CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (24,712)
page 1189 of 1,236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-6687 | 0.00 | — | 0.01 | Apr 10, 2009 | Cross-site scripting (XSS) vulnerability in DCD GoogleMap (dcdgooglemap) 1.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. | |||
| CVE-2009-1279 | 0.00 | — | 0.01 | Apr 9, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5 through 1.5.9 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) com_admin component, (2) com_search component when "Gather Search Statistics" is enabled, and (3) the… | |||
| CVE-2008-6682 | 0.00 | — | 0.06 | Apr 9, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute… | |||
| CVE-2008-6681 | 0.00 | — | 0.01 | Apr 9, 2009 | Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element. | |||
| CVE-2007-6726 | 0.00 | — | 0.03 | Apr 9, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/. | |||
| CVE-2008-6666 | 0.00 | — | 0.01 | Apr 8, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Kronos webTA allow remote attackers to inject arbitrary web script or HTML via the description field to (1) servlet/com.threeis.webta.H710selProject and (2) servlet/com.threeis.webta.H720editProjectInfo. NOTE: BID:29610… | |||
| CVE-2009-1261 | 0.00 | — | 0.01 | Apr 7, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9.1.22 (evaluation version) allow remote attackers to inject arbitrary web script or HTML via the (1) Report Name, (2) Asset No., and (3) Full Name fields in a Models action. NOTE: the provenance of this… | |||
| CVE-2008-6654 | 0.00 | — | 0.01 | Apr 7, 2009 | Cross-site scripting (XSS) vulnerability in search_results.php in InfoBiz Server allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. | |||
| CVE-2008-6646 | 0.00 | — | 0.01 | Apr 7, 2009 | Cross-site scripting (XSS) vulnerability in index.php in CoronaMatrix phpAddressBook 2.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter. | |||
| CVE-2008-6645 | 0.00 | — | 0.01 | Apr 7, 2009 | Cross-site scripting (XSS) vulnerability in Opencosmo VisualSentinel 0.7 allows remote attackers to inject arbitrary web script or HTML via the User-Agent header ($_SERVER ['HTTP_USER_AGENT']), which is not properly handled when displaying log files. | |||
| CVE-2009-1249 | 0.00 | — | 0.01 | Apr 6, 2009 | Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map. | |||
| CVE-2008-6600 | 0.00 | — | 0.01 | Apr 3, 2009 | Cross-site scripting (XSS) vulnerability in the search feature in XMLPortal 3.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter. | |||
| CVE-2008-6589 | 0.00 | — | 0.01 | Apr 3, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php. | |||
| CVE-2008-6571 | 0.00 | — | 0.01 | Mar 31, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.4 might allow remote attackers to inject arbitrary web script or HTML via (1) new_images.php, (2) login.php, and unspecified vectors. | |||
| CVE-2008-6570 | 0.00 | — | 0.01 | Mar 31, 2009 | Cross-site scripting (XSS) vulnerability in the RSS reader in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via a crafted RSS feed. | |||
| CVE-2008-6567 | 0.00 | — | 0.01 | Mar 31, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Gallarific Free Edition allow remote attackers to inject arbitrary web script or HTML via (1) the e-mail address, (2) a comment, which is not properly handled during moderation, and (3) the tag parameter to gallery/tags.php. | |||
| CVE-2009-1175 | 0.00 | — | 0.01 | Mar 31, 2009 | Cross-site scripting (XSS) vulnerability in apps/web/vs_diag.cgi in the DAAP extension in Banshee 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the server parameter, which is not properly handled in an error message. | |||
| CVE-2008-6533 | 0.00 | — | 0.02 | Mar 26, 2009 | Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | |||
| CVE-2009-1150 | 0.00 | — | 0.02 | Mar 26, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie. | |||
| CVE-2009-1069 | 0.00 | — | 0.01 | Mar 26, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in… |
- CVE-2008-6687Apr 10, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in DCD GoogleMap (dcdgooglemap) 1.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
- CVE-2009-1279Apr 9, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5 through 1.5.9 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) com_admin component, (2) com_search component when "Gather Search Statistics" is enabled, and (3) the…
- CVE-2008-6682Apr 9, 2009risk 0.00cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute…
- CVE-2008-6681Apr 9, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element.
- CVE-2007-6726Apr 9, 2009risk 0.00cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/.
- CVE-2008-6666Apr 8, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Kronos webTA allow remote attackers to inject arbitrary web script or HTML via the description field to (1) servlet/com.threeis.webta.H710selProject and (2) servlet/com.threeis.webta.H720editProjectInfo. NOTE: BID:29610…
- CVE-2009-1261Apr 7, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9.1.22 (evaluation version) allow remote attackers to inject arbitrary web script or HTML via the (1) Report Name, (2) Asset No., and (3) Full Name fields in a Models action. NOTE: the provenance of this…
- CVE-2008-6654Apr 7, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in search_results.php in InfoBiz Server allows remote attackers to inject arbitrary web script or HTML via the keywords parameter.
- CVE-2008-6646Apr 7, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in CoronaMatrix phpAddressBook 2.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
- CVE-2008-6645Apr 7, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Opencosmo VisualSentinel 0.7 allows remote attackers to inject arbitrary web script or HTML via the User-Agent header ($_SERVER ['HTTP_USER_AGENT']), which is not properly handled when displaying log files.
- CVE-2009-1249Apr 6, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.
- CVE-2008-6600Apr 3, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the search feature in XMLPortal 3.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter.
- CVE-2008-6589Apr 3, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite version 1.2.2, allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) index.php and (2) LightNEasy.php.
- CVE-2008-6571Mar 31, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.4 might allow remote attackers to inject arbitrary web script or HTML via (1) new_images.php, (2) login.php, and unspecified vectors.
- CVE-2008-6570Mar 31, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the RSS reader in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.
- CVE-2008-6567Mar 31, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Gallarific Free Edition allow remote attackers to inject arbitrary web script or HTML via (1) the e-mail address, (2) a comment, which is not properly handled during moderation, and (3) the tag parameter to gallery/tags.php.
- CVE-2009-1175Mar 31, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in apps/web/vs_diag.cgi in the DAAP extension in Banshee 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the server parameter, which is not properly handled in an error message.
- CVE-2008-6533Mar 26, 2009risk 0.00cvss —epss 0.02
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
- CVE-2009-1150Mar 26, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie.
- CVE-2009-1069Mar 26, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in…