CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (22,695)
page 1121 of 1,135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2007-5683 | 0.00 | — | 0.00 | Oct 26, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to the password reminder page (tiki-remind_password.php), (2) IMG tags in wiki pages, and (3) the… | |||
| CVE-2007-5673 | 0.00 | — | 0.00 | Oct 24, 2007 | Cross-site scripting (XSS) vulnerability in cgi-bin/webif.exe in ifnet WebIf allows remote attackers to inject arbitrary web script or HTML via the cmd parameter. | |||
| CVE-2007-5624 | 0.00 | — | 0.00 | Oct 23, 2007 | Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. | |||
| CVE-2007-5629 | 0.00 | — | 0.01 | Oct 23, 2007 | Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804. NOTE: the provenance of this information is unknown; the… | |||
| CVE-2007-5472 | 0.00 | — | 0.01 | Oct 22, 2007 | Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer. | |||
| CVE-2007-5621 | 0.00 | — | 0.00 | Oct 22, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote… | |||
| CVE-2007-5596 | 0.00 | — | 0.01 | Oct 19, 2007 | The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files. | |||
| CVE-2007-5598 | 0.00 | — | 0.01 | Oct 19, 2007 | Cross-site scripting (XSS) vulnerability in Weblinks for Drupal 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2007-5588 | 0.00 | — | 0.00 | Oct 19, 2007 | Cross-site scripting (XSS) vulnerability in mnoGoSearch before 3.2.43 allows remote attackers to inject arbitrary web script or HTML via the t parameter in search.cgi, as reachable from search.htm-dist. | |||
| CVE-2007-5577 | 0.00 | — | 0.00 | Oct 18, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.13 (aka Sunglow) allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Section Name form fields in the Section Manager component, or (3) multiple unspecified fields in New… | |||
| CVE-2007-5547 | 0.00 | — | 0.00 | Oct 18, 2007 | Cross-site scripting (XSS) vulnerability in Cisco IOS allows remote attackers to inject arbitrary web script or HTML, and execute IOS commands, via unspecified vectors, aka PSIRT-2022590358. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable… | |||
| CVE-2007-5564 | 0.00 | — | 0.00 | Oct 18, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in NSSboard (formerly Simple PHP Forum) 6.1 allow remote attackers to inject arbitrary web script or HTML via (1) HTML tags when BBcode is disabled; or the (2) user, (3) email, or (4) Real Name fields in a profile. | |||
| CVE-2007-5477 | 0.00 | — | 0.01 | Oct 16, 2007 | Cross-site scripting (XSS) vulnerability in auth.w in djeyl.net WebMod 0.48 Half-Life Dedicated Server plugin allows remote attackers to inject arbitrary web script or HTML via the redir parameter. | |||
| CVE-2007-5479 | 0.00 | — | 0.00 | Oct 16, 2007 | Cross-site scripting (XSS) vulnerability in Search.asp in Xcomputer allows remote attackers to inject arbitrary web script or HTML via the EXPS parameter. | |||
| CVE-2007-5459 | 0.00 | — | 0.01 | Oct 14, 2007 | Cross-site scripting (XSS) vulnerability in the sidebar HTML page in the MouseoverDictionary before 0.6.2 extension for Mozilla Firefox allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2007-5443 | 0.00 | — | 0.00 | Oct 14, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.1.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) the anchor tag and (2) listtags. | |||
| CVE-2007-5433 | 0.00 | — | 0.01 | Oct 12, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Site-Up 2.64 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) search or (2) search mask field. | |||
| CVE-2007-5434 | 0.00 | — | 0.00 | Oct 12, 2007 | Cross-site scripting (XSS) vulnerability in PRO-search 0.17.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the q parameter to the default URI. | |||
| CVE-2007-5415 | 0.00 | — | 0.00 | Oct 12, 2007 | Cross-site scripting (XSS) vulnerability in Mozilla Firefox 2.0, when UTF-7 document content is rendered directly in UTF-7, allows remote attackers to inject arbitrary web script or HTML via a gopher URI that uses '/' (slash) characters to delimit a literal string within an XSS… | |||
| CVE-2007-5414 | 0.00 | — | 0.00 | Oct 12, 2007 | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0, when UTF-7 document content is rendered directly in UTF-7, allows remote attackers to inject arbitrary web script or HTML via a gopher URI that uses single quote characters to delimit a literal string within… |
- CVE-2007-5683Oct 26, 2007risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to the password reminder page (tiki-remind_password.php), (2) IMG tags in wiki pages, and (3) the…
- CVE-2007-5673Oct 24, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in cgi-bin/webif.exe in ifnet WebIf allows remote attackers to inject arbitrary web script or HTML via the cmd parameter.
- CVE-2007-5624Oct 23, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
- CVE-2007-5629Oct 23, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804. NOTE: the provenance of this information is unknown; the…
- CVE-2007-5472Oct 22, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Server component in CA Host-Based Intrusion Prevention System (HIPS) before 8.0.0.93 allows remote attackers to inject arbitrary web script or HTML via requests that are written to logs for later display in the log viewer.
- CVE-2007-5621Oct 22, 2007risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote…
- CVE-2007-5596Oct 19, 2007risk 0.00cvss —epss 0.01
The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.
- CVE-2007-5598Oct 19, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Weblinks for Drupal 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2007-5588Oct 19, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in mnoGoSearch before 3.2.43 allows remote attackers to inject arbitrary web script or HTML via the t parameter in search.cgi, as reachable from search.htm-dist.
- CVE-2007-5577Oct 18, 2007risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.13 (aka Sunglow) allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Section Name form fields in the Section Manager component, or (3) multiple unspecified fields in New…
- CVE-2007-5547Oct 18, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Cisco IOS allows remote attackers to inject arbitrary web script or HTML, and execute IOS commands, via unspecified vectors, aka PSIRT-2022590358. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable…
- CVE-2007-5564Oct 18, 2007risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in NSSboard (formerly Simple PHP Forum) 6.1 allow remote attackers to inject arbitrary web script or HTML via (1) HTML tags when BBcode is disabled; or the (2) user, (3) email, or (4) Real Name fields in a profile.
- CVE-2007-5477Oct 16, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in auth.w in djeyl.net WebMod 0.48 Half-Life Dedicated Server plugin allows remote attackers to inject arbitrary web script or HTML via the redir parameter.
- CVE-2007-5479Oct 16, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Search.asp in Xcomputer allows remote attackers to inject arbitrary web script or HTML via the EXPS parameter.
- CVE-2007-5459Oct 14, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the sidebar HTML page in the MouseoverDictionary before 0.6.2 extension for Mozilla Firefox allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2007-5443Oct 14, 2007risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.1.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) the anchor tag and (2) listtags.
- CVE-2007-5433Oct 12, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Site-Up 2.64 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) search or (2) search mask field.
- CVE-2007-5434Oct 12, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in PRO-search 0.17.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the q parameter to the default URI.
- CVE-2007-5415Oct 12, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Mozilla Firefox 2.0, when UTF-7 document content is rendered directly in UTF-7, allows remote attackers to inject arbitrary web script or HTML via a gopher URI that uses '/' (slash) characters to delimit a literal string within an XSS…
- CVE-2007-5414Oct 12, 2007risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0, when UTF-7 document content is rendered directly in UTF-7, allows remote attackers to inject arbitrary web script or HTML via a gopher URI that uses single quote characters to delimit a literal string within…