CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 1133 of 1,135

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2005-3283	Tiki Tikiwiki CMS\/groupware	—	0.01	Oct 23, 2005	Cross-site scripting (XSS) vulnerability in TikiWiki before 1.9.1.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2005-3205	Oracle Corporation Database Server	—	0.00	Oct 14, 2005	Cross-site scripting (XSS) vulnerability in iSQL*Plus (iSQLPlus) in Oracle9i Database Server Release 2 9.0.2.4 allows remote attackers to inject arbitrary web script or HTML via script in the "set markup HTML TABLE" command, which is executed when the user selects a table.
CVE-2005-3047	PhpMyAdmin Phpmyfaq	—	0.00	Sep 24, 2005	Multiple cross-site scripting (XSS) vulnerabilities in PhpMyFaq 1.5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PMF_CONF[version] parameter to footer.php or (2) PMF_LANG[metaLanguage] to header.php.
CVE-2005-2981	Orionserver Orion Application Server	—	0.00	Sep 20, 2005	Cross-site scripting (XSS) vulnerability in Orion 1.3.8 and 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting 404 error page.
CVE-2005-2818	Eric Fichot Downfile	—	0.00	Sep 7, 2005	Cross-site scripting (XSS) vulnerability in DownFile 1.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter to (1) email.php,(2) index.php, (3) del.php, or (4) add_form.php.
CVE-2005-2406	Opera Opera Browser	—	0.00	Aug 1, 2005	Opera 8.01 allows remote attackers to conduct cross-site scripting (XSS) attacks or modify which files are uploaded by tricking a user into dragging an image that is a "javascript:" URI.
CVE-2005-2254	Phpauction Phpauction	—	0.00	Jul 13, 2005	Multiple cross-site scripting (XSS) vulnerabilities in PhpAuction 2.5 allow remote attackers to inject arbitrary web script or HTML via the lan parameter to (1) index.php or (2) admin/index.php, or (3) the auction_id parameter to profile.php. NOTE: there is evidence that…
CVE-2005-2022	Sun Corporation Iplanet Messaging Server	—	0.00	Jun 17, 2005	Unknown vulnerability in Webmail in iPlanet Messaging Server 5.2 Patch 1 and Sun ONE Messaging Server 6.2 allows remote attackers to execute arbitrary Javascript, possibly due to a cross-site scripting (XSS) vulnerability.
CVE-2005-1669	Opera Opera Browser	—	0.00	Jun 16, 2005	Cross-site scripting (XSS) vulnerability in Opera 8.0 Final Build 1095 allows remote attackers to inject arbitrary web script or HTML via "javascript:" URLs when a new window or frame is opened, which allows remote attackers to bypass access restrictions and perform unauthorized…
CVE-2005-1778	Warpspeed Postnuke	—	0.00	May 31, 2005	Cross-site scripting (XSS) vulnerability in readpmsg.php in PostNuke 0.750 allows remote attackers to inject arbitrary web script or HTML via the start parameter.
CVE-2005-0485	Php Arena Panews	—	0.01	Mar 30, 2005	Cross-site scripting (XSS) vulnerability in comment.php for paNews 2.0b4 for PHP Arena allows remote attackers to inject arbitrary HTML and web script via the showpost parameter.
CVE-2004-1177	GNU Mailman	—	0.02	Jan 10, 2005	Cross-site scripting (XSS) vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via a URL, which is not properly escaped in the resulting error page.
CVE-2004-1424	Moodle Moodle	—	0.01	Dec 31, 2004	Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVE-2004-1863	Xmb Forum Xmb	—	0.01	Dec 31, 2004	Multiple cross-site scripting (XSS) vulnerabilities in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allow remote attackers to inject arbitrary web script or HTML via (1) the u2uheader parameter in editprofile.php, the restrict parameter in (2) member.php, (3)…
CVE-2004-2741	Horde (software) Application Framework	—	0.01	Dec 31, 2004	Cross-site scripting (XSS) vulnerability in the "help window" (help.php) in Horde Application Framework 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) module, (2) topic, or (3) module parameters.
CVE-2004-2688	Newsphp Newsphp	—	0.00	Dec 31, 2004	Cross-site scripting (XSS) vulnerability in index.php in NewsPHP allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. NOTE: this issue might overlap vector 3 in CVE-2006-3358.
CVE-2004-2752	Warpspeed Postnuke	—	0.00	Dec 31, 2004	Cross-site scripting (XSS) vulnerability in the Downloads module in PostNuke up to 0.726, and possibly later versions, allows remote attackers to inject arbitrary HTML and web script via the ttitle parameter in a viewdownloaddetails action.
CVE-2004-2755	Symantec Web Security	—	0.01	Dec 31, 2004	Cross-site scripting (XSS) vulnerability in Symantec Web Security 2.5, 3.0.0, and 3.0.1 before build 62 allows remote attackers to inject arbitrary web script or HTML via the query string in blocked URLs that are listed in (1) error or (2) block page messages.
CVE-2004-2735	Fredric Fredricson P4db	—	0.01	Dec 31, 2004	Cross-site scripting (XSS) vulnerability in P4DB 2.01 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) SET_PREFERENCES parameter in SetPreferences.cgi; (2) BRANCH parameter in branchView.cgi; (3) FSPC and (4) COMPLETE parameters in…
CVE-2004-2757	Novell Ichain	—	0.00	Dec 31, 2004	Cross-site scripting (XSS) vulnerability in the failed login page in Novell iChain before 2.2 build 2.2.113 and 2.3 First Customer Ship (FCS) allows remote attackers to inject arbitrary web script or HTML via url parameter.

CVE-2005-3283Oct 23, 2005
Tiki
Tikiwiki CMS\/groupware
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in TikiWiki before 1.9.1.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2005-3205Oct 14, 2005
Oracle Corporation
Database Server
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in iSQL*Plus (iSQLPlus) in Oracle9i Database Server Release 2 9.0.2.4 allows remote attackers to inject arbitrary web script or HTML via script in the "set markup HTML TABLE" command, which is executed when the user selects a table.
CVE-2005-3047Sep 24, 2005
PhpMyAdmin
Phpmyfaq
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in PhpMyFaq 1.5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PMF_CONF[version] parameter to footer.php or (2) PMF_LANG[metaLanguage] to header.php.
CVE-2005-2981Sep 20, 2005
Orionserver
Orion Application Server
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Orion 1.3.8 and 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting 404 error page.
CVE-2005-2818Sep 7, 2005
Eric Fichot
Downfile
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in DownFile 1.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter to (1) email.php,(2) index.php, (3) del.php, or (4) add_form.php.
CVE-2005-2406Aug 1, 2005
Opera
Opera Browser
risk 0.00cvss —epss 0.00
Opera 8.01 allows remote attackers to conduct cross-site scripting (XSS) attacks or modify which files are uploaded by tricking a user into dragging an image that is a "javascript:" URI.
CVE-2005-2254Jul 13, 2005
Phpauction
Phpauction
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in PhpAuction 2.5 allow remote attackers to inject arbitrary web script or HTML via the lan parameter to (1) index.php or (2) admin/index.php, or (3) the auction_id parameter to profile.php. NOTE: there is evidence that…
CVE-2005-2022Jun 17, 2005
Sun Corporation
Iplanet Messaging Server
risk 0.00cvss —epss 0.00
Unknown vulnerability in Webmail in iPlanet Messaging Server 5.2 Patch 1 and Sun ONE Messaging Server 6.2 allows remote attackers to execute arbitrary Javascript, possibly due to a cross-site scripting (XSS) vulnerability.
CVE-2005-1669Jun 16, 2005
Opera
Opera Browser
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Opera 8.0 Final Build 1095 allows remote attackers to inject arbitrary web script or HTML via "javascript:" URLs when a new window or frame is opened, which allows remote attackers to bypass access restrictions and perform unauthorized…
CVE-2005-1778May 31, 2005
Warpspeed
Postnuke
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in readpmsg.php in PostNuke 0.750 allows remote attackers to inject arbitrary web script or HTML via the start parameter.
CVE-2005-0485Mar 30, 2005
Php Arena
Panews
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in comment.php for paNews 2.0b4 for PHP Arena allows remote attackers to inject arbitrary HTML and web script via the showpost parameter.
CVE-2004-1177Jan 10, 2005
GNU
Mailman
risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via a URL, which is not properly escaped in the resulting error page.
CVE-2004-1424Dec 31, 2004
Moodle
Moodle
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVE-2004-1863Dec 31, 2004
Xmb Forum
Xmb
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allow remote attackers to inject arbitrary web script or HTML via (1) the u2uheader parameter in editprofile.php, the restrict parameter in (2) member.php, (3)…
CVE-2004-2741Dec 31, 2004
Horde (software)
Application Framework
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the "help window" (help.php) in Horde Application Framework 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) module, (2) topic, or (3) module parameters.
CVE-2004-2688Dec 31, 2004
Newsphp
Newsphp
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in NewsPHP allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. NOTE: this issue might overlap vector 3 in CVE-2006-3358.
CVE-2004-2752Dec 31, 2004
Warpspeed
Postnuke
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Downloads module in PostNuke up to 0.726, and possibly later versions, allows remote attackers to inject arbitrary HTML and web script via the ttitle parameter in a viewdownloaddetails action.
CVE-2004-2755Dec 31, 2004
Symantec
Web Security
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Symantec Web Security 2.5, 3.0.0, and 3.0.1 before build 62 allows remote attackers to inject arbitrary web script or HTML via the query string in blocked URLs that are listed in (1) error or (2) block page messages.
CVE-2004-2735Dec 31, 2004
Fredric Fredricson
P4db
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in P4DB 2.01 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) SET_PREFERENCES parameter in SetPreferences.cgi; (2) BRANCH parameter in branchView.cgi; (3) FSPC and (4) COMPLETE parameters in…
CVE-2004-2757Dec 31, 2004
Novell
Ichain
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the failed login page in Novell iChain before 2.2 build 2.2.113 and 2.3 First Customer Ship (FCS) allows remote attackers to inject arbitrary web script or HTML via url parameter.