VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Base · Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 1200 of 1,236
  • CVE-2008-4450 · Oct 6, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in adodb.php in XAMPP for Windows 1.6.8 allows remote attackers to inject arbitrary web script or HTML via the (1) dbserver, (2) host, (3) user, (4) password, (5) database, and (6) table parameters. NOTE: the provenance of this…

  • CVE-2008-4446 · Oct 6, 2008
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in Nucleus EUC-JP 3.31 SP1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2008-4408 · Oct 3, 2008
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0, and possibly other versions before 1.13.2 allows remote attackers to inject arbitrary web script or HTML via the useskin parameter to an unspecified component.

  • CVE-2008-2236 · Oct 3, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in blosxom.cgi in Blosxom before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the flav parameter (flavour variable). NOTE: some of these details are obtained from third party information.

  • CVE-2008-2831 · Oct 2, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the delegated spam management feature in the Spam Quarantine Management (SQM) component in MailMarshal SMTP 6.0.3.8 through 6.3.0.0 allow user-assisted remote authenticated users to inject arbitrary web script or HTML via…

  • CVE-2008-4365 · Sep 30, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in search.php in Siteman 1.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-4337 · Sep 30, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Bitweaver 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to (1) edit.php and (2) list.php in articles/; (3) list_blogs.php and (4) rankings.php in blogs/; (5) calendar/index.php; (6)…

  • CVE-2008-4326 · Sep 30, 2008
    risk 0.00 · cvss · epss 0.02

    The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence.

  • CVE-2008-4196 · Sep 27, 2008
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in Opera before 9.52 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2008-4119 · Sep 27, 2008
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in CA Service Desk 11.2 and CMDB 11.0 through 11.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "multiple web forms."

  • CVE-2008-4066 · Sep 24, 2008
    risk 0.00 · cvss · epss 0.02

    Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a…

  • CVE-2008-4065 · Sep 24, 2008
    risk 0.00 · cvss · epss 0.04

    Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from…

  • CVE-2008-4152 · Sep 24, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via a node title.

  • CVE-2008-4149 · Sep 24, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.

  • CVE-2008-4147 · Sep 24, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.

  • CVE-2008-4184 · Sep 23, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in webCMS Portal Edition allows remote attackers to inject arbitrary web script or HTML via the patron parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-4182 · Sep 23, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1 and other versions before 2.3.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session.

  • CVE-2008-4168 · Sep 22, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in verify_login.jsp in Pro2col Stingray FTS allows remote attackers to inject arbitrary web script or HTML via the form_username parameter (aka user name field).

  • CVE-2008-4130 · Sep 18, 2008
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 allows remote attackers to inject arbitrary web script or HTML via a crafted Flash animation, related to the ability of the animation to "interact with the embedding page."

  • CVE-2008-4118 · Sep 18, 2008
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in High Norm Sound Master 2nd 1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.