CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 1124 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2007-4945	Jasmine Technologies Lettergrade	—	0.00	Sep 18, 2007	Multiple cross-site scripting (XSS) vulnerabilities in LetterGrade allow remote attackers to inject arbitrary web script or HTML via (1) a student's email address, (2) the year parameter to genbrws/Student/cal_month.php3, and other unspecified vectors related to the calendar. …
CVE-2007-4929	Axis 207w Network Camera	—	0.00	Sep 18, 2007	Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 207W camera allow remote attackers to inject arbitrary web script or HTML via the camNo parameter to incl/image_incl.shtml, and other unspecified vectors.
CVE-2007-4912	Invision Power Services Invision Power Board	—	0.00	Sep 17, 2007	Cross-site scripting (XSS) vulnerability in ips_kernel/class_ajax.php in Invision Power Board (IPB or IP.Board) 2.3.1 up to 20070912 allows remote attackers to inject arbitrary web script or HTML into user profile fields via unspecified vectors related to character sets other…
CVE-2007-4900	Rsa Envision	—	0.01	Sep 14, 2007	Cross-site scripting (XSS) vulnerability in the logon page in RSA EnVision 3.3.6 Build 0115 allows remote attackers to inject arbitrary web script or HTML via the username field.
CVE-2007-4882	Techexcel Inc. Customerwise	—	0.00	Sep 14, 2007	Multiple cross-site scripting (XSS) vulnerabilities in TechExcel CustomerWise (formerly TechExcel CRM) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-4883	MediaWiki Mediawiki	—	0.00	Sep 14, 2007	Cross-site scripting (XSS) vulnerability in the BotQuery extension in MediaWiki 1.7.x and earlier before SVN 20070910 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a similar issue to CVE-2007-4828.
CVE-2007-4831	Torrenttrader Torrenttrader	—	0.00	Sep 12, 2007	Multiple cross-site scripting (XSS) vulnerabilities in account_settings.php in TorrentTrader 1.07 allow remote attackers to inject arbitrary web script or HTML via the (1) avatar and (2) title parameters.
CVE-2007-4828	MediaWiki Mediawiki	—	0.01	Sep 12, 2007	Cross-site scripting (XSS) vulnerability in the API pretty-printing mode in MediaWiki 1.8.0 through 1.8.4, 1.9.0 through 1.9.3, 1.10.0 through 1.10.1, and the 1.11 development versions before 1.11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified…
CVE-2007-4830	Directadmin Directadmin	—	0.00	Sep 12, 2007	Cross-site scripting (XSS) vulnerability in CMD_BANDWIDTH_BREAKDOWN in DirectAdmin 1.30.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the user parameter.
CVE-2007-4836	Phpmyquote Phpmyquote	—	0.01	Sep 12, 2007	Cross-site scripting (XSS) vulnerability in index.php in phpMyQuote 0.20 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an edit action.
CVE-2007-4811	Netjuke Netjuke	—	0.00	Sep 11, 2007	Multiple cross-site scripting (XSS) vulnerabilities in Netjuke 1.0-rc2 allow remote attackers to inject arbitrary web script or HTML via (1) the val parameter to alphabet.php in an alpha.albums action, or the PATH_INFO to (2) random.php or (3) admin/hidden.php.
CVE-2007-4813	Domino Blogsphere Domino Blogsphere	—	0.00	Sep 11, 2007	Cross-site scripting (XSS) vulnerability in Domino Blogsphere 3.01 Beta 7 allows remote attackers to inject arbitrary web script or HTML via the name field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-4779	Joomla Joomla!	—	0.00	Sep 10, 2007	Cross-site scripting (XSS) vulnerability in Joomla! 1.5 before RC2 (aka Endeleo) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably related to the archive section.
CVE-2007-4512	Sophos Anti Virus	—	0.01	Sep 10, 2007	Cross-site scripting (XSS) vulnerability in Sophos Anti-Virus for Windows 6.x before 6.5.8 and 7.x before 7.0.1 allows remote attackers to inject arbitrary web script or HTML via an archive with a file that matches a virus signature and has a crafted filename that is not…
CVE-2007-4760	Hitachi Ucosminexus Application Server Enterprise	—	0.00	Sep 8, 2007	The javadoc tool in Cosminexus Developer's Kit for Java in Cosminexus 7 and 7.5 can generate HTML documents that contain cross-site scripting (XSS) vulnerabilities, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this is…
CVE-2007-4745	Mambo (software) Site Server	—	0.00	Sep 6, 2007	Multiple cross-site scripting (XSS) vulnerabilities in the AkoBook 3.42 and earlier component (com_akobook) for Mambo allow remote attackers to inject arbitrary web script or HTML via Javascript events in the (1) gbmail and (2) gbpage parameters in the sign function.
CVE-2007-4741	Claroline Claroline	—	0.00	Sep 6, 2007	Cross-site scripting (XSS) vulnerability in admin/adminusers.php in Claroline before 1.8.6 allows remote authenticated administrators to inject arbitrary web script or HTML via the sort parameter. NOTE: the provenance of this information is unknown; the details are obtained…
CVE-2007-4713	Roi Revolution Urchin	—	0.01	Sep 5, 2007	Multiple cross-site scripting (XSS) vulnerabilities in urchin.cgi in Urchin 5.6.00r2 allow remote attackers to inject arbitrary web script or HTML via the (1) dtc, (2) vid, (3) n, (4) dt, (5) ed, and (6) bd parameters.
CVE-2007-4633	Cisco Systems, Inc. Unified Communications Manager	—	0.01	Aug 31, 2007	Multiple cross-site scripting (XSS) vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to inject arbitrary web script or HTML via the lang…
CVE-2007-4595	The Seasar Foundation Mayaa	—	0.01	Aug 29, 2007	Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.12 allows remote attackers to inject arbitrary web script or HTML in certain circumstances involving (1) lack of charset specification within a META element or (2) a META element that specifies an unrecognized charset,…

CVE-2007-4945Sep 18, 2007
Jasmine Technologies
Lettergrade
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in LetterGrade allow remote attackers to inject arbitrary web script or HTML via (1) a student's email address, (2) the year parameter to genbrws/Student/cal_month.php3, and other unspecified vectors related to the calendar. …
CVE-2007-4929Sep 18, 2007
Axis
207w Network Camera
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 207W camera allow remote attackers to inject arbitrary web script or HTML via the camNo parameter to incl/image_incl.shtml, and other unspecified vectors.
CVE-2007-4912Sep 17, 2007
Invision Power Services
Invision Power Board
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in ips_kernel/class_ajax.php in Invision Power Board (IPB or IP.Board) 2.3.1 up to 20070912 allows remote attackers to inject arbitrary web script or HTML into user profile fields via unspecified vectors related to character sets other…
CVE-2007-4900Sep 14, 2007
Rsa
Envision
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the logon page in RSA EnVision 3.3.6 Build 0115 allows remote attackers to inject arbitrary web script or HTML via the username field.
CVE-2007-4882Sep 14, 2007
Techexcel Inc.
Customerwise
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in TechExcel CustomerWise (formerly TechExcel CRM) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-4883Sep 14, 2007
MediaWiki
Mediawiki
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the BotQuery extension in MediaWiki 1.7.x and earlier before SVN 20070910 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a similar issue to CVE-2007-4828.
CVE-2007-4831Sep 12, 2007
Torrenttrader
Torrenttrader
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in account_settings.php in TorrentTrader 1.07 allow remote attackers to inject arbitrary web script or HTML via the (1) avatar and (2) title parameters.
CVE-2007-4828Sep 12, 2007
MediaWiki
Mediawiki
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the API pretty-printing mode in MediaWiki 1.8.0 through 1.8.4, 1.9.0 through 1.9.3, 1.10.0 through 1.10.1, and the 1.11 development versions before 1.11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified…
CVE-2007-4830Sep 12, 2007
Directadmin
Directadmin
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in CMD_BANDWIDTH_BREAKDOWN in DirectAdmin 1.30.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the user parameter.
CVE-2007-4836Sep 12, 2007
Phpmyquote
Phpmyquote
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in phpMyQuote 0.20 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an edit action.
CVE-2007-4811Sep 11, 2007
Netjuke
Netjuke
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Netjuke 1.0-rc2 allow remote attackers to inject arbitrary web script or HTML via (1) the val parameter to alphabet.php in an alpha.albums action, or the PATH_INFO to (2) random.php or (3) admin/hidden.php.
CVE-2007-4813Sep 11, 2007
Domino Blogsphere
Domino Blogsphere
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Domino Blogsphere 3.01 Beta 7 allows remote attackers to inject arbitrary web script or HTML via the name field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-4779Sep 10, 2007
Joomla
Joomla!
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Joomla! 1.5 before RC2 (aka Endeleo) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably related to the archive section.
CVE-2007-4512Sep 10, 2007
Sophos
Anti Virus
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Sophos Anti-Virus for Windows 6.x before 6.5.8 and 7.x before 7.0.1 allows remote attackers to inject arbitrary web script or HTML via an archive with a file that matches a virus signature and has a crafted filename that is not…
CVE-2007-4760Sep 8, 2007
Hitachi
Ucosminexus Application Server Enterprise
risk 0.00cvss —epss 0.00
The javadoc tool in Cosminexus Developer's Kit for Java in Cosminexus 7 and 7.5 can generate HTML documents that contain cross-site scripting (XSS) vulnerabilities, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this is…
CVE-2007-4745Sep 6, 2007
Mambo (software)
Site Server
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the AkoBook 3.42 and earlier component (com_akobook) for Mambo allow remote attackers to inject arbitrary web script or HTML via Javascript events in the (1) gbmail and (2) gbpage parameters in the sign function.
CVE-2007-4741Sep 6, 2007
Claroline
Claroline
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in admin/adminusers.php in Claroline before 1.8.6 allows remote authenticated administrators to inject arbitrary web script or HTML via the sort parameter. NOTE: the provenance of this information is unknown; the details are obtained…
CVE-2007-4713Sep 5, 2007
Roi Revolution
Urchin
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in urchin.cgi in Urchin 5.6.00r2 allow remote attackers to inject arbitrary web script or HTML via the (1) dtc, (2) vid, (3) n, (4) dt, (5) ed, and (6) bd parameters.
CVE-2007-4633Aug 31, 2007
Cisco Systems, Inc.
Unified Communications Manager
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to inject arbitrary web script or HTML via the lang…
CVE-2007-4595Aug 29, 2007
The Seasar Foundation
Mayaa
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.12 allows remote attackers to inject arbitrary web script or HTML in certain circumstances involving (1) lack of charset specification within a META element or (2) a META element that specifies an unrecognized charset,…