CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,306)

page 693 of 966

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-4713	Alexandre Amaral Xoops Celepar	0.03	—	0.02	Mar 15, 2010	Multiple cross-site scripting (XSS) vulnerabilities in the Qas (aka Quas) module for XOOPS Celepar allow remote attackers to inject arbitrary web script or HTML via (1) the cod_categoria parameter to categoria.php, (2) the opcao parameter to index.php, and the PATH_INFO to (3) categoria.php and (4) index.php.
CVE-2009-4699	Skadate Skadate Online Dating Software	0.03	—	0.03	Mar 15, 2010	Multiple cross-site scripting (XSS) vulnerabilities in SkaDate Dating allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/auth.php and (2) file_uploader.php.
CVE-2009-4697	Radscripts Radnics	0.03	—	0.01	Mar 10, 2010	Multiple cross-site scripting (XSS) vulnerabilities in index.php in RadNICS Gold 5 allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter in a ulist action and the (2) fid parameter in a view_forum action.
CVE-2009-4694	Radscripts Radlance	0.03	—	0.01	Mar 10, 2010	Cross-site scripting (XSS) vulnerability in index.php in RadScripts RadLance Gold 7.5 allows remote attackers to inject arbitrary web script or HTML via the fid parameter in a view_forum action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-4692	Radscripts Radlance	0.03	—	0.01	Mar 10, 2010	Cross-site scripting (XSS) vulnerability in index.php in RadScripts RadLance Gold 7.5 allows remote attackers to inject arbitrary web script or HTML via the pr parameter in a ulist action.
CVE-2009-4690	Yourfreeworld Programs Rating Script	0.03	—	0.04	Mar 10, 2010	Multiple cross-site scripting (XSS) vulnerabilities in YourFreeWorld Programs Rating Script allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) rate.php and (2) postcomments.php.
CVE-2009-4688	Resalecode PHP Shopping Cart Selling Website Script	0.03	—	0.01	Mar 10, 2010	Multiple cross-site scripting (XSS) vulnerabilities in index.php in PHP Shopping Cart Selling Website Script allow remote attackers to inject arbitrary web script or HTML via the (1) txtkeywords and (2) cid parameters.
CVE-2009-4686	Phplemon Adquick	0.03	—	0.02	Mar 10, 2010	Cross-site scripting (XSS) vulnerability in account.php in phplemon AdQuick 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the red_url parameter.
CVE-2009-4685	Phpscriptsnow Astrology	0.03	—	0.02	Mar 10, 2010	Cross-site scripting (XSS) vulnerability in celebrities.php in PHP Scripts Now Astrology allows remote attackers to inject arbitrary web script or HTML via the day parameter.
CVE-2009-4684	Edgephp Ezodiak	0.03	—	0.01	Mar 10, 2010	Cross-site scripting (XSS) vulnerability in index.php in EZodiak allows remote attackers to inject arbitrary web script or HTML via the sign parameter.
CVE-2009-4682	Scriptsez Good\/bad Vote	0.03	—	0.02	Mar 10, 2010	Cross-site scripting (XSS) vulnerability in vote.php in Good/Bad Vote allows remote attackers to inject arbitrary web script or HTML via the id parameter in a vote action.
CVE-2009-4681	Phpdirectorysource Phpdirectorysource	0.03	—	0.03	Mar 10, 2010	Cross-site scripting (XSS) vulnerability in search.php in phpDirectorySource 1.x allows remote attackers to inject arbitrary web script or HTML via the st parameter.
CVE-2010-0936	Dlink Dkvm Ip8	0.03	—	0.01	Mar 8, 2010	Cross-site scripting (XSS) vulnerability in auth.asp on the D-LINK DKVM-IP8 with firmware 2282_dlinkA4_p8_20071213 allows remote attackers to inject arbitrary web script or HTML via the nickname parameter.
CVE-2009-4678	Winn Winn Guestbook	0.03	—	0.02	Mar 8, 2010	Cross-site scripting (XSS) vulnerability in index.php in Winn Guestbook 2.4 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2010-0804	Netartmedia Iboutique	0.03	—	0.01	Mar 2, 2010	Cross-site scripting (XSS) vulnerability in index.php in iBoutique 4.0 allows remote attackers to inject arbitrary web script or HTML via the key parameter in a products action.
CVE-2010-0725	Mhd Zaher Ghaibeh Arab Cart	0.03	—	0.03	Feb 26, 2010	Cross-site scripting (XSS) vulnerability in showimg.php in Arab Cart 1.0.2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2010-0714	IBM Websphere Portal	0.03	—	0.01	Feb 26, 2010	Cross-site scripting (XSS) vulnerability in login.jsp in IBM WebSphere Portal, IBM Lotus Web Content Management (WCM), and IBM Lotus Workplace Web Content Management 5.1.0.0 through 5.1.0.5, 6.0.0.0 through 6.0.0.4, 6.0.1.0 through 6.0.1.7, 6.1.0.0 through 6.1.0.3, and 6.1.5.0; and IBM Lotus Quickr services 8.0, 8.0.0.2, 8.1, 8.1.1, and 8.1.1.1 for WebSphere Portal; allows remote attackers to inject arbitrary web script or HTML via the query string.
CVE-2010-0706	Subex Nikira Fraud Management System	0.03	—	0.01	Feb 25, 2010	Cross-site scripting (XSS) vulnerability in the login/prompt component in Subex Nikira Fraud Management System allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2010-0703	Portwise SSL VPN	0.03	—	0.06	Feb 23, 2010	Cross-site scripting (XSS) vulnerability in wa/auth in PortWise SSL VPN 4.6 allows remote attackers to inject arbitrary web script or HTML via the reloadFrame parameter.
CVE-2010-0700	Wampserver Wampserver	0.03	—	0.06	Feb 23, 2010	Cross-site scripting (XSS) vulnerability in index.php in WampServer 2.0i allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

CVE-2009-4713Mar 15, 2010
Alexandre Amaral
Xoops Celepar
risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Qas (aka Quas) module for XOOPS Celepar allow remote attackers to inject arbitrary web script or HTML via (1) the cod_categoria parameter to categoria.php, (2) the opcao parameter to index.php, and the PATH_INFO to (3) categoria.php and (4) index.php.
CVE-2009-4699Mar 15, 2010
Skadate
Skadate Online Dating Software
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in SkaDate Dating allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/auth.php and (2) file_uploader.php.
CVE-2009-4697Mar 10, 2010
Radscripts
Radnics
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.php in RadNICS Gold 5 allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter in a ulist action and the (2) fid parameter in a view_forum action.
CVE-2009-4694Mar 10, 2010
Radscripts
Radlance
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in RadScripts RadLance Gold 7.5 allows remote attackers to inject arbitrary web script or HTML via the fid parameter in a view_forum action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-4692Mar 10, 2010
Radscripts
Radlance
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in RadScripts RadLance Gold 7.5 allows remote attackers to inject arbitrary web script or HTML via the pr parameter in a ulist action.
CVE-2009-4690Mar 10, 2010
Yourfreeworld
Programs Rating Script
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in YourFreeWorld Programs Rating Script allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) rate.php and (2) postcomments.php.
CVE-2009-4688Mar 10, 2010
Resalecode
PHP Shopping Cart Selling Website Script
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.php in PHP Shopping Cart Selling Website Script allow remote attackers to inject arbitrary web script or HTML via the (1) txtkeywords and (2) cid parameters.
CVE-2009-4686Mar 10, 2010
Phplemon
Adquick
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in account.php in phplemon AdQuick 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the red_url parameter.
CVE-2009-4685Mar 10, 2010
Phpscriptsnow
Astrology
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in celebrities.php in PHP Scripts Now Astrology allows remote attackers to inject arbitrary web script or HTML via the day parameter.
CVE-2009-4684Mar 10, 2010
Edgephp
Ezodiak
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in EZodiak allows remote attackers to inject arbitrary web script or HTML via the sign parameter.
CVE-2009-4682Mar 10, 2010
Scriptsez
Good\/bad Vote
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in vote.php in Good/Bad Vote allows remote attackers to inject arbitrary web script or HTML via the id parameter in a vote action.
CVE-2009-4681Mar 10, 2010
Phpdirectorysource
Phpdirectorysource
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in search.php in phpDirectorySource 1.x allows remote attackers to inject arbitrary web script or HTML via the st parameter.
CVE-2010-0936Mar 8, 2010
Dlink
Dkvm Ip8
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in auth.asp on the D-LINK DKVM-IP8 with firmware 2282_dlinkA4_p8_20071213 allows remote attackers to inject arbitrary web script or HTML via the nickname parameter.
CVE-2009-4678Mar 8, 2010
Winn
Winn Guestbook
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in Winn Guestbook 2.4 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2010-0804Mar 2, 2010
Netartmedia
Iboutique
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in iBoutique 4.0 allows remote attackers to inject arbitrary web script or HTML via the key parameter in a products action.
CVE-2010-0725Feb 26, 2010
Mhd Zaher Ghaibeh
Arab Cart
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in showimg.php in Arab Cart 1.0.2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2010-0714Feb 26, 2010
IBM
Websphere Portal
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in login.jsp in IBM WebSphere Portal, IBM Lotus Web Content Management (WCM), and IBM Lotus Workplace Web Content Management 5.1.0.0 through 5.1.0.5, 6.0.0.0 through 6.0.0.4, 6.0.1.0 through 6.0.1.7, 6.1.0.0 through 6.1.0.3, and 6.1.5.0; and IBM Lotus Quickr services 8.0, 8.0.0.2, 8.1, 8.1.1, and 8.1.1.1 for WebSphere Portal; allows remote attackers to inject arbitrary web script or HTML via the query string.
CVE-2010-0706Feb 25, 2010
Subex
Nikira Fraud Management System
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the login/prompt component in Subex Nikira Fraud Management System allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2010-0703Feb 23, 2010
Portwise
SSL VPN
risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in wa/auth in PortWise SSL VPN 4.6 allows remote attackers to inject arbitrary web script or HTML via the reloadFrame parameter.
CVE-2010-0700Feb 23, 2010
Wampserver
Wampserver
risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in index.php in WampServer 2.0i allows remote attackers to inject arbitrary web script or HTML via the lang parameter.