CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,297)

page 704 of 965

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-2145	Pantha Translucid	0.03	—	0.03	Jun 22, 2009	Multiple cross-site scripting (XSS) vulnerabilities in transLucid 1.75 allow remote attackers to inject arbitrary web script or HTML via the (a) NodeID and (b) action parameters to the default URI, and the (c) NodeID parameter to the default URI for the admin section; and allow remote authenticated users to inject arbitrary web script or HTML via the (d) Title (aka page name) and (e) Url fields in a (1) new or (2) modified page.
CVE-2009-2141	Tbdev Tbdev.net	0.03	—	0.03	Jun 22, 2009	Multiple cross-site scripting (XSS) vulnerabilities in TBDev.NET 01-01-08 allow remote attackers to inject arbitrary web script or HTML via (1) the returnto parameter to makepoll.php, (2) the returnto parameter in a delete action to polls.php, or the (3) Info or (4) Avatar field to my.php.
CVE-2009-2131	4homepages 4images	0.03	—	0.01	Jun 19, 2009	Cross-site scripting (XSS) vulnerability in 4images 1.7.7 and earlier allows remote authenticated users to inject arbitrary web script or HTML by providing a crafted user_homepage parameter to member.php, and then posting a comment associated with a picture.
CVE-2009-2127	Elvinbts Elvinbts	0.03	—	0.01	Jun 19, 2009	Cross-site scripting (XSS) vulnerability in show_activity.php in Elvin 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2009-2114	Skybluecanvas Skybluecanvas	0.03	—	0.01	Jun 18, 2009	Multiple cross-site scripting (XSS) vulnerabilities in admin.php in SkyBlueCanvas 1.1 r237 allow remote attackers to inject arbitrary web script or HTML via the (1) mgroup, (2) mgr, (3) objtype, (4) id, and (5) dir parameters.
CVE-2009-2107	Webmedia Explorer Webmedia Explorer	0.03	—	0.01	Jun 17, 2009	Multiple cross-site scripting (XSS) vulnerabilities in index.php in Webmedia Explorer (webmex) 5.09 and 5.10 allow remote attackers to inject arbitrary web script or HTML via event handlers such as onmouseover in the (1) search or (2) tag parameters; (3) arbitrary invalid parameter names that are not properly handled when triggered on a column; (4) bookmark parameter in an edit action; or (5) email parameter in a remember action.
CVE-2009-2033	Ricardo Alexandre De Oliveira Staudt Yogurt	0.03	—	0.02	Jun 12, 2009	Cross-site scripting (XSS) vulnerability in index.php in Yogurt 0.3 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
CVE-2009-1684	Apple Inc. Safari	0.03	—	0.02	Jun 10, 2009	Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to inject arbitrary web script or HTML via an event handler that triggers script execution in the context of the next loaded document.
CVE-2009-2020	Virtuenetz Virtue News Manager	0.03	—	0.01	Jun 9, 2009	Cross-site scripting (XSS) vulnerability in news_detail.php in Virtue News Manager allows remote attackers to inject arbitrary web script or HTML via the nid parameter.
CVE-2009-1951	Propertymaxpro Propertymax Pro Free	0.03	—	0.01	Jun 5, 2009	Cross-site scripting (XSS) vulnerability in index.php in PropertyMax Pro FREE 0.3 allows remote attackers to inject arbitrary web script or HTML via the pl parameter in a mi action.
CVE-2009-1938	Joomla Joomla!	0.03	—	0.00	Jun 5, 2009	Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to database output and the frontend administrative panel.
CVE-2009-1907	Claroline Claroline	0.03	—	0.03	Jun 4, 2009	Cross-site scripting (XSS) vulnerability in claroline/linker/notfound.php in Claroline 1.8.11 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header.
CVE-2009-1845	Lussumo Vanilla	0.03	—	0.01	Jun 1, 2009	Cross-site scripting (XSS) vulnerability in ajax/updatecheck.php in Lussumo Vanilla 1.1.5 and 1.1.7 allows remote attackers to inject arbitrary web script or HTML via the RequestName parameter.
CVE-2009-1820	2daybiz Custom T Shirt Design Script	0.03	—	0.03	May 29, 2009	Cross-site scripting (XSS) vulnerability in product.php in 2daybiz Custom T-shirt Design Script allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2009-1811	Collector Mygesuad	0.03	—	0.03	May 29, 2009	Multiple cross-site scripting (XSS) vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to inject arbitrary web script or HTML via (1) the Page parameter in a List action to modules/ereignis.php, (2) the Kontext parameter in a Search action to modules/kategorie.php, (3) the image parameter to modules/image.php, or (4) the ID parameter in a Detail action to modules/sitzung.php.
CVE-2009-1809	Collector Mycolex	0.03	—	0.03	May 29, 2009	Multiple cross-site scripting (XSS) vulnerabilities in myColex 1.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the year parameter to modules/kalender.php, (2) the Page parameter in a List action to modules/ereignis.php, (3) the Kontext parameter in a Search action to modules/kategorie.php, or (4) the image parameter to modules/image.php.
CVE-2009-1776	Matt Wright Formmail	0.03	—	0.00	May 22, 2009	Multiple cross-site scripting (XSS) vulnerabilities in FormMail.pl in Matt Wright FormMail 1.92, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via javascript: URIs in the (1) request and (2) return_link_url parameters.
CVE-2009-1749	Joost Horward Catviz	0.03	—	0.01	May 22, 2009	Multiple cross-site scripting (XSS) vulnerabilities in index.php in Catviz 0.4.0 beta 1 allow remote attackers to inject arbitrary web script or HTML via the (1) userman_form and (2) webpages_form parameters.
CVE-2009-1593	Armorlogic Profense Web Application Firewall	0.03	—	0.00	May 21, 2009	Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x before 2.4.4, does not properly implement the "negative model," which allows remote attackers to conduct cross-site scripting (XSS) attacks via a modified end tag of a SCRIPT element.
CVE-2009-1735	Omnisoftsol Vidsharepro	0.03	—	0.05	May 20, 2009	Cross-site scripting (XSS) vulnerability in search.php in VidSharePro allows remote attackers to inject arbitrary web script or HTML via the searchtxt parameter. NOTE: some of these details are obtained from third party information.

CVE-2009-2145Jun 22, 2009
Pantha
Translucid
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in transLucid 1.75 allow remote attackers to inject arbitrary web script or HTML via the (a) NodeID and (b) action parameters to the default URI, and the (c) NodeID parameter to the default URI for the admin section; and allow remote authenticated users to inject arbitrary web script or HTML via the (d) Title (aka page name) and (e) Url fields in a (1) new or (2) modified page.
CVE-2009-2141Jun 22, 2009
Tbdev
Tbdev.net
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in TBDev.NET 01-01-08 allow remote attackers to inject arbitrary web script or HTML via (1) the returnto parameter to makepoll.php, (2) the returnto parameter in a delete action to polls.php, or the (3) Info or (4) Avatar field to my.php.
CVE-2009-2131Jun 19, 2009
4homepages
4images
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in 4images 1.7.7 and earlier allows remote authenticated users to inject arbitrary web script or HTML by providing a crafted user_homepage parameter to member.php, and then posting a comment associated with a picture.
CVE-2009-2127Jun 19, 2009
Elvinbts
Elvinbts
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in show_activity.php in Elvin 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2009-2114Jun 18, 2009
Skybluecanvas
Skybluecanvas
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in SkyBlueCanvas 1.1 r237 allow remote attackers to inject arbitrary web script or HTML via the (1) mgroup, (2) mgr, (3) objtype, (4) id, and (5) dir parameters.
CVE-2009-2107Jun 17, 2009
Webmedia Explorer
Webmedia Explorer
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Webmedia Explorer (webmex) 5.09 and 5.10 allow remote attackers to inject arbitrary web script or HTML via event handlers such as onmouseover in the (1) search or (2) tag parameters; (3) arbitrary invalid parameter names that are not properly handled when triggered on a column; (4) bookmark parameter in an edit action; or (5) email parameter in a remember action.
CVE-2009-2033Jun 12, 2009
Ricardo Alexandre De Oliveira Staudt
Yogurt
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in Yogurt 0.3 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
CVE-2009-1684Jun 10, 2009
Apple Inc.
Safari
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to inject arbitrary web script or HTML via an event handler that triggers script execution in the context of the next loaded document.
CVE-2009-2020Jun 9, 2009
Virtuenetz
Virtue News Manager
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in news_detail.php in Virtue News Manager allows remote attackers to inject arbitrary web script or HTML via the nid parameter.
CVE-2009-1951Jun 5, 2009
Propertymaxpro
Propertymax Pro Free
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in PropertyMax Pro FREE 0.3 allows remote attackers to inject arbitrary web script or HTML via the pl parameter in a mi action.
CVE-2009-1938Jun 5, 2009
Joomla
Joomla!
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to database output and the frontend administrative panel.
CVE-2009-1907Jun 4, 2009
Claroline
Claroline
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in claroline/linker/notfound.php in Claroline 1.8.11 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header.
CVE-2009-1845Jun 1, 2009
Lussumo
Vanilla
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in ajax/updatecheck.php in Lussumo Vanilla 1.1.5 and 1.1.7 allows remote attackers to inject arbitrary web script or HTML via the RequestName parameter.
CVE-2009-1820May 29, 2009
2daybiz
Custom T Shirt Design Script
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in product.php in 2daybiz Custom T-shirt Design Script allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2009-1811May 29, 2009
Collector
Mygesuad
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to inject arbitrary web script or HTML via (1) the Page parameter in a List action to modules/ereignis.php, (2) the Kontext parameter in a Search action to modules/kategorie.php, (3) the image parameter to modules/image.php, or (4) the ID parameter in a Detail action to modules/sitzung.php.
CVE-2009-1809May 29, 2009
Collector
Mycolex
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in myColex 1.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the year parameter to modules/kalender.php, (2) the Page parameter in a List action to modules/ereignis.php, (3) the Kontext parameter in a Search action to modules/kategorie.php, or (4) the image parameter to modules/image.php.
CVE-2009-1776May 22, 2009
Matt Wright
Formmail
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in FormMail.pl in Matt Wright FormMail 1.92, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via javascript: URIs in the (1) request and (2) return_link_url parameters.
CVE-2009-1749May 22, 2009
Joost Horward
Catviz
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Catviz 0.4.0 beta 1 allow remote attackers to inject arbitrary web script or HTML via the (1) userman_form and (2) webpages_form parameters.
CVE-2009-1593May 21, 2009
Armorlogic
Profense Web Application Firewall
risk 0.03cvss —epss 0.00
Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x before 2.4.4, does not properly implement the "negative model," which allows remote attackers to conduct cross-site scripting (XSS) attacks via a modified end tag of a SCRIPT element.
CVE-2009-1735May 20, 2009
Omnisoftsol
Vidsharepro
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in search.php in VidSharePro allows remote attackers to inject arbitrary web script or HTML via the searchtxt parameter. NOTE: some of these details are obtained from third party information.