CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (24,712)
page 1216 of 1,236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-0494 | 0.00 | — | 0.01 | Jan 30, 2008 | Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in Endian Firewall 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the psearch parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third… | |||
| CVE-2008-0409 | 0.00 | — | 0.01 | Jan 29, 2008 | Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL. | |||
| CVE-2008-0463 | 0.00 | — | 0.01 | Jan 25, 2008 | Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties. | |||
| CVE-2008-0462 | 0.00 | — | 0.01 | Jan 25, 2008 | Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-0444 | 0.00 | — | 0.01 | Jan 25, 2008 | Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components. | |||
| CVE-2008-0426 | 0.00 | — | 0.01 | Jan 23, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PacerCMS before 0.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) headline, or (3) text field in a message. | |||
| CVE-2008-0404 | 0.00 | — | 0.02 | Jan 23, 2008 | Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary. | |||
| CVE-2008-0370 | 0.00 | — | 0.01 | Jan 22, 2008 | Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-0381 | 0.00 | — | 0.01 | Jan 22, 2008 | Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files. | |||
| CVE-2008-0362 | 0.00 | — | 0.01 | Jan 18, 2008 | Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the album parameter. | |||
| CVE-2008-0354 | 0.00 | — | 0.03 | Jan 18, 2008 | Cross-site scripting (XSS) vulnerability in the chat client in IBM Lotus Sametime 7.5 and 7.5.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted message, which triggers code execution after a mouseover event initiated by the victim. | |||
| CVE-2008-0335 | 0.00 | — | 0.01 | Jan 17, 2008 | Cross-site scripting (XSS) vulnerability in BugTracker.NET before 2.7.2 allows remote attackers to inject arbitrary web script or HTML via an arbitrary custom text field. | |||
| CVE-2007-6687 | 0.00 | — | 0.02 | Jan 17, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Menalto Gallery before 2.2.4 allow remote attackers to inject arbitrary web script or HTML via crafted filenames to the (1) Core or (2) add-item modules; or via (3) HTTP PROPPATCH in the WebDAV module. | |||
| CVE-2008-0292 | 0.00 | — | 0.01 | Jan 16, 2008 | Cross-site scripting (XSS) vulnerability in photo_album.pl in Dansie Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… | |||
| CVE-2008-0284 | 0.00 | — | 0.01 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) Itemid or (2) topic arguments. | |||
| CVE-2008-0273 | 0.00 | — | 0.02 | Jan 15, 2008 | Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but… | |||
| CVE-2008-0257 | 0.00 | — | 0.01 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in search.pl in Dansie Search Engine 2.7 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… | |||
| CVE-2008-0276 | 0.00 | — | 0.01 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table. | |||
| CVE-2008-0274 | 0.00 | — | 0.02 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files. | |||
| CVE-2008-0123 | 0.00 | — | 0.04 | Jan 12, 2008 | Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8.3, and possibly other versions before 1.8.4, allows remote attackers to inject arbitrary web script or HTML via the dbname parameter. NOTE: this issue only exists until the installation is complete. |
- CVE-2008-0494Jan 30, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in Endian Firewall 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the psearch parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
- CVE-2008-0409Jan 29, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL.
- CVE-2008-0463Jan 25, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties.
- CVE-2008-0462Jan 25, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-0444Jan 25, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components.
- CVE-2008-0426Jan 23, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PacerCMS before 0.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) headline, or (3) text field in a message.
- CVE-2008-0404Jan 23, 2008risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary.
- CVE-2008-0370Jan 22, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-0381Jan 22, 2008risk 0.00cvss —epss 0.01
Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files.
- CVE-2008-0362Jan 18, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the album parameter.
- CVE-2008-0354Jan 18, 2008risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the chat client in IBM Lotus Sametime 7.5 and 7.5.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted message, which triggers code execution after a mouseover event initiated by the victim.
- CVE-2008-0335Jan 17, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in BugTracker.NET before 2.7.2 allows remote attackers to inject arbitrary web script or HTML via an arbitrary custom text field.
- CVE-2007-6687Jan 17, 2008risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Menalto Gallery before 2.2.4 allow remote attackers to inject arbitrary web script or HTML via crafted filenames to the (1) Core or (2) add-item modules; or via (3) HTTP PROPPATCH in the WebDAV module.
- CVE-2008-0292Jan 16, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in photo_album.pl in Dansie Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
- CVE-2008-0284Jan 15, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) Itemid or (2) topic arguments.
- CVE-2008-0273Jan 15, 2008risk 0.00cvss —epss 0.02
Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but…
- CVE-2008-0257Jan 15, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in search.pl in Dansie Search Engine 2.7 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
- CVE-2008-0276Jan 15, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table.
- CVE-2008-0274Jan 15, 2008risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.
- CVE-2008-0123Jan 12, 2008risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8.3, and possibly other versions before 1.8.4, allows remote attackers to inject arbitrary web script or HTML via the dbname parameter. NOTE: this issue only exists until the installation is complete.