a User Profile.
CVE-2008-0558	Uniwin Ecart Professional	—	0.00	Feb 4, 2008	Cross-site scripting (XSS) vulnerability in Uniwin eCart Professional before 2.0.16 allows remote attackers to inject arbitrary web script or HTML via the rp parameter to cartView.asp and unspecified other components. NOTE: the provenance of this information is unknown; the…
CVE-2007-6695	Drake Team Drake CMS	—	0.00	Feb 1, 2008	Cross-site scripting (XSS) vulnerability in index.php in Drake CMS 0.4.9 allows remote attackers to inject arbitrary web script or HTML via the option parameter.
CVE-2008-0523	Softcart Softcart	—	0.00	Jan 31, 2008	Multiple cross-site scripting (XSS) vulnerabilities in SoftCart.exe in SoftCart 5.1.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) License_Plate, (2) License_State, (3) Ticket_Date, and (4) Ticket_Number parameters. NOTE: the provenance of this…
CVE-2008-0505	Coppermine Coppermine Photo Gallery	—	0.01	Jan 31, 2008	Multiple cross-site scripting (XSS) vulnerabilities in docs/showdoc.php in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote attackers to inject arbitrary web script or HTML via the (1) h and (2) t parameters.
CVE-2008-0522	Hal Networks Perl Cgi Cart	—	0.01	Jan 31, 2008	Cross-site scripting (XSS) vulnerability in multiple Hal Networks shopping-cart products allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-0494	Endian Firewall	—	0.00	Jan 30, 2008	Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in Endian Firewall 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the psearch parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
CVE-2008-0409	Hfs HTTP File Server	—	0.01	Jan 29, 2008	Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL.
CVE-2008-0462	Drupal Drupal	—	0.00	Jan 25, 2008	Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-0463	Drupal Workflow	—	0.00	Jan 25, 2008	Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties.
CVE-2008-0444	Elog Elog	—	0.01	Jan 25, 2008	Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components.
CVE-2008-0426	Pacercms Pacercms	—	0.00	Jan 23, 2008	Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PacerCMS before 0.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) headline, or (3) text field in a message.
CVE-2008-0404	Mantisbt Mantis	—	0.01	Jan 23, 2008	Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary.
CVE-2008-0370	CPanel Cpanel	—	0.00	Jan 22, 2008	Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-0381	Mahara (software) Mahara	—	0.00	Jan 22, 2008	Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files.
CVE-2008-0354	IBM Lotus Sametime	—	0.01	Jan 18, 2008	Cross-site scripting (XSS) vulnerability in the chat client in IBM Lotus Sametime 7.5 and 7.5.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted message, which triggers code execution after a mouseover event initiated by the victim.
CVE-2008-0362	Clever Copy Clever Copy	—	0.00	Jan 18, 2008	Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the album parameter.

CVE-2008-0578Feb 5, 2008
Tripwire
Tripwire Enterprise
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the web management login page in Tripwire Enterprise 7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-0181Feb 5, 2008
Liferay
Liferay Enterprise Portal
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Admin portlet in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Shutdown message.
CVE-2008-0179Feb 5, 2008
Liferay
Liferay Enterprise Portal
risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in service/impl/UserLocalServiceImpl.java in Liferay Portal 4.3.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, which is used when composing Forgot Password e-mail messages in HTML format.
CVE-2008-0180Feb 5, 2008
Liferay
Liferay Enterprise Portal
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in themes/_unstyled/templates/init.vm in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Greeting field in a User Profile.
CVE-2008-0558Feb 4, 2008
Uniwin
Ecart Professional
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Uniwin eCart Professional before 2.0.16 allows remote attackers to inject arbitrary web script or HTML via the rp parameter to cartView.asp and unspecified other components. NOTE: the provenance of this information is unknown; the…
CVE-2007-6695Feb 1, 2008
Drake Team
Drake CMS
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in Drake CMS 0.4.9 allows remote attackers to inject arbitrary web script or HTML via the option parameter.
CVE-2008-0523Jan 31, 2008
Softcart
Softcart
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in SoftCart.exe in SoftCart 5.1.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) License_Plate, (2) License_State, (3) Ticket_Date, and (4) Ticket_Number parameters. NOTE: the provenance of this…
CVE-2008-0505Jan 31, 2008
Coppermine
Coppermine Photo Gallery
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in docs/showdoc.php in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote attackers to inject arbitrary web script or HTML via the (1) h and (2) t parameters.
CVE-2008-0522Jan 31, 2008
Hal Networks
Perl Cgi Cart
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in multiple Hal Networks shopping-cart products allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-0494Jan 30, 2008
Endian
Firewall
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in Endian Firewall 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the psearch parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
CVE-2008-0409Jan 29, 2008
Hfs
HTTP File Server
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL.
CVE-2008-0462Jan 25, 2008
Drupal
Drupal
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-0463Jan 25, 2008
Drupal
Workflow
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties.
CVE-2008-0444Jan 25, 2008
Elog
Elog
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components.
CVE-2008-0426Jan 23, 2008
Pacercms
Pacercms
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PacerCMS before 0.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) headline, or (3) text field in a message.
CVE-2008-0404Jan 23, 2008
Mantisbt
Mantis
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary.
CVE-2008-0370Jan 22, 2008
CPanel
Cpanel
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-0381Jan 22, 2008
Mahara (software)
Mahara
risk 0.00cvss —epss 0.00
Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files.
CVE-2008-0354Jan 18, 2008
IBM
Lotus Sametime
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the chat client in IBM Lotus Sametime 7.5 and 7.5.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted message, which triggers code execution after a mouseover event initiated by the victim.
CVE-2008-0362Jan 18, 2008
Clever Copy
Clever Copy
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the album parameter.