CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (22,695)
page 675 of 1,135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-9516 | 0.03 | — | 0.00 | Jan 5, 2015 | Cross-site scripting (XSS) vulnerability in Social Microblogging PRO 1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI, related to the "Web Site" input in the Profile section. | |||
| CVE-2014-9439 | 0.03 | — | 0.01 | Jan 2, 2015 | Cross-site scripting (XSS) vulnerability in Easy File Sharing Web Server 6.8 allows remote attackers to inject arbitrary web script or HTML via the username field during registration, which is not properly handled by forum.ghp. | |||
| CVE-2014-9434 | 0.03 | — | 0.01 | Jan 2, 2015 | Cross-site scripting (XSS) vulnerability in admin/managerrelated.php in the administrative backend in Absolut Engine 1.73 allows remote authenticated users to inject arbitrary web script or HTML via the title parameter. | |||
| CVE-2011-5283 | 0.03 | — | 0.03 | Dec 31, 2014 | Cross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web script or HTML via the IP parameter in a Run action. | |||
| CVE-2014-9349 | 0.03 | — | 0.03 | Dec 8, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in admin/robots.lib.php in RobotStats 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) nom or (2) user_agent parameter to admin/robots.php. | |||
| CVE-2014-9142 | 0.03 | — | 0.03 | Dec 5, 2014 | Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to inject arbitrary web script or HTML via the failrefer parameter. | |||
| CVE-2014-8800 | 0.03 | — | 0.02 | Dec 5, 2014 | Cross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_update_options action. | |||
| CVE-2014-9243 | 0.03 | — | 0.01 | Dec 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4)… | |||
| CVE-2014-9241 | 0.03 | — | 0.01 | Dec 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title… | |||
| CVE-2014-9236 | 0.03 | — | 0.01 | Dec 3, 2014 | Cross-site scripting (XSS) vulnerability in php/edit_photos.php in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) photographer_id or (2) _crumb parameter. | |||
| CVE-2014-8774 | 0.03 | — | 0.01 | Dec 3, 2014 | Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter. | |||
| CVE-2014-9179 | 0.03 | — | 0.00 | Dec 2, 2014 | Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket System plugin 1.2.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the "URL (optional)" field in a new ticket. | |||
| CVE-2014-9098 | 0.03 | — | 0.00 | Nov 26, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to… | |||
| CVE-2014-9004 | 0.03 | — | 0.00 | Nov 20, 2014 | Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php. | |||
| CVE-2014-8954 | 0.03 | — | 0.03 | Nov 17, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.php. | |||
| CVE-2014-2021 | 0.03 | — | 0.01 | Oct 25, 2014 | Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name. | |||
| CVE-2014-8380 | 0.03 | — | 0.03 | Oct 21, 2014 | Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a "404 Not Found" response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regression. | |||
| CVE-2012-5702 | 0.03 | — | 0.01 | Oct 21, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in… | |||
| CVE-2014-5276 | 0.03 | — | 0.01 | Oct 20, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture or (2) the edit parameter to profiles/index.php. | |||
| CVE-2014-2647 | 0.03 | — | 0.02 | Oct 19, 2014 | Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP Operations Manager (formerly OpenView Communications Broker) before 11.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
- CVE-2014-9516Jan 5, 2015risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Social Microblogging PRO 1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI, related to the "Web Site" input in the Profile section.
- CVE-2014-9439Jan 2, 2015risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Easy File Sharing Web Server 6.8 allows remote attackers to inject arbitrary web script or HTML via the username field during registration, which is not properly handled by forum.ghp.
- CVE-2014-9434Jan 2, 2015risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in admin/managerrelated.php in the administrative backend in Absolut Engine 1.73 allows remote authenticated users to inject arbitrary web script or HTML via the title parameter.
- CVE-2011-5283Dec 31, 2014risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web script or HTML via the IP parameter in a Run action.
- CVE-2014-9349Dec 8, 2014risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in admin/robots.lib.php in RobotStats 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) nom or (2) user_agent parameter to admin/robots.php.
- CVE-2014-9142Dec 5, 2014risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to inject arbitrary web script or HTML via the failrefer parameter.
- CVE-2014-8800Dec 5, 2014risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_update_options action.
- CVE-2014-9243Dec 3, 2014risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4)…
- CVE-2014-9241Dec 3, 2014risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title…
- CVE-2014-9236Dec 3, 2014risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in php/edit_photos.php in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) photographer_id or (2) _crumb parameter.
- CVE-2014-8774Dec 3, 2014risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter.
- CVE-2014-9179Dec 2, 2014risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket System plugin 1.2.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the "URL (optional)" field in a new ticket.
- CVE-2014-9098Nov 26, 2014risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to…
- CVE-2014-9004Nov 20, 2014risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a member_profile action to index.php.
- CVE-2014-8954Nov 17, 2014risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.php.
- CVE-2014-2021Oct 25, 2014risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
- CVE-2014-8380Oct 21, 2014risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a "404 Not Found" response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regression.
- CVE-2012-5702Oct 21, 2014risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in…
- CVE-2014-5276Oct 20, 2014risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture or (2) the edit parameter to profiles/index.php.
- CVE-2014-2647Oct 19, 2014risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP Operations Manager (formerly OpenView Communications Broker) before 11.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.