CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,297)

page 709 of 965

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-0710	Phpfootball Phpfootball	0.03	—	0.00	Feb 23, 2009	Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the user parameter to login.php or (2) the dbfield parameter to filter.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-0699	Plunet Business Manager	0.03	—	0.00	Feb 23, 2009	Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemeinauftrag.jsp in Plunet BusinessManager 4.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the (1) QUB and (2) Bez74 parameters.
CVE-2008-6217	Extrakt Extrakt Framework	0.03	—	0.00	Feb 20, 2009	Cross-site scripting (XSS) vulnerability in index.php in Extrakt Framework 0.7 allows remote attackers to inject arbitrary web script or HTML via the plugins[file][id] parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6215	Bookingcentre Booking System For Hotels Group	0.03	—	0.04	Feb 20, 2009	Cross-site scripting (XSS) vulnerability in cadena_ofertas_ext.php in Venalsur Booking Centre Booking System for Hotels Group allows remote attackers to inject arbitrary web script or HTML via the OfertaID parameter.
CVE-2008-6164	Dreamcost Hostadmin	0.03	—	0.00	Feb 20, 2009	Cross-site scripting (XSS) vulnerability in index.php in DreamCost HostAdmin 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2008-6212	Php Stats Phpstats	0.03	—	0.00	Feb 20, 2009	Cross-site scripting (XSS) vulnerability in admin.php in Php-Stats 0.1.9.1 allows remote attackers to inject arbitrary web script or HTML via the (1) sel_mese and (2) sel_anno parameters in a systems action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6211	Mcgallery Mcgallery	0.03	—	0.00	Feb 20, 2009	Multiple cross-site scripting (XSS) vulnerabilities in PhpForums.net mcGallery 1.1 allow remote attackers to inject arbitrary web script or HTML via the lang parameter to (1) admin.php, (2) index.php, (3) sess.php, (4) stats.php, (5) detail.php, (6) resize.php, and (7) show.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6205	Xaaaaav38 Urlstreet	0.03	—	0.00	Feb 20, 2009	Cross-site scripting (XSS) vulnerability in seeurl.php in Xavier Flahaut URLStreet 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) language, (2) order, and (3) filter parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6200	Dokuwiki Swiki	0.03	—	0.00	Feb 20, 2009	Multiple cross-site scripting (XSS) vulnerabilities in Swiki 1.5 allow remote attackers to inject arbitrary web script or HTML via (1) the query string and (2) a new wiki entry.
CVE-2008-6174	Jetbox Jetbox CMS	0.03	—	0.00	Feb 19, 2009	Cross-site scripting (XSS) vulnerability in admin/postlister/index.php in Jetbox CMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the liste parameter.
CVE-2008-6173	Clip Share Clipshare	0.03	—	0.00	Feb 19, 2009	Cross-site scripting (XSS) vulnerability in fullscreen.php in ClipShare Pro 4.0 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
CVE-2008-6168	Miniportail Miniportail	0.03	—	0.03	Feb 19, 2009	Cross-site scripting (XSS) vulnerability in search.php in miniPortail 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified argument, probably the search string.
CVE-2009-0594	Apmuthu Phpskelsite	0.03	—	0.04	Feb 16, 2009	Cross-site scripting (XSS) vulnerability in index.php in phpSkelSite 1.4 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2009-0573	Fotoware Fotoweb	0.03	—	0.01	Feb 13, 2009	Multiple cross-site scripting (XSS) vulnerabilities in FotoWeb 6.0 (Build 273) allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to cmdrequest/Login.fwx and the (2) search parameter to Grid.fwx.
CVE-2009-0529	Electrictoad Snippetmaster Webpage Editor	0.03	—	0.04	Feb 11, 2009	Cross-site scripting (XSS) vulnerability in index.php in SnippetMaster Webpage Editor 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the language parameter.
CVE-2009-0526	Adaptcms Adaptcms	0.03	—	0.04	Feb 11, 2009	Multiple cross-site scripting (XSS) vulnerabilities in index.php in AdaptCMS Lite 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) url and (2) acuparam parameters, and (3) the URI.
CVE-2009-0455	Glfusion Glfusion	0.03	—	0.02	Feb 11, 2009	Cross-site scripting (XSS) vulnerability in the anonymous comments feature in lib-comment.php in glFusion 1.1.0, 1.1.1, and earlier versions allows remote attackers to inject arbitrary web script or HTML via the username parameter to comment.php.
CVE-2009-0467	Armorlogic Profense Web Application Firewall	0.03	—	0.04	Feb 10, 2009	Cross-site scripting (XSS) vulnerability in proxy.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allows remote attackers to inject arbitrary web script or HTML via the proxy parameter in a deny_log manage action.
CVE-2008-6097	Wikyblog Wikyblog	0.03	—	0.00	Feb 9, 2009	Multiple cross-site scripting (XSS) vulnerabilities in WikyBlog before 1.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to index.php/Special/Main/keywordSearch, (2) revNum parameter to index.php/Edit/Main/Home, (3) to parameter to index.php/Special/Main/WhatLinksHere, (4) user parameter to index.php/Special/Main/UserEdits, and (5) the PATH_INFO to index.php.
CVE-2008-6094	Celoxis Celoxis	0.03	—	0.01	Feb 9, 2009	Cross-site scripting (XSS) vulnerability in user.do in Celoxis Technologies Celoxis allows remote attackers to inject arbitrary web script or HTML via the ni.smessage parameter.

CVE-2009-0710Feb 23, 2009
Phpfootball
Phpfootball
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the user parameter to login.php or (2) the dbfield parameter to filter.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-0699Feb 23, 2009
Plunet
Business Manager
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemeinauftrag.jsp in Plunet BusinessManager 4.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the (1) QUB and (2) Bez74 parameters.
CVE-2008-6217Feb 20, 2009
Extrakt
Extrakt Framework
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in Extrakt Framework 0.7 allows remote attackers to inject arbitrary web script or HTML via the plugins[file][id] parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6215Feb 20, 2009
Bookingcentre
Booking System For Hotels Group
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in cadena_ofertas_ext.php in Venalsur Booking Centre Booking System for Hotels Group allows remote attackers to inject arbitrary web script or HTML via the OfertaID parameter.
CVE-2008-6164Feb 20, 2009
Dreamcost
Hostadmin
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in DreamCost HostAdmin 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2008-6212Feb 20, 2009
Php Stats
Phpstats
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in admin.php in Php-Stats 0.1.9.1 allows remote attackers to inject arbitrary web script or HTML via the (1) sel_mese and (2) sel_anno parameters in a systems action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6211Feb 20, 2009
Mcgallery
Mcgallery
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in PhpForums.net mcGallery 1.1 allow remote attackers to inject arbitrary web script or HTML via the lang parameter to (1) admin.php, (2) index.php, (3) sess.php, (4) stats.php, (5) detail.php, (6) resize.php, and (7) show.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6205Feb 20, 2009
Xaaaaav38
Urlstreet
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in seeurl.php in Xavier Flahaut URLStreet 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) language, (2) order, and (3) filter parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6200Feb 20, 2009
Dokuwiki
Swiki
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Swiki 1.5 allow remote attackers to inject arbitrary web script or HTML via (1) the query string and (2) a new wiki entry.
CVE-2008-6174Feb 19, 2009
Jetbox
Jetbox CMS
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in admin/postlister/index.php in Jetbox CMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the liste parameter.
CVE-2008-6173Feb 19, 2009
Clip Share
Clipshare
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in fullscreen.php in ClipShare Pro 4.0 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
CVE-2008-6168Feb 19, 2009
Miniportail
Miniportail
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in search.php in miniPortail 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified argument, probably the search string.
CVE-2009-0594Feb 16, 2009
Apmuthu
Phpskelsite
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in index.php in phpSkelSite 1.4 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2009-0573Feb 13, 2009
Fotoware
Fotoweb
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in FotoWeb 6.0 (Build 273) allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to cmdrequest/Login.fwx and the (2) search parameter to Grid.fwx.
CVE-2009-0529Feb 11, 2009
Electrictoad
Snippetmaster Webpage Editor
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in index.php in SnippetMaster Webpage Editor 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the language parameter.
CVE-2009-0526Feb 11, 2009
Adaptcms
Adaptcms
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in index.php in AdaptCMS Lite 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) url and (2) acuparam parameters, and (3) the URI.
CVE-2009-0455Feb 11, 2009
Glfusion
Glfusion
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the anonymous comments feature in lib-comment.php in glFusion 1.1.0, 1.1.1, and earlier versions allows remote attackers to inject arbitrary web script or HTML via the username parameter to comment.php.
CVE-2009-0467Feb 10, 2009
Armorlogic
Profense Web Application Firewall
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in proxy.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allows remote attackers to inject arbitrary web script or HTML via the proxy parameter in a deny_log manage action.
CVE-2008-6097Feb 9, 2009
Wikyblog
Wikyblog
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in WikyBlog before 1.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to index.php/Special/Main/keywordSearch, (2) revNum parameter to index.php/Edit/Main/Home, (3) to parameter to index.php/Special/Main/WhatLinksHere, (4) user parameter to index.php/Special/Main/UserEdits, and (5) the PATH_INFO to index.php.
CVE-2008-6094Feb 9, 2009
Celoxis
Celoxis
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in user.do in Celoxis Technologies Celoxis allows remote attackers to inject arbitrary web script or HTML via the ni.smessage parameter.