CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,944)

page 1147 of 1,148

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2003-1539	Onedotoh Simple File Manager	—	0.00	Dec 31, 2003	Cross-site scripting (XSS) vulnerability in ONEdotOH Simple File Manager (SFM) before 0.21 allows remote attackers to inject arbitrary web script or HTML via (1) file names and (2) directory names.
CVE-2003-1543	Bajie Java HTTP Server	—	0.00	Dec 31, 2003	Cross-site scripting (XSS) vulnerability in Bajie Http Web Server 0.95zxe, 0.95zxc, and possibly others, allows remote attackers to inject arbitrary web script or HTML via the query string, which is reflected in an error message.
CVE-2003-1384	Py Software Py Livredor	—	0.01	Dec 31, 2003	Cross-site scripting (XSS) vulnerability in index.php in PY-Livredor 1.0 allows remote attackers to insert arbitrary web script or HTML via the (1) titre, (2) Votre pseudo, (3) Votre e-mail, or (4) Votre message fields.
CVE-2003-1370	Nuked Klan Nuked Klan	—	0.00	Dec 31, 2003	Multiple cross-site scripting (XSS) vulnerabilities in Nuked-Klan 1.2b allow remote attackers to inject arbitrary HTML or web script via (1) the Author field in the Guestbook module, (2) the Titre or Pseudo fields in the Forum module, or (3) "La Tribune Libre" in the Shoutbox…
CVE-2003-1353	Lanifex Outreach Project Tool	—	0.00	Dec 31, 2003	Multiple cross-site scripting (XSS) vulnerabilities in Outreach Project Tool (OPT) 0.946b allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the news field.
CVE-2003-1334	Kai Blankenhorn Bitfolge Simple And Nice Index File	—	0.00	Dec 31, 2003	Cross-site scripting (XSS) vulnerability in Kai Blankenhorn Bitfolge simple and nice index file (aka snif) before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2002-2364	PHP Ticket PHP Ticket	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in PHP Ticket 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a help ticket.
CVE-2002-2347	Oracle Corporation Application Server	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in Oracle Java Server Page (OJSP) demo files (1) hellouser.jsp, (2) welcomeuser.jsp and (3) usebean.jsp in Oracle 9i Application Server 9.0.2, 1.0.2.2, 1.0.2.1s and 1.0.2 allows remote attackers to inject arbitrary web script or HTML via…
CVE-2002-2340	Phorum Phorum	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in read.php in Phorum 3.3.2a allows remote attackers to inject arbitrary web script or HTML via (1) the t parameter or (2) the body of an email response.
CVE-2002-2418	Acfp Project Acfreeproxy	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in acFreeProxy (aka acFP) 1.33 beta 7 allows remote attackers to inject arbitrary web script or HTML via the URL, which is inserted into an error page.
CVE-2002-2330	Uninet Statsplus	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in stat.pl in StatsPlus 1.25 allows remote attackers to inject arbitrary web script or HTML via (1) HTTP_USER_AGENT or (2) HTTP_REFERER, which is written to stats.html and executed in client browsers.
CVE-2002-2386	XOOPS Xoops	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in the Quizz module for XOOPS 1.0, when allowing on-line question development, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the SRC attribute of an IMG tag.
CVE-2002-2378	An An Httpd	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in AN HTTP 1.41d allows remote attackers to inject arbitrary web script or HTML via a colon (:) in the query string, which is inserted into the resulting error page.
CVE-2002-2350	Phpoutsourcing Zorum	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in z_user_show.php in dbtreelistproperty_method.php in Zorum 2.4 allows remote attackers to inject arbitrary web script or HTML via the class parameter.
CVE-2002-2278	Portail Web PHP Portailphp	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in mod_search/index.php in PortailPHP 0.99 allows remote attackers to inject arbitrary web script or HTML via the (1) $App_Theme, (2) $Rub_Search, (3) $Rub_News, (4) $Rub_File, (5) $Rub_Liens, or (6) $Rub_Faq variables.
CVE-2002-2273	Webster Webster HTTP Server	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in Webster HTTP Server allows remote attackers to inject arbitrary web script or HTML via the URL.
CVE-2002-2260	Mozilla Corporation Bugzilla	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in the quips feature in Mozilla Bugzilla 2.10 through 2.17 allows remote attackers to inject arbitrary web script or HTML via the "show all quips" page.
CVE-2002-2255	PhpBB phpBB	—	0.04	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in search.php in phpBB 2.0.3 and possibly earlier versions allows remote attackers to inject arbitrary web script or HTML via the search_username parameter in searchuser mode.
CVE-2002-2377	ZAP addentry.cgi	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in addentry.cgi in ZAP 1.0.3 allows remote attackers to inject arbitrary SSi directives, web script, and HTML via the entry field.
CVE-2002-2231	Ikonboard.com Ikonboard	—	0.00	Dec 31, 2002	Cross-site scripting (XSS) vulnerability in Ikonboard 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) a javascript: URL in a photo URL or (2) an X-Forwarded-For: header.

CVE-2003-1539Dec 31, 2003
Onedotoh
Simple File Manager
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in ONEdotOH Simple File Manager (SFM) before 0.21 allows remote attackers to inject arbitrary web script or HTML via (1) file names and (2) directory names.
CVE-2003-1543Dec 31, 2003
Bajie
Java HTTP Server
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Bajie Http Web Server 0.95zxe, 0.95zxc, and possibly others, allows remote attackers to inject arbitrary web script or HTML via the query string, which is reflected in an error message.
CVE-2003-1384Dec 31, 2003
Py Software
Py Livredor
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in PY-Livredor 1.0 allows remote attackers to insert arbitrary web script or HTML via the (1) titre, (2) Votre pseudo, (3) Votre e-mail, or (4) Votre message fields.
CVE-2003-1370Dec 31, 2003
Nuked Klan
Nuked Klan
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Nuked-Klan 1.2b allow remote attackers to inject arbitrary HTML or web script via (1) the Author field in the Guestbook module, (2) the Titre or Pseudo fields in the Forum module, or (3) "La Tribune Libre" in the Shoutbox…
CVE-2003-1353Dec 31, 2003
Lanifex
Outreach Project Tool
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Outreach Project Tool (OPT) 0.946b allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the news field.
CVE-2003-1334Dec 31, 2003
Kai Blankenhorn Bitfolge
Simple And Nice Index File
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Kai Blankenhorn Bitfolge simple and nice index file (aka snif) before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2002-2364Dec 31, 2002
PHP Ticket
PHP Ticket
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in PHP Ticket 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a help ticket.
CVE-2002-2347Dec 31, 2002
Oracle Corporation
Application Server
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Oracle Java Server Page (OJSP) demo files (1) hellouser.jsp, (2) welcomeuser.jsp and (3) usebean.jsp in Oracle 9i Application Server 9.0.2, 1.0.2.2, 1.0.2.1s and 1.0.2 allows remote attackers to inject arbitrary web script or HTML via…
CVE-2002-2340Dec 31, 2002
Phorum
Phorum
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in read.php in Phorum 3.3.2a allows remote attackers to inject arbitrary web script or HTML via (1) the t parameter or (2) the body of an email response.
CVE-2002-2418Dec 31, 2002
Acfp Project
Acfreeproxy
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in acFreeProxy (aka acFP) 1.33 beta 7 allows remote attackers to inject arbitrary web script or HTML via the URL, which is inserted into an error page.
CVE-2002-2330Dec 31, 2002
Uninet
Statsplus
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in stat.pl in StatsPlus 1.25 allows remote attackers to inject arbitrary web script or HTML via (1) HTTP_USER_AGENT or (2) HTTP_REFERER, which is written to stats.html and executed in client browsers.
CVE-2002-2386Dec 31, 2002
XOOPS
Xoops
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Quizz module for XOOPS 1.0, when allowing on-line question development, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the SRC attribute of an IMG tag.
CVE-2002-2378Dec 31, 2002
An
An Httpd
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in AN HTTP 1.41d allows remote attackers to inject arbitrary web script or HTML via a colon (:) in the query string, which is inserted into the resulting error page.
CVE-2002-2350Dec 31, 2002
Phpoutsourcing
Zorum
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in z_user_show.php in dbtreelistproperty_method.php in Zorum 2.4 allows remote attackers to inject arbitrary web script or HTML via the class parameter.
CVE-2002-2278Dec 31, 2002
Portail Web PHP
Portailphp
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in mod_search/index.php in PortailPHP 0.99 allows remote attackers to inject arbitrary web script or HTML via the (1) $App_Theme, (2) $Rub_Search, (3) $Rub_News, (4) $Rub_File, (5) $Rub_Liens, or (6) $Rub_Faq variables.
CVE-2002-2273Dec 31, 2002
Webster
Webster HTTP Server
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Webster HTTP Server allows remote attackers to inject arbitrary web script or HTML via the URL.
CVE-2002-2260Dec 31, 2002
Mozilla Corporation
Bugzilla
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the quips feature in Mozilla Bugzilla 2.10 through 2.17 allows remote attackers to inject arbitrary web script or HTML via the "show all quips" page.
CVE-2002-2255Dec 31, 2002
PhpBB
phpBB
risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in search.php in phpBB 2.0.3 and possibly earlier versions allows remote attackers to inject arbitrary web script or HTML via the search_username parameter in searchuser mode.
CVE-2002-2377Dec 31, 2002
ZAP
addentry.cgi
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in addentry.cgi in ZAP 1.0.3 allows remote attackers to inject arbitrary SSi directives, web script, and HTML via the entry field.
CVE-2002-2231Dec 31, 2002
Ikonboard.com
Ikonboard
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Ikonboard 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) a javascript: URL in a photo URL or (2) an X-Forwarded-For: header.