CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,306)

page 691 of 966

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-4868	Hitronsoft Answer Me	0.03	—	0.00	May 11, 2010	Cross-site scripting (XSS) vulnerability in Hitron Soft Answer Me 1.0 allows remote attackers to inject arbitrary web script or HTML via the q_id parameter to the answers script (aka answers.php). NOTE: some of these details are obtained from third party information.
CVE-2009-4864	I Escorts I Escorts Directory Script	0.03	—	0.00	May 11, 2010	Multiple cross-site scripting (XSS) vulnerabilities in escorts_search.php in I-Escorts Directory Script and Agency Script allow remote attackers to inject arbitrary web script or HTML via the (1) search_name and (2) languages parameters. NOTE: some of these details are obtained from third party information.
CVE-2009-4858	Turnkeyforms Yahoo Answers Clone	0.03	—	0.00	May 11, 2010	Cross-site scripting (XSS) vulnerability in questiondetail.php in Yahoo Answers Clone allows remote attackers to inject arbitrary web script or HTML via the questionid parameter.
CVE-2009-4857	Ecomstudio PHP Photo Vote1.3f	0.03	—	0.01	May 11, 2010	Cross-site scripting (XSS) vulnerability in login.php in PHP Photo Vote 1.3F allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2009-4856	Ecomstudio PHP Easy Shopping Cart	0.03	—	0.01	May 11, 2010	Cross-site scripting (XSS) vulnerability in subitems.php in PHP Easy Shopping Cart 3.1R allows remote attackers to inject arbitrary web script or HTML via the name parameter.
CVE-2010-1856	Realitymedias Repairshop2	0.03	—	0.01	May 7, 2010	Cross-site scripting (XSS) vulnerability in index.php in RepairShop2 1.9.023 Trial, when magic_quotes_gpc is disabled, allows remote attackers to inject arbitrary web script or HTML via the prod parameter in a products.details action.
CVE-2010-1453	Matomo Matomo	0.03	—	0.02	May 7, 2010	Cross-site scripting (XSS) vulnerability in the Login form in Piwik 0.1.6 through 0.5.5 allows remote attackers to inject arbitrary web script or HTML via the form_url parameter.
CVE-2010-1143	VMware View Manager	0.03	—	0.01	May 7, 2010	Cross-site scripting (XSS) vulnerability in VMware View (formerly Virtual Desktop Manager or VDM) 3.1.x before 3.1.3 build 252693 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-1746	Toolsjx Com Grid	0.03	—	0.00	May 6, 2010	Multiple cross-site scripting (XSS) vulnerabilities in the Table JX (com_grid) component for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) data_search and (2) rpp parameters to index.php.
CVE-2010-1742	Satyadeep Scratcher	0.03	—	0.04	May 6, 2010	Cross-site scripting (XSS) vulnerability in projects.php in Scratcher allows remote attackers to inject arbitrary web script or HTML via the show parameter.
CVE-2010-1724	Zikula Zikula Application Framework	0.03	—	0.03	May 6, 2010	Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php.
CVE-2010-1712	Webmobo Wbnews	0.03	—	0.01	May 4, 2010	Multiple cross-site scripting (XSS) vulnerabilities in base/Comments.php in Webmobo WB News 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name and possibly (2) message parameters. NOTE: some of these details are obtained from third party information.
CVE-2010-1711	Ramoncastro Siestta	0.03	—	0.04	May 4, 2010	Cross-site scripting (XSS) vulnerability in carga_foto_al.php in Siestta 2.0, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the usuario parameter.
CVE-2010-1703	2daybiz Polls Script	0.03	—	0.06	May 4, 2010	Multiple cross-site scripting (XSS) vulnerabilities in index_search.php in 2daybiz Polls (aka Advanced Poll) Script allow remote attackers to inject arbitrary web script or HTML via the (1) category parameter or (2) search field.
CVE-2010-1662	Jcink PHP Quick Arcade	0.03	—	0.02	May 3, 2010	Cross-site scripting (XSS) vulnerability in acpmoderate.php in PHP-Quick-Arcade (PHPQA) 3.0.21 allows remote attackers to inject arbitrary web script or HTML via the serv parameter.
CVE-2010-1606	Ncrypted Nct Jobs Portal Script	0.03	—	0.01	Apr 29, 2010	Multiple cross-site scripting (XSS) vulnerabilities in NCT Jobs Portal Script allow remote attackers to inject arbitrary web script or HTML via the (1) search, (2) Keywords, (3) Tags, or (4) Desired City field.
CVE-2009-4823	CPanel Cpanel	0.03	—	0.02	Apr 27, 2010	Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.
CVE-2009-4822	Kasseler Cms Kasseler CMS	0.03	—	0.01	Apr 27, 2010	Multiple cross-site scripting (XSS) vulnerabilities in index.php in Kasseler CMS 1.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) do, (2) id, and (3) uname parameters.
CVE-2009-4814	Wolfram Research Webmathematica	0.03	—	0.02	Apr 27, 2010	Cross-site scripting (XSS) vulnerability in Wolfram Research webMathematica allows remote attackers to inject arbitrary web script or HTML via the URI to the MSP script.
CVE-2009-4813	MyBB Mybb	0.03	—	0.02	Apr 27, 2010	Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.

CVE-2009-4868May 11, 2010
Hitronsoft
Answer Me
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Hitron Soft Answer Me 1.0 allows remote attackers to inject arbitrary web script or HTML via the q_id parameter to the answers script (aka answers.php). NOTE: some of these details are obtained from third party information.
CVE-2009-4864May 11, 2010
I Escorts
I Escorts Directory Script
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in escorts_search.php in I-Escorts Directory Script and Agency Script allow remote attackers to inject arbitrary web script or HTML via the (1) search_name and (2) languages parameters. NOTE: some of these details are obtained from third party information.
CVE-2009-4858May 11, 2010
Turnkeyforms
Yahoo Answers Clone
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in questiondetail.php in Yahoo Answers Clone allows remote attackers to inject arbitrary web script or HTML via the questionid parameter.
CVE-2009-4857May 11, 2010
Ecomstudio
PHP Photo Vote1.3f
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in login.php in PHP Photo Vote 1.3F allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2009-4856May 11, 2010
Ecomstudio
PHP Easy Shopping Cart
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in subitems.php in PHP Easy Shopping Cart 3.1R allows remote attackers to inject arbitrary web script or HTML via the name parameter.
CVE-2010-1856May 7, 2010
Realitymedias
Repairshop2
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in RepairShop2 1.9.023 Trial, when magic_quotes_gpc is disabled, allows remote attackers to inject arbitrary web script or HTML via the prod parameter in a products.details action.
CVE-2010-1453May 7, 2010
Matomo
Matomo
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Login form in Piwik 0.1.6 through 0.5.5 allows remote attackers to inject arbitrary web script or HTML via the form_url parameter.
CVE-2010-1143May 7, 2010
VMware
View Manager
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in VMware View (formerly Virtual Desktop Manager or VDM) 3.1.x before 3.1.3 build 252693 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-1746May 6, 2010
Toolsjx
Com Grid
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in the Table JX (com_grid) component for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) data_search and (2) rpp parameters to index.php.
CVE-2010-1742May 6, 2010
Satyadeep
Scratcher
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in projects.php in Scratcher allows remote attackers to inject arbitrary web script or HTML via the show parameter.
CVE-2010-1724May 6, 2010
Zikula
Zikula Application Framework
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php.
CVE-2010-1712May 4, 2010
Webmobo
Wbnews
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in base/Comments.php in Webmobo WB News 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name and possibly (2) message parameters. NOTE: some of these details are obtained from third party information.
CVE-2010-1711May 4, 2010
Ramoncastro
Siestta
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in carga_foto_al.php in Siestta 2.0, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the usuario parameter.
CVE-2010-1703May 4, 2010
2daybiz
Polls Script
risk 0.03cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in index_search.php in 2daybiz Polls (aka Advanced Poll) Script allow remote attackers to inject arbitrary web script or HTML via the (1) category parameter or (2) search field.
CVE-2010-1662May 3, 2010
Jcink
PHP Quick Arcade
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in acpmoderate.php in PHP-Quick-Arcade (PHPQA) 3.0.21 allows remote attackers to inject arbitrary web script or HTML via the serv parameter.
CVE-2010-1606Apr 29, 2010
Ncrypted
Nct Jobs Portal Script
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in NCT Jobs Portal Script allow remote attackers to inject arbitrary web script or HTML via the (1) search, (2) Keywords, (3) Tags, or (4) Desired City field.
CVE-2009-4823Apr 27, 2010
CPanel
Cpanel
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.
CVE-2009-4822Apr 27, 2010
Kasseler Cms
Kasseler CMS
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Kasseler CMS 1.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) do, (2) id, and (3) uname parameters.
CVE-2009-4814Apr 27, 2010
Wolfram Research
Webmathematica
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Wolfram Research webMathematica allows remote attackers to inject arbitrary web script or HTML via the URI to the MSP script.
CVE-2009-4813Apr 27, 2010
MyBB
Mybb
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.