CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (22,695)

page 673 of 1,135

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2015-6972	Igniterealtime Openfire	0.03	—	0.05	Sep 16, 2015	Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to…
CVE-2015-6945	Jsp\/mysql Administrador Web Project Jsp\/mysql Administrador Web	0.03	—	0.04	Sep 15, 2015	Cross-site scripting (XSS) vulnerability in JSP/MySQL Administrador Web 1 allows remote attackers to inject arbitrary web script or HTML via the bd parameter to sys/sys/listaBD2.jsp.
CVE-2015-6810	Invision Power Services Invision Power Board	0.03	—	0.01	Sep 4, 2015	Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_location[address] array parameter to…
CVE-2015-6809	Bedita Bedita	0.03	—	0.04	Sep 4, 2015	Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter to index.php/areas/saveArea,…
CVE-2015-6805	Medhabidotcom Mdc Private Message	0.03	—	0.00	Sep 2, 2015	Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.
CVE-2015-6518	Phpliteadmin Phpliteadmin	0.03	—	0.01	Aug 18, 2015	Multiple cross-site scripting (XSS) vulnerabilities in phpLiteAdmin 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) droptable parameter, or (3) table parameter to phpliteadmin.php.
CVE-2015-4665	Xceedium Xsuite	0.03	—	0.03	Aug 13, 2015	Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium Xsuite 2.4.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the fileName parameter.
CVE-2015-2321	Job Manager Project Job Manager	0.03	—	0.02	Aug 13, 2015	Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the email field.
CVE-2015-3443	Thycotic Secret Server	0.03	—	0.02	Jul 2, 2015	Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly handled when toggling the…
CVE-2015-5150	Zohocorp Manageengine Supportcenter Plus	0.03	—	0.01	Jun 30, 2015	Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct…
CVE-2015-2169	Zohocorp Manageengine Assetexplorer	0.03	—	0.04	Jun 24, 2015	Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.
CVE-2015-4420	Opsview Opsview	0.03	—	0.01	Jun 18, 2015	Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to a Test service check page.
CVE-2015-4465	Zanematthew Zm Ajax Login \& Register	0.03	—	0.00	Jun 10, 2015	Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4127	Church Admin Project Church Admin	0.03	—	0.03	May 28, 2015	Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/.
CVE-2015-4084	Free Counter Free Counter	0.03	—	0.01	May 28, 2015	Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php.
CVE-2015-4065	Landing Pages Project Landing Pages	0.03	—	0.01	May 27, 2015	Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php.
CVE-2015-4063	Newstatpress Project Newstatpress	0.03	—	0.01	May 27, 2015	Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php.
CVE-2012-4901	Template Cms Project Template CMS	0.03	—	0.05	May 20, 2015	Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.
CVE-2012-1664	Oscmax Oscmax	0.03	—	0.01	May 20, 2015	Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in osCMax before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in a process action to admin/login.php; (2) pageTitle, (3) current_product_id, or (4) cPath…
CVE-2015-3300	—	0.03	—	0.05	May 14, 2015	Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via the (1) billing_firstname, (2)…

CVE-2015-6972Sep 16, 2015
Igniterealtime
Openfire
risk 0.03cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to…
CVE-2015-6945Sep 15, 2015
Jsp\/mysql Administrador Web Project
Jsp\/mysql Administrador Web
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in JSP/MySQL Administrador Web 1 allows remote attackers to inject arbitrary web script or HTML via the bd parameter to sys/sys/listaBD2.jsp.
CVE-2015-6810Sep 4, 2015
Invision Power Services
Invision Power Board
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_location[address] array parameter to…
CVE-2015-6809Sep 4, 2015
Bedita
Bedita
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter to index.php/areas/saveArea,…
CVE-2015-6805Sep 2, 2015
Medhabidotcom
Mdc Private Message
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.
CVE-2015-6518Aug 18, 2015
Phpliteadmin
Phpliteadmin
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in phpLiteAdmin 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) droptable parameter, or (3) table parameter to phpliteadmin.php.
CVE-2015-4665Aug 13, 2015
Xceedium
Xsuite
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium Xsuite 2.4.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the fileName parameter.
CVE-2015-2321Aug 13, 2015
Job Manager Project
Job Manager
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the email field.
CVE-2015-3443Jul 2, 2015
Thycotic
Secret Server
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly handled when toggling the…
CVE-2015-5150Jun 30, 2015
Zohocorp
Manageengine Supportcenter Plus
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct…
CVE-2015-2169Jun 24, 2015
Zohocorp
Manageengine Assetexplorer
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.
CVE-2015-4420Jun 18, 2015
Opsview
Opsview
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to a Test service check page.
CVE-2015-4465Jun 10, 2015
Zanematthew
Zm Ajax Login \& Register
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4127May 28, 2015
Church Admin Project
Church Admin
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/.
CVE-2015-4084May 28, 2015
Free Counter
Free Counter
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php.
CVE-2015-4065May 27, 2015
Landing Pages Project
Landing Pages
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php.
CVE-2015-4063May 27, 2015
Newstatpress Project
Newstatpress
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php.
CVE-2012-4901May 20, 2015
Template Cms Project
Template CMS
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.
CVE-2012-1664May 20, 2015
Oscmax
Oscmax
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in osCMax before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in a process action to admin/login.php; (2) pageTitle, (3) current_product_id, or (4) cPath…
CVE-2015-3300May 14, 2015
risk 0.03cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via the (1) billing_firstname, (2)…