CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,700)

page 580 of 1,135

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-12844	IceWarp Mail Server	Med	0.31	4.8	0.00	Aug 23, 2017	Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user name.
CVE-2017-12572	Splunk Splunk	Med	0.31	4.8	0.00	Aug 5, 2017	Persistent Cross Site Scripting (XSS) exists in Splunk Enterprise 6.5.x before 6.5.2, 6.4.x before 6.4.6, and 6.3.x before 6.3.9 and Splunk Light before 6.5.2, with exploitation requiring administrative access, aka SPL-134104.
CVE-2017-8000	EMC Corporation Rsa Authentication Manager	Med	0.31	4.8	0.00	Jul 17, 2017	In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA Security Console Administrator could craft a token profile and store the profile name in the RSA Authentication Manager database. The profile name could include a crafted script (with an XSS payload) that…
CVE-2017-2146	Cybozu Garoon	Med	0.31	4.8	0.00	Jul 7, 2017	Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.4 allows remote attackers to inject arbitrary web script or HTML via application menu.
CVE-2017-9836	Piwigo Piwigo	Med	0.31	4.8	0.00	Jun 24, 2017	Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
CVE-2016-8751	Apache Ranger	Med	0.31	4.8	0.00	Jun 14, 2017	Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
CVE-2016-7810	Corega Cg Wlr300nm	Med	0.31	4.8	0.00	Jun 9, 2017	Cross-site scripting vulnerability in Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-9452	Piwigo Piwigo	Med	0.31	4.8	0.00	Jun 6, 2017	Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2017-9366	Epesi Epesi	Med	0.31	4.8	0.00	Jun 2, 2017	Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter.
CVE-2017-3128	Fortinet Fortios	Med	0.31	4.8	0.00	May 23, 2017	A stored XSS (Cross-Site-Scripting) vulnerability in Fortinet FortiOS allows attackers to execute unauthorized code or commands via the policy global-label parameter.
CVE-2017-9071	Modx Revolution	Med	0.31	4.7	0.00	May 18, 2017	In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning.
CVE-2016-4858	Splunk Splunk	Med	0.31	4.8	0.00	May 12, 2017	Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to…
CVE-2016-4856	Splunk Splunk Enterprise	Med	0.31	4.8	0.00	May 12, 2017	Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-6037	IBM Rational Team Concert	Med	0.31	4.8	0.00	May 10, 2017	IBM Rational Team Concert (RTC) is vulnerable to HTML injection. A remote attacker with project administrator privileges could send a project that contains malicious HTML code, which when the project is viewed, would be executed in the victim's Web browser within the security…
CVE-2016-4866	Cybozu Office	Med	0.31	4.8	0.00	Apr 17, 2017	Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function.
CVE-2016-4865	Cybozu Office	Med	0.31	4.8	0.00	Apr 17, 2017	Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Customapp function.
CVE-2016-4318	Atlassian Jira	Med	0.31	4.8	0.00	Apr 10, 2017	Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
CVE-2017-7400	OpenStack Horizon	Med	0.31	4.8	0.00	Apr 3, 2017	OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.
CVE-2016-9473	Brave Browser	Med	0.31	4.7	0.01	Mar 28, 2017	Brave Browser iOS before 1.2.18 and Brave Browser Android 1.9.56 and earlier suffer from Full Address Bar Spoofing, allowing attackers to trick a victim by displaying a malicious page for legitimate domain names.
CVE-2017-6061	SAP Businessobjects Financial Consolidation	Med	0.31	4.7	0.01	Mar 16, 2017	Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor…

CVE-2017-12844MedAug 23, 2017
IceWarp
Mail Server
risk 0.31cvss 4.8epss 0.00
Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user name.
CVE-2017-12572MedAug 5, 2017
Splunk
Splunk
risk 0.31cvss 4.8epss 0.00
Persistent Cross Site Scripting (XSS) exists in Splunk Enterprise 6.5.x before 6.5.2, 6.4.x before 6.4.6, and 6.3.x before 6.3.9 and Splunk Light before 6.5.2, with exploitation requiring administrative access, aka SPL-134104.
CVE-2017-8000MedJul 17, 2017
EMC Corporation
Rsa Authentication Manager
risk 0.31cvss 4.8epss 0.00
In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA Security Console Administrator could craft a token profile and store the profile name in the RSA Authentication Manager database. The profile name could include a crafted script (with an XSS payload) that…
CVE-2017-2146MedJul 7, 2017
Cybozu
Garoon
risk 0.31cvss 4.8epss 0.00
Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.4 allows remote attackers to inject arbitrary web script or HTML via application menu.
CVE-2017-9836MedJun 24, 2017
Piwigo
Piwigo
risk 0.31cvss 4.8epss 0.00
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
CVE-2016-8751MedJun 14, 2017
Apache
Ranger
risk 0.31cvss 4.8epss 0.00
Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
CVE-2016-7810MedJun 9, 2017
Corega
Cg Wlr300nm
risk 0.31cvss 4.8epss 0.00
Cross-site scripting vulnerability in Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-9452MedJun 6, 2017
Piwigo
Piwigo
risk 0.31cvss 4.8epss 0.00
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2017-9366MedJun 2, 2017
Epesi
Epesi
risk 0.31cvss 4.8epss 0.00
Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter.
CVE-2017-3128MedMay 23, 2017
Fortinet
Fortios
risk 0.31cvss 4.8epss 0.00
A stored XSS (Cross-Site-Scripting) vulnerability in Fortinet FortiOS allows attackers to execute unauthorized code or commands via the policy global-label parameter.
CVE-2017-9071MedMay 18, 2017
Modx
Revolution
risk 0.31cvss 4.7epss 0.00
In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning.
CVE-2016-4858MedMay 12, 2017
Splunk
Splunk
risk 0.31cvss 4.8epss 0.00
Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to…
CVE-2016-4856MedMay 12, 2017
Splunk
Splunk Enterprise
risk 0.31cvss 4.8epss 0.00
Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-6037MedMay 10, 2017
IBM
Rational Team Concert
risk 0.31cvss 4.8epss 0.00
IBM Rational Team Concert (RTC) is vulnerable to HTML injection. A remote attacker with project administrator privileges could send a project that contains malicious HTML code, which when the project is viewed, would be executed in the victim's Web browser within the security…
CVE-2016-4866MedApr 17, 2017
Cybozu
Office
risk 0.31cvss 4.8epss 0.00
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function.
CVE-2016-4865MedApr 17, 2017
Cybozu
Office
risk 0.31cvss 4.8epss 0.00
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Customapp function.
CVE-2016-4318MedApr 10, 2017
Atlassian
Jira
risk 0.31cvss 4.8epss 0.00
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
CVE-2017-7400MedApr 3, 2017
OpenStack
Horizon
risk 0.31cvss 4.8epss 0.00
OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.
CVE-2016-9473MedMar 28, 2017
Brave
Browser
risk 0.31cvss 4.7epss 0.01
Brave Browser iOS before 1.2.18 and Brave Browser Android 1.9.56 and earlier suffer from Full Address Bar Spoofing, allowing attackers to trick a victim by displaying a malicious page for legitimate domain names.
CVE-2017-6061MedMar 16, 2017
SAP
Businessobjects Financial Consolidation
risk 0.31cvss 4.7epss 0.01
Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor…