CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,306)

page 688 of 966

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-3936	Microsoft Forefront Unified Access Gateway	0.03	—	0.42	Nov 10, 2010	Cross-site scripting (XSS) vulnerability in Signurl.asp in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "XSS in Signurl.asp Vulnerability."
CVE-2010-3077	Horde (software) Application Framework	0.03	—	0.01	Nov 9, 2010	Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter.
CVE-2010-3977	Deliciousdays Cforms	0.03	—	0.01	Nov 3, 2010	Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.
CVE-2010-3841	TWiki Twiki	0.03	—	0.00	Oct 18, 2010	Multiple cross-site scripting (XSS) vulnerabilities in lib/TWiki.pm in TWiki before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the rev parameter to the view script or (2) the query string to the login script.
CVE-2010-3489	Digitalworkroom CMS Digital Workroom	0.03	—	0.02	Sep 22, 2010	Cross-site scripting (XSS) vulnerability in netautor/napro4/home/login2.php in CMS Digital Workroom (formerly Netautor Professional) 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the goback parameter.
CVE-2010-3314	Egroupware Egroupware	0.03	—	0.02	Sep 22, 2010	Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
CVE-2010-3462	Mollify Mollify	0.03	—	0.01	Sep 17, 2010	Cross-site scripting (XSS) vulnerability in backend/plugin/Registration/index.php in Mollify 1.6, 1.6.5.5, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the confirm parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-3457	Getsymphony Symphony	0.03	—	0.02	Sep 17, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
CVE-2010-3425	Smartertools Smarterstats	0.03	—	0.03	Sep 16, 2010	Cross-site scripting (XSS) vulnerability in UserControls/Popups/frmHelp.aspx in SmarterStats 5.3, 5.3.3819, and possibly other 5.3 versions, allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVE-2010-3202	Flock Flock	0.03	—	0.02	Sep 13, 2010	Cross-site scripting (XSS) vulnerability in Flock Browser 3.0.0.3989 allows remote attackers to inject arbitrary web script or HTML via a crafted bookmark.
CVE-2010-3003	Microfocus Insight Diagnostics	0.03	—	0.00	Sep 10, 2010	Cross-site scripting (XSS) vulnerability in HP Insight Diagnostics Online Edition before 8.5.0-11 on Linux allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4991	Omnistaretools Omnistar Recruiting	0.03	—	0.00	Aug 25, 2010	Cross-site scripting (XSS) vulnerability in users/resume_register.php in Omnistar Recruiting allows remote attackers to inject arbitrary web script or HTML via the job2 parameter.
CVE-2009-4989	Aj Square Aj Auction Pro Oopd	0.03	—	0.03	Aug 25, 2010	Cross-site scripting (XSS) vulnerability in index.php in AJ Auction Pro OOPD 3.0 allows remote attackers to inject arbitrary web script or HTML via the txtkeyword parameter in a search action.
CVE-2009-4984	Websitesrus Accessories Me PHP Affiliate Script	0.03	—	0.01	Aug 25, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Accessories Me PHP Affiliate Script 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) Keywords parameter to search.php and (2) SearchIndex parameter to browse.php.
CVE-2009-4983	Snowhall Silurus System	0.03	—	0.00	Aug 25, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Silurus Classifieds 1.0 allow remote attackers to inject arbitrary web script or HTML via the ID parameter to (1) category.php and (2) wcategory.php, and the (3) keywords parameter to search.php.
CVE-2010-2544	Cacti (software) Cacti	0.03	—	0.06	Aug 23, 2010	Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote attackers to inject arbitrary web script or HTML via the filter parameter.
CVE-2010-2917	Aj Square Aj Article	0.03	—	0.06	Jul 30, 2010	Multiple cross-site scripting (XSS) vulnerabilities in index.php in AJ Square AJ Article 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) emailid, (2) fname, (3) lname, (4) company, (5) address1, (6) address2, (7) city, (8) state, (9) zipcode, (10) phone, and (11) fax parameters in an update action. NOTE: some of these details are obtained from third party information.
CVE-2010-2858	Boesch It Simpnews	0.03	—	0.04	Jul 25, 2010	Multiple cross-site scripting (XSS) vulnerabilities in news.php in SimpNews 2.47.03 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) layout and (2) sortorder parameters.
CVE-2010-2856	Oscss Oscss	0.03	—	0.01	Jul 25, 2010	Cross-site scripting (XSS) vulnerability in admin/currencies.php in osCSS 1.2.2, and probably earlier versions, allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2010-2846	Gonzalo Maser Com Artforms	0.03	—	0.02	Jul 25, 2010	Cross-site scripting (XSS) vulnerability in the InterJoomla ArtForms (com_artforms) component 2.1b7.2 RC2 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the afmsg parameter to index.php.

CVE-2010-3936Nov 10, 2010
Microsoft
Forefront Unified Access Gateway
risk 0.03cvss —epss 0.42
Cross-site scripting (XSS) vulnerability in Signurl.asp in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "XSS in Signurl.asp Vulnerability."
CVE-2010-3077Nov 9, 2010
Horde (software)
Application Framework
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter.
CVE-2010-3977Nov 3, 2010
Deliciousdays
Cforms
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.
CVE-2010-3841Oct 18, 2010
TWiki
Twiki
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in lib/TWiki.pm in TWiki before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the rev parameter to the view script or (2) the query string to the login script.
CVE-2010-3489Sep 22, 2010
Digitalworkroom
CMS Digital Workroom
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in netautor/napro4/home/login2.php in CMS Digital Workroom (formerly Netautor Professional) 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the goback parameter.
CVE-2010-3314Sep 22, 2010
Egroupware
Egroupware
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
CVE-2010-3462Sep 17, 2010
Mollify
Mollify
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in backend/plugin/Registration/index.php in Mollify 1.6, 1.6.5.5, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the confirm parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-3457Sep 17, 2010
Getsymphony
Symphony
risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
CVE-2010-3425Sep 16, 2010
Smartertools
Smarterstats
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in UserControls/Popups/frmHelp.aspx in SmarterStats 5.3, 5.3.3819, and possibly other 5.3 versions, allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVE-2010-3202Sep 13, 2010
Flock
Flock
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Flock Browser 3.0.0.3989 allows remote attackers to inject arbitrary web script or HTML via a crafted bookmark.
CVE-2010-3003Sep 10, 2010
Microfocus
Insight Diagnostics
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in HP Insight Diagnostics Online Edition before 8.5.0-11 on Linux allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4991Aug 25, 2010
Omnistaretools
Omnistar Recruiting
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in users/resume_register.php in Omnistar Recruiting allows remote attackers to inject arbitrary web script or HTML via the job2 parameter.
CVE-2009-4989Aug 25, 2010
Aj Square
Aj Auction Pro Oopd
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in index.php in AJ Auction Pro OOPD 3.0 allows remote attackers to inject arbitrary web script or HTML via the txtkeyword parameter in a search action.
CVE-2009-4984Aug 25, 2010
Websitesrus
Accessories Me PHP Affiliate Script
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Accessories Me PHP Affiliate Script 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) Keywords parameter to search.php and (2) SearchIndex parameter to browse.php.
CVE-2009-4983Aug 25, 2010
Snowhall
Silurus System
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Silurus Classifieds 1.0 allow remote attackers to inject arbitrary web script or HTML via the ID parameter to (1) category.php and (2) wcategory.php, and the (3) keywords parameter to search.php.
CVE-2010-2544Aug 23, 2010
Cacti (software)
Cacti
risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote attackers to inject arbitrary web script or HTML via the filter parameter.
CVE-2010-2917Jul 30, 2010
Aj Square
Aj Article
risk 0.03cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in index.php in AJ Square AJ Article 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) emailid, (2) fname, (3) lname, (4) company, (5) address1, (6) address2, (7) city, (8) state, (9) zipcode, (10) phone, and (11) fax parameters in an update action. NOTE: some of these details are obtained from third party information.
CVE-2010-2858Jul 25, 2010
Boesch It
Simpnews
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in news.php in SimpNews 2.47.03 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) layout and (2) sortorder parameters.
CVE-2010-2856Jul 25, 2010
Oscss
Oscss
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in admin/currencies.php in osCSS 1.2.2, and probably earlier versions, allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2010-2846Jul 25, 2010
Gonzalo Maser
Com Artforms
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the InterJoomla ArtForms (com_artforms) component 2.1b7.2 RC2 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the afmsg parameter to index.php.