CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,333)

page 678 of 967

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2012-5341	Otterware Statit	0.03	—	0.03	Oct 9, 2012	Multiple cross-site scripting (XSS) vulnerabilities in statistik.php in Otterware StatIt 4 allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter, (2) show parameter in a stat_tld action, or (3) order parameter in a stat_abfragen action.
CVE-2012-5330	Nasir Khan Asaancart	0.03	—	0.01	Oct 8, 2012	Multiple cross-site scripting (XSS) vulnerabilities in asaanCart 0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to calc.php, (2) chat.php, (3) register.php, or (4) index.php in libs/smarty_ajax/; or the (5) page parameter to libs/smarty_ajax/index.php.
CVE-2012-5315	Php Ireport Project PHP Ireport	0.03	—	0.01	Oct 8, 2012	Multiple cross-site scripting (XSS) vulnerabilities in php ireport 1.0 allow remote attackers to inject arbitrary web script or HTML via the message parameter to (1) messages_viewer.php, (2) home.php, or (3) history.php.
CVE-2011-4909	Joomla Joomla!	0.03	—	0.00	Oct 7, 2012	Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.5.12 allow remote attackers to inject arbitrary web script or HTML via the HTTP_REFERER header to (1) components/com_content/views/article/tmpl/form.php, (2) components/com_user/controller.php, (3) plugins/system/legacy/html.php, or (4) templates/beez/html/com_content/article/form.php.
CVE-2012-5295	Fusetalk. Fusetalk	0.03	—	0.01	Oct 4, 2012	Cross-site scripting (XSS) vulnerability in login.cfm in FuseTalk Forums 3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the windowed parameter.
CVE-2011-5207	Thecartpress Thecartpress	0.03	—	0.04	Oct 4, 2012	Cross-site scripting (XSS) vulnerability in admin/OptionsPostsList.php in the TheCartPress plugin for WordPress before 1.1.6 before 2011-12-31 allows remote attackers to inject arbitrary web script or HTML via the tcp_name_post_XXXXX parameter.
CVE-2012-0989	Oneorzero Action And Information Management System	0.03	—	0.01	Oct 1, 2012	Cross-site scripting (XSS) vulnerability in OneOrZero AIMS 2.8.0 Trial Edition build231211 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2012-5229	WordPress Slideshow Gallery2	0.03	—	0.01	Oct 1, 2012	Cross-site scripting (XSS) vulnerability in css/gallery-css.php in the Slideshow Gallery2 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the border parameter.
CVE-2012-5226	Peel Peel Shopping	0.03	—	0.01	Oct 1, 2012	Multiple cross-site scripting (XSS) vulnerabilities in Peel SHOPPING 2.8 and 2.9 allow remote attackers to inject arbitrary web script or HTML via the (1) motclef parameter to achat/recherche.php or (2) PATH_INFO to index.php.
CVE-2012-5225	Eliteweaver Xclick Cart	0.03	—	0.04	Oct 1, 2012	Cross-site scripting (XSS) vulnerability in webscr.php in xClick Cart 1.0.1 and 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the shopping_url parameter.
CVE-2012-1898	Wolfcms Wolf CMS	0.03	—	0.02	Oct 1, 2012	Multiple cross-site scripting (XSS) vulnerabilities in wolfcms/admin/user/add in Wolf CMS 0.75 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user[name], (2) user[email], or (3) user[username] parameters.
CVE-2011-4551	Tiki Tikiwiki CMS\/groupware	0.03	—	0.05	Oct 1, 2012	Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.
CVE-2012-5102	Dariusz Handzlik Vertrigoserv	0.03	—	0.01	Sep 23, 2012	Cross-site scripting (XSS) vulnerability in inc/extensions.php in VertrigoServ 2.25 allows remote attackers to inject arbitrary web script or HTML via the ext parameter.
CVE-2012-5099	Phpb2b Phpb2b	0.03	—	0.01	Sep 23, 2012	Cross-site scripting (XSS) vulnerability in list.php in PHPB2B 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the q parameter in a search action.
CVE-2011-5193	Phpace Samswhois	0.03	—	0.01	Sep 23, 2012	Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.
CVE-2011-5186	Burnsy Jbshop Plugin	0.03	—	0.01	Sep 20, 2012	Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop plugin for e107 7 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter.
CVE-2011-5185	Realmatrix Online Subtitles Workshop	0.03	—	0.01	Sep 20, 2012	Cross-site scripting (XSS) vulnerability in video_comments.php in Online Subtitles Workshop before 2.0 rev 131 allows remote attackers to inject arbitrary web script or HTML via the comment parameter.
CVE-2011-5184	Microfocus Network Node Manager I	0.03	—	0.03	Sep 20, 2012	Multiple cross-site scripting (XSS) vulnerabilities in HP Network Node Manager i 9.10 allow remote attackers to inject arbitrary web script or HTML via the (1) node parameter to nnm/mibdiscover; (2) nodename parameter to nnm/protected/configurationpoll.jsp, (3) nnm/protected/ping.jsp, (4) nnm/protected/statuspoll.jsp, or (5) nnm/protected/traceroute.jsp; or (6) field parameter to nmm/validate. NOTE: this might be a duplicate of CVE-2011-4155 or CVE-2011-4156.
CVE-2011-5182	WordPress Lanoba Social Plugin	0.03	—	0.02	Sep 20, 2012	Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf.
CVE-2011-5181	Clickdesk Clickdesk Live Support Live Chat Plugin	0.03	—	0.02	Sep 20, 2012	Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. NOTE: some of these details are obtained from third party information.

CVE-2012-5341Oct 9, 2012
Otterware
Statit
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in statistik.php in Otterware StatIt 4 allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter, (2) show parameter in a stat_tld action, or (3) order parameter in a stat_abfragen action.
CVE-2012-5330Oct 8, 2012
Nasir Khan
Asaancart
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in asaanCart 0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to calc.php, (2) chat.php, (3) register.php, or (4) index.php in libs/smarty_ajax/; or the (5) page parameter to libs/smarty_ajax/index.php.
CVE-2012-5315Oct 8, 2012
Php Ireport Project
PHP Ireport
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in php ireport 1.0 allow remote attackers to inject arbitrary web script or HTML via the message parameter to (1) messages_viewer.php, (2) home.php, or (3) history.php.
CVE-2011-4909Oct 7, 2012
Joomla
Joomla!
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.5.12 allow remote attackers to inject arbitrary web script or HTML via the HTTP_REFERER header to (1) components/com_content/views/article/tmpl/form.php, (2) components/com_user/controller.php, (3) plugins/system/legacy/html.php, or (4) templates/beez/html/com_content/article/form.php.
CVE-2012-5295Oct 4, 2012
Fusetalk.
Fusetalk
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in login.cfm in FuseTalk Forums 3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the windowed parameter.
CVE-2011-5207Oct 4, 2012
Thecartpress
Thecartpress
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in admin/OptionsPostsList.php in the TheCartPress plugin for WordPress before 1.1.6 before 2011-12-31 allows remote attackers to inject arbitrary web script or HTML via the tcp_name_post_XXXXX parameter.
CVE-2012-0989Oct 1, 2012
Oneorzero
Action And Information Management System
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in OneOrZero AIMS 2.8.0 Trial Edition build231211 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2012-5229Oct 1, 2012
WordPress
Slideshow Gallery2
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in css/gallery-css.php in the Slideshow Gallery2 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the border parameter.
CVE-2012-5226Oct 1, 2012
Peel
Peel Shopping
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Peel SHOPPING 2.8 and 2.9 allow remote attackers to inject arbitrary web script or HTML via the (1) motclef parameter to achat/recherche.php or (2) PATH_INFO to index.php.
CVE-2012-5225Oct 1, 2012
Eliteweaver
Xclick Cart
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in webscr.php in xClick Cart 1.0.1 and 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the shopping_url parameter.
CVE-2012-1898Oct 1, 2012
Wolfcms
Wolf CMS
risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in wolfcms/admin/user/add in Wolf CMS 0.75 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user[name], (2) user[email], or (3) user[username] parameters.
CVE-2011-4551Oct 1, 2012
Tiki
Tikiwiki CMS\/groupware
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.
CVE-2012-5102Sep 23, 2012
Dariusz Handzlik
Vertrigoserv
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in inc/extensions.php in VertrigoServ 2.25 allows remote attackers to inject arbitrary web script or HTML via the ext parameter.
CVE-2012-5099Sep 23, 2012
Phpb2b
Phpb2b
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in list.php in PHPB2B 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the q parameter in a search action.
CVE-2011-5193Sep 23, 2012
Phpace
Samswhois
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.
CVE-2011-5186Sep 20, 2012
Burnsy
Jbshop Plugin
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop plugin for e107 7 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter.
CVE-2011-5185Sep 20, 2012
Realmatrix
Online Subtitles Workshop
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in video_comments.php in Online Subtitles Workshop before 2.0 rev 131 allows remote attackers to inject arbitrary web script or HTML via the comment parameter.
CVE-2011-5184Sep 20, 2012
Microfocus
Network Node Manager I
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in HP Network Node Manager i 9.10 allow remote attackers to inject arbitrary web script or HTML via the (1) node parameter to nnm/mibdiscover; (2) nodename parameter to nnm/protected/configurationpoll.jsp, (3) nnm/protected/ping.jsp, (4) nnm/protected/statuspoll.jsp, or (5) nnm/protected/traceroute.jsp; or (6) field parameter to nmm/validate. NOTE: this might be a duplicate of CVE-2011-4155 or CVE-2011-4156.
CVE-2011-5182Sep 20, 2012
WordPress
Lanoba Social Plugin
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf.
CVE-2011-5181Sep 20, 2012
Clickdesk
Clickdesk Live Support Live Chat Plugin
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. NOTE: some of these details are obtained from third party information.