CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (19,297)
page 707 of 965

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-1218 | | | 0.03 | — | 0.02 | | Apr 1, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Sun Calendar Express Web Server in Sun ONE Calendar Server 6.0 and Sun Java System Calendar Server 6 2004Q2 through 6.3-7.01 allow remote attackers to inject arbitrary web script or HTML via (1) the fmt-out parameter to login.wcap or (2) the date parameter to command.shtml. |
| CVE-2009-1204 | | | 0.03 | — | 0.04 | | Apr 1, 2009 | Cross-site scripting (XSS) vulnerability in TikiWiki (Tiki) CMS/Groupware 2.2 allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to (1) tiki-galleries.php, (2) tiki-list_file_gallery.php, (3) tiki-listpages.php, and (4) tiki-orphan_pages.php. |
| CVE-2008-6565 | | | 0.03 | — | 0.00 | | Mar 31, 2009 | Cross-site scripting (XSS) vulnerability in Invision Power Board 2.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via an IFRAME tag in the signature. |
| CVE-2008-6562 | | | 0.03 | — | 0.00 | | Mar 31, 2009 | Cross-site scripting (XSS) vulnerability in jax_linklists.php in Jack (tR) Jax LinkLists 1.00 allows remote attackers to inject arbitrary web script or HTML via the cat parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2005-4879 | | | 0.03 | — | 0.00 | | Mar 31, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in jax_guestbook.php in Jax Guestbook 3.1 and 3.31 allow remote attackers to inject arbitrary web script or HTML via the (1) gmt_ofs and (2) language parameters. NOTE: the page parameter is already covered by CVE-2006-1913. NOTE: it was later reported that 3.50 is also affected. |
| CVE-2008-6550 | | | 0.03 | — | 0.01 | | Mar 30, 2009 | Cross-site scripting (XSS) vulnerability in glossaire.php in Glossaire 2.0 allows remote attackers to inject arbitrary web script or HTML via the letter parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2008-6529 | | | 0.03 | — | 0.04 | | Mar 26, 2009 | Cross-site scripting (XSS) vulnerability in listtest.php in eZoneScripts Living Local 1.1 allows remote attackers to inject arbitrary web script or HTML via the r parameter. |
| CVE-2009-1070 | | | 0.03 | — | 0.03 | | Mar 26, 2009 | Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter. |
| CVE-2009-1067 | | | 0.03 | — | 0.05 | | Mar 26, 2009 | Cross-site scripting (XSS) vulnerability in index.php in Pixie CMS 1.01a allows remote attackers to inject arbitrary web script or HTML via the x parameter. |
| CVE-2008-6515 | | | 0.03 | — | 0.02 | | Mar 24, 2009 | Cross-site scripting (XSS) vulnerability in Fritz Berger yet another php photo album - next generation (yappa-ng) allows remote attackers to inject arbitrary web script or HTML via the query string to the default URI. |
| CVE-2008-6503 | | | 0.03 | — | 0.01 | | Mar 20, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/login.php and (2) order.php. |
| CVE-2008-6501 | | | 0.03 | — | 0.04 | | Mar 20, 2009 | Cross-site scripting (XSS) vulnerability in profiles/index.php in Pro Chat Rooms 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the gud parameter. |
| CVE-2008-6500 | | | 0.03 | — | 0.03 | | Mar 20, 2009 | Cross-site scripting (XSS) vulnerability in CodeToad ASP Shopping Cart Script allows remote attackers to inject arbitrary web script or HTML via the query string to the default URI. |
| CVE-2009-1030 | | | 0.03 | — | 0.02 | | Mar 20, 2009 | Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header. |
| CVE-2008-6495 | | | 0.03 | — | 0.02 | | Mar 20, 2009 | Cross-site scripting (XSS) vulnerability in index.php in Fritz Berger yet another php photo album - next generation (yappa-ng) 2.3.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter. |
| CVE-2008-6476 | | | 0.03 | — | 0.01 | | Mar 16, 2009 | Cross-site scripting (XSS) vulnerability in blog/search.aspx in BlogEngine.NET allows remote attackers to inject arbitrary web script or HTML via the q parameter. |
| CVE-2009-0781 | | | 0.03 | — | 0.37 | | Mar 9, 2009 | Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." |
| CVE-2008-6439 | | | 0.03 | — | 0.01 | | Mar 6, 2009 | Cross-site scripting (XSS) vulnerability in search_results.php in ABK-Soft AbleDating 2.4 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. |
| CVE-2008-6437 | | | 0.03 | — | 0.01 | | Mar 6, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in PHPFreeForum 1.0 RC2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to error.php, and the (2) nickname and (3) randomid parameters to part/menu.php. |
| CVE-2008-6435 | | | 0.03 | — | 0.00 | | Mar 6, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in phpSQLiteCMS 1 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) lang[home], (2) lang[admin_menu], and (3) lang[admin_menu_page_overview] parameters to cms/includes/header.inc.php; and the (4) lang[login_username] and (5) lang[login_password] parameters to cms/includes/login.inc.php. |