CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,306)

page 689 of 966

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-2844	Newanz Newsoffice	0.03	—	0.02	Jul 25, 2010	Cross-site scripting (XSS) vulnerability in news_show.php in Newanz NewsOffice 2.0.18 allows remote attackers to inject arbitrary web script or HTML via the n-cat parameter.
CVE-2009-4939	Impactsoftcompany Adpeeps	0.03	—	0.03	Jul 22, 2010	Multiple cross-site scripting (XSS) vulnerabilities in index.php in AdPeeps 8.5d1 allow remote attackers to inject arbitrary web script or HTML via the (1) uid parameter, (2) uid parameter in a login_lookup action, (3) uid parameter in an adminlogin action, (4) campaignid parameter in a createcampaign action, (5) type parameter in a view_account_stats action, (6) period parameter in a view_account_stats action, (7) uid parameter in a view_adrates action, (8) accname parameter in an account_confirmation action, (9) loginpass parameter in an account_confirmation action, (10) e9 parameter in a setup_account action, (11) from parameter in an email_advertisers action, (12) message parameter in an email_advertisers action, (13) idno parameter in an edit_ad_package action, (14) Advertiser Name field, (15) First Name field, (16) Last Name field, (17) Address field, (18) Phone Number field, (19) Password Hint field, or (20) URL field; and (21) allow remote authenticated users to inject arbitrary web script or HTML via an unspecified form associated with a view_adrates action.
CVE-2010-2715	Tcwonline Tcw PHP Album	0.03	—	0.00	Jul 13, 2010	Cross-site scripting (XSS) vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the album parameter.
CVE-2010-2700	Edgephp Clickbank Affiliate Marketplace Script	0.03	—	0.00	Jul 12, 2010	Cross-site scripting (XSS) vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVE-2010-2698	Sijio Community Software	0.03	—	0.00	Jul 12, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Sijio Community Software allow remote authenticated users to inject arbitrary web script or HTML via the title parameter when (1) editing a new blog, (2) adding an album, or (3) editing an album. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2010-2697	Sijio Community Software	0.03	—	0.00	Jul 12, 2010	Cross-site scripting (XSS) vulnerability in Sijio Community Software allows remote authenticated users to inject arbitrary web script or HTML via the title parameter when adding a new blog, related to edit_blog/index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-4934	Esoftpro Online Photo Pro	0.03	—	0.01	Jul 12, 2010	Cross-site scripting (XSS) vulnerability in index.php in Online Photo Pro 2.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.
CVE-2009-4926	Esoftpro Online Contact Manager	0.03	—	0.01	Jul 12, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Online Contact Manager (formerly EContact PRO) 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) showGroup parameter to (a) index.php and the (2) id parameter to (b) view.php, (c) email.php, (d) edit.php, and (e) delete.php.
CVE-2010-2675	Alanzard Tsoka\	0.03	—	0.00	Jul 8, 2010	Cross-site scripting (XSS) vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an articolo action.
CVE-2010-2669	Novo Ws Orbis CMS	0.03	—	0.02	Jul 8, 2010	Cross-site scripting (XSS) vulnerability in admin/editors/text/editor-body.php in Orbis CMS 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2010-2654	IBM Advanced Management Module	0.03	—	0.03	Jul 8, 2010	Multiple cross-site scripting (XSS) vulnerabilities on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allow remote attackers to inject arbitrary web script or HTML via the (1) INDEX or (2) IPADDR parameter to private/cindefn.php, (3) the domain parameter to private/power_management_policy_options.php, the slot parameter to (4) private/pm_temp.php or (5) private/power_module.php, (6) the WEBINDEX parameter to private/blade_leds.php, or (7) the SLOT parameter to private/ipmi_bladestatus.php.
CVE-2010-2617	Paul Mcenery PHP Bible Search	0.03	—	0.01	Jul 2, 2010	Cross-site scripting (XSS) vulnerability in bible.php in PHP Bible Search allows remote attackers to inject arbitrary web script or HTML via the chapter parameter.
CVE-2010-2615	Grafik Power Grafik CMS	0.03	—	0.00	Jul 2, 2010	Multiple cross-site scripting (XSS) vulnerabilities in admin/admin.php in Grafik CMS 1.1.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) page_menu and (2) description parameters in an edit_page action.
CVE-2010-2613	Harmistechnology Com Awd Song	0.03	—	0.02	Jul 2, 2010	Cross-site scripting (XSS) vulnerability in the JExtensions JE Awd Song (com_awd_song) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the song review field, which is not properly handled in a view action to index.php.
CVE-2010-2509	2daybiz Web Template Software	0.03	—	0.00	Jun 28, 2010	Multiple cross-site scripting (XSS) vulnerabilities in 2daybiz Web Template Software allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to category.php and the (2) password parameter to memberlogin.php.
CVE-2010-2464	Rsjoomla Com Rscomments	0.03	—	0.04	Jun 25, 2010	Multiple cross-site scripting (XSS) vulnerabilities in the RSComments (com_rscomments) component 1.0.0 Rev 2 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website and (2) name parameters to index.php.
CVE-2010-2463	Jamroom Jamroom	0.03	—	0.00	Jun 25, 2010	Cross-site scripting (XSS) vulnerability in forum.php in Jamroom before 4.1.9 allows remote attackers to inject arbitrary web script or HTML via the post_id parameter in a modify action.
CVE-2010-2458	2daybiz Video Community Portal Script	0.03	—	0.04	Jun 25, 2010	Cross-site scripting (XSS) vulnerability in video.php in 2daybiz Video Community Portal Script 1.0 allows remote attackers to inject arbitrary web script or HTML via the videoid parameter.
CVE-2010-2457	Qsoft Inc K Search	0.03	—	0.00	Jun 25, 2010	Cross-site scripting (XSS) vulnerability in index.php in K-Search allows remote attackers to inject arbitrary web script or HTML via the term parameter.
CVE-2009-4908	Dootzky Oblog	0.03	—	0.03	Jun 25, 2010	Multiple cross-site scripting (XSS) vulnerabilities in oBlog allow remote attackers to inject arbitrary web script or HTML via the (1) commentName, (2) commentEmail, (3) commentWeb, or (4) commentText parameter to article.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via the (5) article_id or (6) title parameter to admin/write.php, the (7) category_id or (8) category_name parameter to admin/groups.php, the (9) blogroll_id or (10) title parameter to admin/blogroll.php, or the (11) blog_name or (12) tag_line parameter to admin/settings.php.

CVE-2010-2844Jul 25, 2010
Newanz
Newsoffice
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in news_show.php in Newanz NewsOffice 2.0.18 allows remote attackers to inject arbitrary web script or HTML via the n-cat parameter.
CVE-2009-4939Jul 22, 2010
Impactsoftcompany
Adpeeps
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in index.php in AdPeeps 8.5d1 allow remote attackers to inject arbitrary web script or HTML via the (1) uid parameter, (2) uid parameter in a login_lookup action, (3) uid parameter in an adminlogin action, (4) campaignid parameter in a createcampaign action, (5) type parameter in a view_account_stats action, (6) period parameter in a view_account_stats action, (7) uid parameter in a view_adrates action, (8) accname parameter in an account_confirmation action, (9) loginpass parameter in an account_confirmation action, (10) e9 parameter in a setup_account action, (11) from parameter in an email_advertisers action, (12) message parameter in an email_advertisers action, (13) idno parameter in an edit_ad_package action, (14) Advertiser Name field, (15) First Name field, (16) Last Name field, (17) Address field, (18) Phone Number field, (19) Password Hint field, or (20) URL field; and (21) allow remote authenticated users to inject arbitrary web script or HTML via an unspecified form associated with a view_adrates action.
CVE-2010-2715Jul 13, 2010
Tcwonline
Tcw PHP Album
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the album parameter.
CVE-2010-2700Jul 12, 2010
Edgephp
Clickbank Affiliate Marketplace Script
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVE-2010-2698Jul 12, 2010
Sijio
Community Software
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Sijio Community Software allow remote authenticated users to inject arbitrary web script or HTML via the title parameter when (1) editing a new blog, (2) adding an album, or (3) editing an album. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2010-2697Jul 12, 2010
Sijio
Community Software
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Sijio Community Software allows remote authenticated users to inject arbitrary web script or HTML via the title parameter when adding a new blog, related to edit_blog/index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-4934Jul 12, 2010
Esoftpro
Online Photo Pro
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in Online Photo Pro 2.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.
CVE-2009-4926Jul 12, 2010
Esoftpro
Online Contact Manager
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Online Contact Manager (formerly EContact PRO) 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) showGroup parameter to (a) index.php and the (2) id parameter to (b) view.php, (c) email.php, (d) edit.php, and (e) delete.php.
CVE-2010-2675Jul 8, 2010
Alanzard
Tsoka\
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an articolo action.
CVE-2010-2669Jul 8, 2010
Novo Ws
Orbis CMS
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in admin/editors/text/editor-body.php in Orbis CMS 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2010-2654Jul 8, 2010
IBM
Advanced Management Module
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allow remote attackers to inject arbitrary web script or HTML via the (1) INDEX or (2) IPADDR parameter to private/cindefn.php, (3) the domain parameter to private/power_management_policy_options.php, the slot parameter to (4) private/pm_temp.php or (5) private/power_module.php, (6) the WEBINDEX parameter to private/blade_leds.php, or (7) the SLOT parameter to private/ipmi_bladestatus.php.
CVE-2010-2617Jul 2, 2010
Paul Mcenery
PHP Bible Search
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in bible.php in PHP Bible Search allows remote attackers to inject arbitrary web script or HTML via the chapter parameter.
CVE-2010-2615Jul 2, 2010
Grafik Power
Grafik CMS
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in admin/admin.php in Grafik CMS 1.1.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) page_menu and (2) description parameters in an edit_page action.
CVE-2010-2613Jul 2, 2010
Harmistechnology
Com Awd Song
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the JExtensions JE Awd Song (com_awd_song) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the song review field, which is not properly handled in a view action to index.php.
CVE-2010-2509Jun 28, 2010
2daybiz
Web Template Software
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in 2daybiz Web Template Software allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to category.php and the (2) password parameter to memberlogin.php.
CVE-2010-2464Jun 25, 2010
Rsjoomla
Com Rscomments
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in the RSComments (com_rscomments) component 1.0.0 Rev 2 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website and (2) name parameters to index.php.
CVE-2010-2463Jun 25, 2010
Jamroom
Jamroom
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in forum.php in Jamroom before 4.1.9 allows remote attackers to inject arbitrary web script or HTML via the post_id parameter in a modify action.
CVE-2010-2458Jun 25, 2010
2daybiz
Video Community Portal Script
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in video.php in 2daybiz Video Community Portal Script 1.0 allows remote attackers to inject arbitrary web script or HTML via the videoid parameter.
CVE-2010-2457Jun 25, 2010
Qsoft Inc
K Search
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in K-Search allows remote attackers to inject arbitrary web script or HTML via the term parameter.
CVE-2009-4908Jun 25, 2010
Dootzky
Oblog
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in oBlog allow remote attackers to inject arbitrary web script or HTML via the (1) commentName, (2) commentEmail, (3) commentWeb, or (4) commentText parameter to article.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via the (5) article_id or (6) title parameter to admin/write.php, the (7) category_id or (8) category_name parameter to admin/groups.php, the (9) blogroll_id or (10) title parameter to admin/blogroll.php, or the (11) blog_name or (12) tag_line parameter to admin/settings.php.