CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 659 of 1,135

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2012-1503	Sixapart Movabletype	0.04	—	0.07	Aug 29, 2014	Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.
CVE-2014-3080	IBM Global Console Manager 16 Firmware	0.04	—	0.09	Aug 17, 2014	Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to kvm.cgi or (2) the key parameter to…
CVE-2012-5684	Zpanel Zpanel	0.04	—	0.08	Aug 14, 2014	Cross-site scripting (XSS) vulnerability in ZPanel 10.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the inFullname parameter in an UpdateAccountSettings action in the my_account module to zpanel/.
CVE-2014-0870	IBM Algo Credit Limits	0.04	—	0.09	Jul 7, 2014	Multiple cross-site scripting (XSS) vulnerabilities in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to inject arbitrary web script or HTML via (1) the Message parameter to rcore6/main/showerror.jsp,…
CVE-2013-2618	Network Weathermap .network Weathermap	0.04	—	0.09	Jun 5, 2014	Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
CVE-2013-2712	Krisonav Krisonav	0.04	—	0.07	May 23, 2014	Cross-site scripting (XSS) vulnerability in services/get_article.php in KrisonAV CMS before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter.
CVE-2013-1804	PHP-Fusion Phpfusion	0.04	—	0.10	Apr 29, 2014	Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web…
CVE-2014-2879	SonicWall Email Security Appliance	0.04	—	0.15	Apr 17, 2014	Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2)…
CVE-2012-6644	Clip Bucket Clipbucket	0.04	—	0.12	Apr 8, 2014	Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.6 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to channels.php, (2) collections.php, (3) groups.php, or (4) videos.php; (5) query parameter to search_result.php; or (6)…
CVE-2011-4958	Silverstripe Silverstripe	0.04	—	0.08	Apr 8, 2014	Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1)…
CVE-2013-2287	Roberta Bramski Uploader	0.04	—	0.08	Apr 4, 2014	Multiple cross-site scripting (XSS) vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter.
CVE-2013-0807	Gpeasy Gpeasy CMS	0.04	—	0.10	Mar 28, 2014	Cross-site scripting (XSS) vulnerability in the NewSectionPrompt function in include/tool/editing_page.php in gpEasy CMS 3.5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the section parameter in a new_section action to index.php.
CVE-2012-6430	Open Solution Quick.cart	0.04	—	0.11	Mar 24, 2014	Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of…
CVE-2014-2586	WordPress Cloud Sso Single Sign On	0.04	—	0.09	Mar 24, 2014	Cross-site scripting (XSS) vulnerability in the login audit form in McAfee Cloud Single Sign On (SSO) allows remote attackers to inject arbitrary web script or HTML via a crafted password.
CVE-2013-1636	Civicrm Civicrm	0.04	—	0.10	Mar 12, 2014	Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3,…
CVE-2013-7319	WordPress Download Manager	0.04	—	0.08	Feb 6, 2014	Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.
CVE-2013-3639	Xaraya Xaraya	0.04	—	0.06	Feb 5, 2014	Multiple cross-site scripting (XSS) vulnerabilities in Xaraya 2.4.0-b1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) id, (2) interface, (3) name, or (4) tabmodule parameter to index.php.
CVE-2013-1466	Glfusion Glfusion	0.04	—	0.09	Feb 5, 2014	Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url,…
CVE-2013-6882	Cru Inc Ditto Forensic Fieldstation Firmware	0.04	—	0.11	Dec 17, 2013	Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Forensic FieldStation with firmware 2013Oct15a and earlier allow (1) remote attackers to inject arbitrary web script or HTML via the username parameter in a login or (2) remote authenticated users to inject…
CVE-2013-6793	Olat Olat	0.04	—	0.08	Nov 14, 2013	Multiple cross-site scripting (XSS) vulnerabilities in the Calendar module in Olat 7.8.0.1 (b20130821 N1) allow remote attackers to inject arbitrary web script or HTML via the (1) event name or (2) date field.

CVE-2012-1503Aug 29, 2014
Sixapart
Movabletype
risk 0.04cvss —epss 0.07
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.
CVE-2014-3080Aug 17, 2014
IBM
Global Console Manager 16 Firmware
risk 0.04cvss —epss 0.09
Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to kvm.cgi or (2) the key parameter to…
CVE-2012-5684Aug 14, 2014
Zpanel
Zpanel
risk 0.04cvss —epss 0.08
Cross-site scripting (XSS) vulnerability in ZPanel 10.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the inFullname parameter in an UpdateAccountSettings action in the my_account module to zpanel/.
CVE-2014-0870Jul 7, 2014
IBM
Algo Credit Limits
risk 0.04cvss —epss 0.09
Multiple cross-site scripting (XSS) vulnerabilities in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allow remote attackers to inject arbitrary web script or HTML via (1) the Message parameter to rcore6/main/showerror.jsp,…
CVE-2013-2618Jun 5, 2014
Network Weathermap
.network Weathermap
risk 0.04cvss —epss 0.09
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
CVE-2013-2712May 23, 2014
Krisonav
Krisonav
risk 0.04cvss —epss 0.07
Cross-site scripting (XSS) vulnerability in services/get_article.php in KrisonAV CMS before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter.
CVE-2013-1804Apr 29, 2014
PHP-Fusion
Phpfusion
risk 0.04cvss —epss 0.10
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web…
CVE-2014-2879Apr 17, 2014
SonicWall
Email Security Appliance
risk 0.04cvss —epss 0.15
Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2)…
CVE-2012-6644Apr 8, 2014
Clip Bucket
Clipbucket
risk 0.04cvss —epss 0.12
Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.6 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to channels.php, (2) collections.php, (3) groups.php, or (4) videos.php; (5) query parameter to search_result.php; or (6)…
CVE-2011-4958Apr 8, 2014
Silverstripe
Silverstripe
risk 0.04cvss —epss 0.08
Cross-site scripting (XSS) vulnerability in the process function in SSViewer.php in SilverStripe before 2.3.13 and 2.4.x before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to template placeholders, as demonstrated by a request to (1)…
CVE-2013-2287Apr 4, 2014
Roberta Bramski
Uploader
risk 0.04cvss —epss 0.08
Multiple cross-site scripting (XSS) vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter.
CVE-2013-0807Mar 28, 2014
Gpeasy
Gpeasy CMS
risk 0.04cvss —epss 0.10
Cross-site scripting (XSS) vulnerability in the NewSectionPrompt function in include/tool/editing_page.php in gpEasy CMS 3.5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the section parameter in a new_section action to index.php.
CVE-2012-6430Mar 24, 2014
Open Solution
Quick.cart
risk 0.04cvss —epss 0.11
Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of…
CVE-2014-2586Mar 24, 2014
WordPress
Cloud Sso Single Sign On
risk 0.04cvss —epss 0.09
Cross-site scripting (XSS) vulnerability in the login audit form in McAfee Cloud Single Sign On (SSO) allows remote attackers to inject arbitrary web script or HTML via a crafted password.
CVE-2013-1636Mar 12, 2014
Civicrm
Civicrm
risk 0.04cvss —epss 0.10
Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3,…
CVE-2013-7319Feb 6, 2014
WordPress
Download Manager
risk 0.04cvss —epss 0.08
Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.
CVE-2013-3639Feb 5, 2014
Xaraya
Xaraya
risk 0.04cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in Xaraya 2.4.0-b1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) id, (2) interface, (3) name, or (4) tabmodule parameter to index.php.
CVE-2013-1466Feb 5, 2014
Glfusion
Glfusion
risk 0.04cvss —epss 0.09
Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url,…
CVE-2013-6882Dec 17, 2013
Cru Inc
Ditto Forensic Fieldstation Firmware
risk 0.04cvss —epss 0.11
Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Forensic FieldStation with firmware 2013Oct15a and earlier allow (1) remote attackers to inject arbitrary web script or HTML via the username parameter in a login or (2) remote authenticated users to inject…
CVE-2013-6793Nov 14, 2013
Olat
Olat
risk 0.04cvss —epss 0.08
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar module in Olat 7.8.0.1 (b20130821 N1) allow remote attackers to inject arbitrary web script or HTML via the (1) event name or (2) date field.