CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,297)

page 708 of 965

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6431	Bmforum Bmforum	0.03	—	0.01	Mar 6, 2009	Multiple cross-site scripting (XSS) vulnerabilities in BMForum 5.6 allow remote attackers to inject arbitrary web script or HTML via the (1) outpused parameter to index.php, the (2) footer_copyright and (3) verandproname parameters to newtem/footer/bsd01footer.php, and the (4) topads and (5) myplugin parameters to newtem/header/bsd01header.php.
CVE-2008-6406	Datalifecms Datalife Engine	0.03	—	0.00	Mar 6, 2009	Cross-site scripting (XSS) vulnerability in admin.php in DataLife Engine (DLE) 7.2 allows remote attackers to inject arbitrary web script or HTML via the query string.
CVE-2008-6404	Extrosoft Thyme	0.03	—	0.00	Mar 6, 2009	Cross-site scripting (XSS) vulnerability in add_calendars.php in eXtrovert Software Thyme 1.3 allows remote attackers to inject arbitrary web script or HTML via the callback parameter.
CVE-2009-0764	Bookelves Kipper	0.03	—	0.00	Mar 6, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Kipper 2.01 allow remote attackers to inject arbitrary web script or HTML via the charm parameter to (1) index.php and (2) kipper.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-0763	Bookelves Kipper	0.03	—	0.04	Mar 6, 2009	Cross-site scripting (XSS) vulnerability in default.php in Kipper 2.01 allows remote attackers to inject arbitrary web script or HTML via the charm parameter.
CVE-2009-0761	Team5.team Board 10	0.03	—	0.01	Mar 6, 2009	Cross-site scripting (XSS) vulnerability in online.asp in Team Board 1.x allows remote attackers to inject arbitrary web script or HTML via the lookname parameter.
CVE-2009-0814	Blogsa Blogsa	0.03	—	0.02	Mar 5, 2009	Cross-site scripting (XSS) vulnerability in Widgets.aspx in Blogsa 1.0 Beta 3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchText parameter.
CVE-2008-6396	Celerondude Uploader	0.03	—	0.02	Mar 4, 2009	Cross-site scripting (XSS) vulnerability in account.php in Celerondude Uploader 6.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6386	1scripts Z1exchange	0.03	—	0.02	Mar 2, 2009	Cross-site scripting (XSS) vulnerability in showads.php in Z1Exchange 1.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2008-6385	—	0.03	—	0.02	Mar 2, 2009	Cross-site scripting (XSS) vulnerability in index.php in W3matter RevSense 1.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.
CVE-2008-6370	Ocean12 Technologies Contact Manager Pro	0.03	—	0.04	Mar 2, 2009	Cross-site scripting (XSS) vulnerability in default.asp in Ocean12 Contact Manager Pro 1.02 allows remote attackers to inject arbitrary web script or HTML via the DisplayFormat parameter.
CVE-2008-6351	Turnkeyforms Local Classifieds	0.03	—	0.04	Mar 2, 2009	Cross-site scripting (XSS) vulnerability in listtest.php in TurnkeyForms Local Classifieds allows remote attackers to inject arbitrary web script or HTML via the r parameter.
CVE-2008-6325	Softbizscripts Classifieds Script	0.03	—	0.00	Feb 27, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Classifieds Script allow remote attackers to inject arbitrary web script or HTML via the (1) radio parameter to showcategory.php, (2) msg parameter to advertisers/signinform.php, (3) radio parameter to gallery.php, (4) msg parameter to lostpassword.php, (5) radio parameter to showcategory.php, (6) msg parameter to admin/adminhome.php, and (7) msg parameter to admin/index.php. NOTE: a different signinform.php file is already covered by CVE-2008-6306.
CVE-2008-6306	Softbizscripts Classifieds Script	0.03	—	0.00	Feb 26, 2009	Cross-site scripting (XSS) vulnerability in signinform.php in Softbiz Classifieds Script allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6297	Dhcart Dhcart	0.03	—	0.02	Feb 26, 2009	Cross-site scripting (XSS) vulnerability in order.php in DHCart allows remote attackers to inject arbitrary web script or HTML via the (1) domain and (2) d1 parameters.
CVE-2008-6278	Rakhisoftware Rakhisoftware Shopping Cart	0.03	—	0.01	Feb 25, 2009	Multiple cross-site scripting (XSS) vulnerabilities in product.php in RakhiSoftware Price Comparison Script (aka Shopping Cart) allow remote attackers to inject arbitrary web script or HTML via the (1) category_id and (2) subcategory_id parameters.
CVE-2009-0541	Adobe Inc. Magento	0.03	—	0.01	Feb 25, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Magento 1.2.0 and 1.2.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username field in an admin/ request to index.php, possibly related to the login[username] parameter and the app/code/core/Mage/Admin/Model/Session.php login function; (2) the email address field in an admin/index/forgotpassword/ request to index.php, possibly related to the email parameter and the app/code/core/Mage/Adminhtml/controllers/IndexController.php forgotpasswordAction function; or (3) the return parameter to the default URI under downloader/.
CVE-2008-6267	Sadi Samami Multi Languages Webshop Online	0.03	—	0.03	Feb 25, 2009	Cross-site scripting (XSS) vulnerability in detail.php in Multi Languages WebShop Online 1.02 allows remote attackers to inject arbitrary web script or HTML via the name parameter.
CVE-2008-6259	Quadcomm Q Shop	0.03	—	0.04	Feb 24, 2009	Cross-site scripting (XSS) vulnerability in search.asp in QuadComm Q-Shop 3.0, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the srkeys parameter.
CVE-2008-6248	Galatolo Galatolo Webmanager	0.03	—	0.04	Feb 23, 2009	Cross-site scripting (XSS) vulnerability in all.php in Galatolo WebManager 1.3a and earlier allows remote attackers to inject arbitrary web script or HTML via the tag parameter.

CVE-2008-6431Mar 6, 2009
Bmforum
Bmforum
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in BMForum 5.6 allow remote attackers to inject arbitrary web script or HTML via the (1) outpused parameter to index.php, the (2) footer_copyright and (3) verandproname parameters to newtem/footer/bsd01footer.php, and the (4) topads and (5) myplugin parameters to newtem/header/bsd01header.php.
CVE-2008-6406Mar 6, 2009
Datalifecms
Datalife Engine
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in admin.php in DataLife Engine (DLE) 7.2 allows remote attackers to inject arbitrary web script or HTML via the query string.
CVE-2008-6404Mar 6, 2009
Extrosoft
Thyme
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in add_calendars.php in eXtrovert Software Thyme 1.3 allows remote attackers to inject arbitrary web script or HTML via the callback parameter.
CVE-2009-0764Mar 6, 2009
Bookelves
Kipper
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Kipper 2.01 allow remote attackers to inject arbitrary web script or HTML via the charm parameter to (1) index.php and (2) kipper.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-0763Mar 6, 2009
Bookelves
Kipper
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in default.php in Kipper 2.01 allows remote attackers to inject arbitrary web script or HTML via the charm parameter.
CVE-2009-0761Mar 6, 2009
Team5.team Board
10
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in online.asp in Team Board 1.x allows remote attackers to inject arbitrary web script or HTML via the lookname parameter.
CVE-2009-0814Mar 5, 2009
Blogsa
Blogsa
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Widgets.aspx in Blogsa 1.0 Beta 3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchText parameter.
CVE-2008-6396Mar 4, 2009
Celerondude
Uploader
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in account.php in Celerondude Uploader 6.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6386Mar 2, 2009
1scripts
Z1exchange
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in showads.php in Z1Exchange 1.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2008-6385Mar 2, 2009
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in W3matter RevSense 1.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.
CVE-2008-6370Mar 2, 2009
Ocean12 Technologies
Contact Manager Pro
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in default.asp in Ocean12 Contact Manager Pro 1.02 allows remote attackers to inject arbitrary web script or HTML via the DisplayFormat parameter.
CVE-2008-6351Mar 2, 2009
Turnkeyforms
Local Classifieds
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in listtest.php in TurnkeyForms Local Classifieds allows remote attackers to inject arbitrary web script or HTML via the r parameter.
CVE-2008-6325Feb 27, 2009
Softbizscripts
Classifieds Script
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Classifieds Script allow remote attackers to inject arbitrary web script or HTML via the (1) radio parameter to showcategory.php, (2) msg parameter to advertisers/signinform.php, (3) radio parameter to gallery.php, (4) msg parameter to lostpassword.php, (5) radio parameter to showcategory.php, (6) msg parameter to admin/adminhome.php, and (7) msg parameter to admin/index.php. NOTE: a different signinform.php file is already covered by CVE-2008-6306.
CVE-2008-6306Feb 26, 2009
Softbizscripts
Classifieds Script
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in signinform.php in Softbiz Classifieds Script allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6297Feb 26, 2009
Dhcart
Dhcart
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in order.php in DHCart allows remote attackers to inject arbitrary web script or HTML via the (1) domain and (2) d1 parameters.
CVE-2008-6278Feb 25, 2009
Rakhisoftware
Rakhisoftware Shopping Cart
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in product.php in RakhiSoftware Price Comparison Script (aka Shopping Cart) allow remote attackers to inject arbitrary web script or HTML via the (1) category_id and (2) subcategory_id parameters.
CVE-2009-0541Feb 25, 2009
Adobe Inc.
Magento
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Magento 1.2.0 and 1.2.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username field in an admin/ request to index.php, possibly related to the login[username] parameter and the app/code/core/Mage/Admin/Model/Session.php login function; (2) the email address field in an admin/index/forgotpassword/ request to index.php, possibly related to the email parameter and the app/code/core/Mage/Adminhtml/controllers/IndexController.php forgotpasswordAction function; or (3) the return parameter to the default URI under downloader/.
CVE-2008-6267Feb 25, 2009
Sadi Samami
Multi Languages Webshop Online
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in detail.php in Multi Languages WebShop Online 1.02 allows remote attackers to inject arbitrary web script or HTML via the name parameter.
CVE-2008-6259Feb 24, 2009
Quadcomm
Q Shop
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in search.asp in QuadComm Q-Shop 3.0, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the srkeys parameter.
CVE-2008-6248Feb 23, 2009
Galatolo
Galatolo Webmanager
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in all.php in Galatolo WebManager 1.3a and earlier allows remote attackers to inject arbitrary web script or HTML via the tag parameter.