CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,329)

page 686 of 967

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-4913	Coldgen Coldusergroup	0.03	—	0.03	Oct 8, 2011	Cross-site scripting (XSS) vulnerability in the search feature in ColdGen ColdUserGroup 1.06 allows remote attackers to inject arbitrary web script or HTML via the Keywords parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-4909	Mechbunny Paysitereviewcms	0.03	—	0.01	Oct 8, 2011	Multiple cross-site scripting (XSS) vulnerabilities in PaysiteReviewCMS 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to search.php or the (2) image parameter to image.php.
CVE-2010-4907	Zenphoto Zenphoto	0.03	—	0.05	Oct 8, 2011	Cross-site scripting (XSS) vulnerability in zp-core/admin.php in Zenphoto 1.3 allows remote attackers to inject arbitrary web script or HTML via the user parameter. NOTE: the from parameter is already covered by CVE-2009-4562.
CVE-2010-4901	Squiz Mysource Matrix	0.03	—	0.06	Oct 8, 2011	Multiple cross-site scripting (XSS) vulnerabilities in char_map.php in MySource Matrix 3.28.3 allow remote attackers to inject arbitrary web script or HTML via the (1) height or (2) width parameter.
CVE-2010-4893	Festengine Festos	0.03	—	0.02	Oct 8, 2011	Cross-site scripting (XSS) vulnerability in foodvendors.php in FestOS 2.3b allows remote attackers to inject arbitrary web script or HTML via the category parameter in a details action.
CVE-2010-4882	Ventics Auto CMS	0.03	—	0.03	Oct 7, 2011	Cross-site scripting (XSS) vulnerability in autocms.php in Auto CMS 1.6 allows remote attackers to inject arbitrary web script or HTML via the sitetitle parameter.
CVE-2010-4877	Insanevisions Onecms	0.03	—	0.01	Oct 7, 2011	Cross-site scripting (XSS) vulnerability in index.php in OneCMS 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the view parameter.
CVE-2010-4875	Xondie Vodpod Video Gallery	0.03	—	0.02	Oct 7, 2011	Cross-site scripting (XSS) vulnerability in vodpod-video-gallery/vodpod_gallery_thumbs.php in the Vodpod Video Gallery Plugin 3.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gid parameter.
CVE-2010-4868	W Agora W Agora	0.03	—	0.01	Oct 5, 2011	Cross-site scripting (XSS) vulnerability in search.php3 (aka search.php) in W-Agora 4.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the bn parameter.
CVE-2010-4863	Get Simple Getsimplecms	0.03	—	0.04	Oct 5, 2011	Cross-site scripting (XSS) vulnerability in admin/changedata.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the post-title parameter.
CVE-2011-3865	Ulyssesonline Black Letterhead	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the Black-LetterHead theme before 1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3863	Post Scriptum Redline	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the RedLine theme before 1.66 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3862	Adazing Morning Coffee	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the Morning Coffee theme before 3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3861	Webminimalist Web Minimalist 200901	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the Web Minimalist 200901 theme before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3860	Onedesigns Cover Wp	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the Cover WP theme before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3859	Themehybrid Trending	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the Trending theme before 0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
CVE-2011-3858	Zespia Pixiv Custom	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the Pixiv Custom theme before 2.1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3856	Atastypixel Elegant Grunge	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the Elegant Grunge theme before 1.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3855	Graphpaperpress F8 Lite	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the F8 Lite theme before 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3852	Theme4press Evolve	0.03	—	0.00	Sep 28, 2011	Cross-site scripting (XSS) vulnerability in the EvoLve theme before 1.2.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.

CVE-2010-4913Oct 8, 2011
Coldgen
Coldusergroup
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the search feature in ColdGen ColdUserGroup 1.06 allows remote attackers to inject arbitrary web script or HTML via the Keywords parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-4909Oct 8, 2011
Mechbunny
Paysitereviewcms
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in PaysiteReviewCMS 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to search.php or the (2) image parameter to image.php.
CVE-2010-4907Oct 8, 2011
Zenphoto
Zenphoto
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in zp-core/admin.php in Zenphoto 1.3 allows remote attackers to inject arbitrary web script or HTML via the user parameter. NOTE: the from parameter is already covered by CVE-2009-4562.
CVE-2010-4901Oct 8, 2011
Squiz
Mysource Matrix
risk 0.03cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in char_map.php in MySource Matrix 3.28.3 allow remote attackers to inject arbitrary web script or HTML via the (1) height or (2) width parameter.
CVE-2010-4893Oct 8, 2011
Festengine
Festos
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in foodvendors.php in FestOS 2.3b allows remote attackers to inject arbitrary web script or HTML via the category parameter in a details action.
CVE-2010-4882Oct 7, 2011
Ventics
Auto CMS
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in autocms.php in Auto CMS 1.6 allows remote attackers to inject arbitrary web script or HTML via the sitetitle parameter.
CVE-2010-4877Oct 7, 2011
Insanevisions
Onecms
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in OneCMS 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the view parameter.
CVE-2010-4875Oct 7, 2011
Xondie
Vodpod Video Gallery
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in vodpod-video-gallery/vodpod_gallery_thumbs.php in the Vodpod Video Gallery Plugin 3.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gid parameter.
CVE-2010-4868Oct 5, 2011
W Agora
W Agora
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in search.php3 (aka search.php) in W-Agora 4.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the bn parameter.
CVE-2010-4863Oct 5, 2011
Get Simple
Getsimplecms
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in admin/changedata.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the post-title parameter.
CVE-2011-3865Sep 28, 2011
Ulyssesonline
Black Letterhead
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Black-LetterHead theme before 1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3863Sep 28, 2011
Post Scriptum
Redline
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the RedLine theme before 1.66 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3862Sep 28, 2011
Adazing
Morning Coffee
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Morning Coffee theme before 3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3861Sep 28, 2011
Webminimalist
Web Minimalist 200901
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Web Minimalist 200901 theme before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3860Sep 28, 2011
Onedesigns
Cover Wp
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Cover WP theme before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3859Sep 28, 2011
Themehybrid
Trending
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Trending theme before 0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
CVE-2011-3858Sep 28, 2011
Zespia
Pixiv Custom
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Pixiv Custom theme before 2.1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3856Sep 28, 2011
Atastypixel
Elegant Grunge
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Elegant Grunge theme before 1.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3855Sep 28, 2011
Graphpaperpress
F8 Lite
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the F8 Lite theme before 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3852Sep 28, 2011
Theme4press
Evolve
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the EvoLve theme before 1.2.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.