CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (24,712)
page 1218 of 1,236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2007-6611 | 0.00 | — | 0.02 | Jan 3, 2008 | Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename, related to bug_report.php. | |||
| CVE-2007-6589 | 0.00 | — | 0.01 | Dec 28, 2007 | The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a… | |||
| CVE-2007-6588 | 0.00 | — | 0.01 | Dec 28, 2007 | Cross-site scripting (XSS) vulnerability in PHCDownload 1.10 allows remote attackers to inject arbitrary web script or HTML via the username field in an unspecified component. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… | |||
| CVE-2007-6572 | 0.00 | — | 0.02 | Dec 28, 2007 | Cross-site scripting (XSS) vulnerability in Sun Java System Web Server 6.1 before SP8 and 7.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6566204. | |||
| CVE-2007-6571 | 0.00 | — | 0.02 | Dec 28, 2007 | Cross-site scripting (XSS) vulnerability in Sun Java System Web Proxy Server 3.6 before SP11 on Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6611356. | |||
| CVE-2007-6570 | 0.00 | — | 0.02 | Dec 28, 2007 | Cross-site scripting (XSS) vulnerability in the View URL Database functionality in Sun Java System Web Proxy Server 4.x before 4.0.6 and 3.x before 3.6 SP11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6566309. | |||
| CVE-2007-6569 | 0.00 | — | 0.02 | Dec 28, 2007 | Cross-site scripting (XSS) vulnerability in the View Error Log functionality in Sun Java System Web Proxy Server 4.x before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6566246. | |||
| CVE-2007-6541 | 0.00 | — | 0.01 | Dec 27, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in neuron news 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the topic parameter in a viewtopic action, or the (2) newsyear or (3) newsmonth parameter in a newsarchive action to the default URI in… | |||
| CVE-2007-6526 | 0.00 | — | 0.02 | Dec 27, 2007 | Cross-site scripting (XSS) vulnerability in tiki-special_chars.php in TikiWiki before 1.9.9 allows remote attackers to inject arbitrary web script or HTML via the area_name parameter. | |||
| CVE-2007-6522 | 0.00 | — | 0.02 | Dec 24, 2007 | The rich text editing functionality in Opera before 9.25 allows remote attackers to conduct cross-domain scripting attacks by using designMode to modify contents of pages in other domains. | |||
| CVE-2007-6520 | 0.00 | — | 0.02 | Dec 24, 2007 | Opera before 9.25 allows remote attackers to conduct cross-domain scripting attacks via unknown vectors related to plug-ins. | |||
| CVE-2007-6486 | 0.00 | — | 0.01 | Dec 20, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in shout.php (aka the shoutbox) in LineShout 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username (nickname) or (2) message parameter. NOTE: some of these details are obtained from third party… | |||
| CVE-2007-6477 | 0.00 | — | 0.01 | Dec 20, 2007 | Cross-site scripting (XSS) vulnerability in the on-line help feature in Citrix Web Interface 2.0 and earlier, and NFuse, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2007-6463 | 0.00 | — | 0.01 | Dec 20, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in PHP Real Estate Classifieds allow remote attackers to inject arbitrary web script or HTML via unspecified "text areas/boxes." | |||
| CVE-2007-6465 | 0.00 | — | 0.01 | Dec 20, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in ganglia-web in Ganglia before 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) c and (2) h parameters to (a) web/host_gmetrics.php; the (3) G, (4) me, (5) x, (6) n, (7) v, (8) l, (9) vl, and… | |||
| CVE-2007-6461 | 0.00 | — | 0.01 | Dec 20, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flyspray 0.9.9 through 0.9.9.3 allow remote attackers to inject arbitrary web script or HTML via (1) the query string in an index action, related to the savesearch JavaScript function; and (2) the details… | |||
| CVE-2007-6460 | 0.00 | — | 0.01 | Dec 20, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in Anon Proxy Server before 0.101 allow remote attackers to inject arbitrary web script or HTML via the URI, which is later displayed by (1) log.php or (2) logerror.php, a different vulnerability than CVE-2007-6459. | |||
| CVE-2007-6452 | 0.00 | — | 0.01 | Dec 20, 2007 | Unspecified vulnerability in the benchmark reporting system in Google Web Toolkit (GWT) before 1.4.61 has unknown impact and attack vectors, possibly related to cross-site scripting (XSS). | |||
| CVE-2007-5854 | 0.00 | — | 0.01 | Dec 19, 2007 | Launch Services in Apple Mac OS X 10.4.11 and 10.5.1 does not treat HTML files as unsafe content, which allows attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via a crafted HTML file. | |||
| CVE-2007-5858 | 0.00 | — | 0.03 | Dec 19, 2007 | WebKit in Safari in Apple Mac OS X 10.4.11 and 10.5.1, iPhone 1.0 through 1.1.2, and iPod touch 1.1 through 1.1.2 allows remote attackers to "navigate the subframes of any other page," which can be leveraged to conduct cross-site scripting (XSS) attacks and obtain sensitive… |
- CVE-2007-6611Jan 3, 2008risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename, related to bug_report.php.
- CVE-2007-6589Dec 28, 2007risk 0.00cvss —epss 0.01
The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a…
- CVE-2007-6588Dec 28, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in PHCDownload 1.10 allows remote attackers to inject arbitrary web script or HTML via the username field in an unspecified component. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
- CVE-2007-6572Dec 28, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Sun Java System Web Server 6.1 before SP8 and 7.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6566204.
- CVE-2007-6571Dec 28, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Sun Java System Web Proxy Server 3.6 before SP11 on Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6611356.
- CVE-2007-6570Dec 28, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the View URL Database functionality in Sun Java System Web Proxy Server 4.x before 4.0.6 and 3.x before 3.6 SP11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6566309.
- CVE-2007-6569Dec 28, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the View Error Log functionality in Sun Java System Web Proxy Server 4.x before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka BugID 6566246.
- CVE-2007-6541Dec 27, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in neuron news 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the topic parameter in a viewtopic action, or the (2) newsyear or (3) newsmonth parameter in a newsarchive action to the default URI in…
- CVE-2007-6526Dec 27, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in tiki-special_chars.php in TikiWiki before 1.9.9 allows remote attackers to inject arbitrary web script or HTML via the area_name parameter.
- CVE-2007-6522Dec 24, 2007risk 0.00cvss —epss 0.02
The rich text editing functionality in Opera before 9.25 allows remote attackers to conduct cross-domain scripting attacks by using designMode to modify contents of pages in other domains.
- CVE-2007-6520Dec 24, 2007risk 0.00cvss —epss 0.02
Opera before 9.25 allows remote attackers to conduct cross-domain scripting attacks via unknown vectors related to plug-ins.
- CVE-2007-6486Dec 20, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in shout.php (aka the shoutbox) in LineShout 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username (nickname) or (2) message parameter. NOTE: some of these details are obtained from third party…
- CVE-2007-6477Dec 20, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the on-line help feature in Citrix Web Interface 2.0 and earlier, and NFuse, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2007-6463Dec 20, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in PHP Real Estate Classifieds allow remote attackers to inject arbitrary web script or HTML via unspecified "text areas/boxes."
- CVE-2007-6465Dec 20, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in ganglia-web in Ganglia before 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) c and (2) h parameters to (a) web/host_gmetrics.php; the (3) G, (4) me, (5) x, (6) n, (7) v, (8) l, (9) vl, and…
- CVE-2007-6461Dec 20, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flyspray 0.9.9 through 0.9.9.3 allow remote attackers to inject arbitrary web script or HTML via (1) the query string in an index action, related to the savesearch JavaScript function; and (2) the details…
- CVE-2007-6460Dec 20, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Anon Proxy Server before 0.101 allow remote attackers to inject arbitrary web script or HTML via the URI, which is later displayed by (1) log.php or (2) logerror.php, a different vulnerability than CVE-2007-6459.
- CVE-2007-6452Dec 20, 2007risk 0.00cvss —epss 0.01
Unspecified vulnerability in the benchmark reporting system in Google Web Toolkit (GWT) before 1.4.61 has unknown impact and attack vectors, possibly related to cross-site scripting (XSS).
- CVE-2007-5854Dec 19, 2007risk 0.00cvss —epss 0.01
Launch Services in Apple Mac OS X 10.4.11 and 10.5.1 does not treat HTML files as unsafe content, which allows attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via a crafted HTML file.
- CVE-2007-5858Dec 19, 2007risk 0.00cvss —epss 0.03
WebKit in Safari in Apple Mac OS X 10.4.11 and 10.5.1, iPhone 1.0 through 1.1.2, and iPod touch 1.1 through 1.1.2 allows remote attackers to "navigate the subframes of any other page," which can be leveraged to conduct cross-site scripting (XSS) attacks and obtain sensitive…