VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 1209 of 1,236
  • CVE-2008-1386Apr 23, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the installer in Serendipity (S9Y) 1.3 allow remote attackers to inject arbitrary web script or HTML via (1) unspecified path fields or (2) the database host field. NOTE: the timing window for exploitation of this issue…

  • CVE-2008-1916Apr 23, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-rc1 module for Drupal allow remote attackers to inject arbitrary web script or HTML via text fields intended for the (1) address and (2) order information, which are later displayed on the…

  • CVE-2008-1892Apr 18, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in bs_auth.php in Blogator-script 0.95 and 1.01 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-1894Apr 18, 2008
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in desktoplaunch/InfoView/logon/logon.object in BusinessObjects InfoView XI R2 SP1, SP2, and SP3 Java version before FixPack 3.5 allows remote attackers to inject arbitrary web script or HTML via the cms parameter.

  • CVE-2008-1025Apr 17, 2008
    risk 0.00cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in Apple WebKit, as used in Safari before 3.1.1, allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a colon in the hostname portion.

  • CVE-2008-1846Apr 16, 2008
    risk 0.00cvss epss 0.01

    The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file.

  • CVE-2008-1839Apr 16, 2008
    risk 0.00cvss epss 0.01

    Multgiple cross-site scripting (XSS) vulnerabilities in module/main.php in WORK system e-commerce 4.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) day, (2) month, and (3) year parameters. NOTE: the provenance of this information is unknown; the…

  • CVE-2008-1850Apr 16, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in login.php in Omnistar Interactive OSI Affiliate allow remote attackers to inject arbitrary web script or HTML via the (1) login, (2) profile, (3) profile2, and (4) ref parameters.

  • CVE-2008-1792Apr 15, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2008-1794Apr 15, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the Webform Drupal module 5.x before 5.x-1.10, 5.x-2.x before 5.x-2.0-beta3, and 6.x before 6.x-1.0-beta3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2008-1793Apr 15, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in view.cgi in Smart Classified ADS Professional, Smart Photo ADS, and Smart Photo ADS Gold allow remote attackers to inject arbitrary web script or HTML via the (1) AdNum and (2) Department parameters. NOTE: the provenance of…

  • CVE-2008-1775Apr 14, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in mindex.do in ManageEngine Firewall Analyzer 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the displayName parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from…

  • CVE-2008-1753Apr 11, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in system/workplace/admin/workplace/sessions.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the searchfilter parameter, a different vector than CVE-2008-1510.

  • CVE-2008-1655Apr 9, 2008
    risk 0.00cvss epss 0.05

    Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, makes it easier for remote attackers to conduct DNS rebinding attacks via unknown vectors.

  • CVE-2008-1716Apr 9, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page and (2) form parameters, which are not properly handled when they are reflected back…

  • CVE-2008-1698Apr 8, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in gallery.php in Simple Gallery 2.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third…

  • CVE-2008-1634Apr 2, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in JV2 Folder Gallery 3.1 allows remote attackers to inject arbitrary web script or HTML via the image parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-1636Apr 2, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in JV2 Quick Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the f parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-1629Apr 2, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in PHPkrm before 1.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2008-1630Apr 2, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5)…