CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (24,712)
page 1198 of 1,236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-4928 | 0.00 | — | 0.01 | Nov 4, 2008 | Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the… | |||
| CVE-2008-4903 | 0.00 | — | 0.01 | Nov 4, 2008 | Cross-site scripting (XSS) vulnerability in the leave comment (feedback) feature in Typo 5.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) comment[author] (Name) and (2) comment[url] (Website) parameters. | |||
| CVE-2008-4898 | 0.00 | — | 0.01 | Nov 4, 2008 | Cross-site scripting (XSS) vulnerability in planetluc RateMe 1.3.3 allows remote attackers to inject arbitrary web script or HTML via the rate parameter in a submit rate action. | |||
| CVE-2008-4892 | 0.00 | — | 0.01 | Nov 4, 2008 | Cross-site scripting (XSS) vulnerability in gallery.inc.php in Planetluc MyGallery 1.7.2 and earlier, and possibly other versions before 1.8.1, allows remote attackers to inject arbitrary web script or HTML via the mghash parameter. NOTE: some of these details are obtained from… | |||
| CVE-2008-4891 | 0.00 | — | 0.01 | Nov 4, 2008 | Cross-site scripting (XSS) vulnerability in signme.inc.php in Planetluc SignMe 1.5 before 1.55 allows remote attackers to inject arbitrary web script or HTML via the hash parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-4909 | 0.00 | — | 0.01 | Nov 4, 2008 | Cross-site request forgery (CSRF) vulnerability in CompactCMS 1.1 and earlier allows remote attackers to perform unauthorized actions as legitimate users via unspecified vectors. | |||
| CVE-2008-4872 | 0.00 | — | 0.01 | Nov 1, 2008 | Cross-site scripting (XSS) vulnerability in bidhistory.php in iTechBids Gold 5.0 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… | |||
| CVE-2008-4871 | 0.00 | — | 0.01 | Nov 1, 2008 | Cross-site scripting (XSS) vulnerability in My Little Forum 1.75 and 2.0 Beta 23 allows remote attackers to inject arbitrary web script or HTML via BBcode IMG tags. | |||
| CVE-2008-4805 | 0.00 | — | 0.01 | Oct 31, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the community title, (2) API input, and vectors related to the (3) Homepage, (4) Blogs, (5) Profiles, (6) Dogear,… | |||
| CVE-2008-4802 | 0.00 | — | 0.01 | Oct 31, 2008 | Cross-site scripting (XSS) vulnerability in complete.php in Simple PHP Scripts blog 0.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… | |||
| CVE-2008-4763 | 0.00 | — | 0.01 | Oct 28, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in sample.php in WiKID wClient-PHP 3.0-2 and earlier allow remote attackers to inject arbitrary web script or HTML via the PHP_SELF variable. | |||
| CVE-2008-4745 | 0.00 | — | 0.01 | Oct 27, 2008 | Cross-site scripting (XSS) vulnerability in emailFriend.asp in Uniwin eCart Professional 2.0.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-4733 | 0.00 | — | 0.02 | Oct 24, 2008 | Cross-site scripting (XSS) vulnerability in wpcommentremix.php in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the (1) replytotext, (2) quotetext, (3) originallypostedby, (4) sep, (5) maxtags, (6) tagsep,… | |||
| CVE-2008-4730 | 0.00 | — | 0.01 | Oct 24, 2008 | Cross-site scripting (XSS) vulnerability in MyID.php in phpMyID 0.9 allows remote attackers to inject arbitrary web script or HTML via the openid_trust_root parameter and an inconsistent openid_return_to parameter, which is not properly handled in an error message. | |||
| CVE-2008-4724 | 0.00 | — | 0.01 | Oct 23, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome 0.2.149.30 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information is unknown;… | |||
| CVE-2008-4723 | 0.00 | — | 0.01 | Oct 23, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 3.0.1 through 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information… | |||
| CVE-2008-4697 | 0.00 | — | 0.02 | Oct 23, 2008 | The Fast Forward feature in Opera before 9.61, when a page is located in a frame, executes a javascript: URL in the context of the outermost page instead of the page that contains this URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | |||
| CVE-2008-4710 | 0.00 | — | 0.01 | Oct 23, 2008 | Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-4671 | 0.00 | — | 0.04 | Oct 22, 2008 | Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address parameters. | |||
| CVE-2008-4663 | 0.00 | — | 0.01 | Oct 22, 2008 | Cross-site scripting (XSS) vulnerability in analysis.cgi 1.44, as used in K's CGI Access Log Kaiseki (1) jcode.pl and (2) Jcode.pm, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
- CVE-2008-4928Nov 4, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the…
- CVE-2008-4903Nov 4, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the leave comment (feedback) feature in Typo 5.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) comment[author] (Name) and (2) comment[url] (Website) parameters.
- CVE-2008-4898Nov 4, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in planetluc RateMe 1.3.3 allows remote attackers to inject arbitrary web script or HTML via the rate parameter in a submit rate action.
- CVE-2008-4892Nov 4, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in gallery.inc.php in Planetluc MyGallery 1.7.2 and earlier, and possibly other versions before 1.8.1, allows remote attackers to inject arbitrary web script or HTML via the mghash parameter. NOTE: some of these details are obtained from…
- CVE-2008-4891Nov 4, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in signme.inc.php in Planetluc SignMe 1.5 before 1.55 allows remote attackers to inject arbitrary web script or HTML via the hash parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-4909Nov 4, 2008risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in CompactCMS 1.1 and earlier allows remote attackers to perform unauthorized actions as legitimate users via unspecified vectors.
- CVE-2008-4872Nov 1, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in bidhistory.php in iTechBids Gold 5.0 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
- CVE-2008-4871Nov 1, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in My Little Forum 1.75 and 2.0 Beta 23 allows remote attackers to inject arbitrary web script or HTML via BBcode IMG tags.
- CVE-2008-4805Oct 31, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the community title, (2) API input, and vectors related to the (3) Homepage, (4) Blogs, (5) Profiles, (6) Dogear,…
- CVE-2008-4802Oct 31, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in complete.php in Simple PHP Scripts blog 0.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
- CVE-2008-4763Oct 28, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in sample.php in WiKID wClient-PHP 3.0-2 and earlier allow remote attackers to inject arbitrary web script or HTML via the PHP_SELF variable.
- CVE-2008-4745Oct 27, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in emailFriend.asp in Uniwin eCart Professional 2.0.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-4733Oct 24, 2008risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wpcommentremix.php in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the (1) replytotext, (2) quotetext, (3) originallypostedby, (4) sep, (5) maxtags, (6) tagsep,…
- CVE-2008-4730Oct 24, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in MyID.php in phpMyID 0.9 allows remote attackers to inject arbitrary web script or HTML via the openid_trust_root parameter and an inconsistent openid_return_to parameter, which is not properly handled in an error message.
- CVE-2008-4724Oct 23, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome 0.2.149.30 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information is unknown;…
- CVE-2008-4723Oct 23, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 3.0.1 through 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an ftp:// URL for an HTML document within a (1) JPG, (2) PDF, or (3) TXT file. NOTE: the provenance of this information…
- CVE-2008-4697Oct 23, 2008risk 0.00cvss —epss 0.02
The Fast Forward feature in Opera before 9.61, when a page is located in a frame, executes a javascript: URL in the context of the outermost page instead of the page that contains this URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
- CVE-2008-4710Oct 23, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-4671Oct 22, 2008risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address parameters.
- CVE-2008-4663Oct 22, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in analysis.cgi 1.44, as used in K's CGI Access Log Kaiseki (1) jcode.pl and (2) Jcode.pm, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.