CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,297)

page 712 of 965

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-5290	Scripts4you Clean CMS	0.03	—	0.04	Dec 1, 2008	Cross-site scripting (XSS) vulnerability in full_txt.php in Werner Hilversum Clean CMS 1.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2008-5271	Syndeocms Syndeocms	0.03	—	0.04	Nov 28, 2008	Cross-site scripting (XSS) vulnerability in index.php in Fred Stuurman SyndeoCMS 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.
CVE-2008-5266	Sun Corporation Java System Application Server	0.03	—	0.01	Nov 28, 2008	Cross-site scripting (XSS) vulnerability in configuration/httpListenerEdit.jsf in the GlassFish 2 UR2 b04 webadmin interface in Sun Java System Application Server 9.1_01 build b09d-fcs and 9.1_02 build b04-fcs allows remote attackers to inject arbitrary web script or HTML via the name parameter, a different vector than CVE-2008-2751.
CVE-2008-5264	Tornado Tornado Knowledge Retrieval System	0.03	—	0.04	Nov 28, 2008	Cross-site scripting (XSS) vulnerability in searcher.exe in Tornado Knowledge Retrieval System 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the p parameter in a root action.
CVE-2008-5225	Xerox Docushare	0.03	—	0.04	Nov 25, 2008	Multiple cross-site scripting (XSS) vulnerabilities in Xerox DocuShare 6 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) SearchResults/ and (2) Services/ in dsdn/dsweb/, and (3) the default URI under unspecified docushare/dsweb/ServicesLib/Group-#/ directories.
CVE-2008-5214	Clanlite Clanlite	0.03	—	0.03	Nov 24, 2008	Cross-site scripting (XSS) vulnerability in service/calendrier.php in ClanLite 2.2006.05.20 allows remote attackers to inject arbitrary web script or HTML via the annee parameter.
CVE-2008-5211	Sphider Sphider	0.03	—	0.05	Nov 24, 2008	Cross-site scripting (XSS) vulnerability in search.php in Sphider 1.3.4, when the search suggestion feature is enabled, allows remote attackers to inject arbitrary web script or HTML via the query parameter, a different vector than CVE-2006-2506.
CVE-2008-5203	Poweraward Poweraward	0.03	—	0.02	Nov 21, 2008	Cross-site scripting (XSS) vulnerability in external_vote.php in PowerAward 1.1.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the l_vote_done parameter.
CVE-2008-5202	Otmanager Otmanager CMS	0.03	—	0.03	Nov 21, 2008	Cross-site scripting (XSS) vulnerability in index.php in OTManager CMS 24a allows remote attackers to inject arbitrary web script or HTML via the conteudo parameter.
CVE-2008-5193	Philboard Philboard	0.03	—	0.04	Nov 21, 2008	Cross-site scripting (XSS) vulnerability in search.asp in W1L3D4 Philboard 1.14 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the searchterms parameter. NOTE: this might overlap CVE-2007-4024.
CVE-2008-5164	Theratstudios The Rat CMS	0.03	—	0.01	Nov 19, 2008	Multiple cross-site scripting (XSS) vulnerabilities in The Rat CMS Pre-Alpha 2 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to (a) viewarticle.php and (b) viewarticle2.php and the (2) PATH_INFO to viewarticle.php.
CVE-2008-5126	Boutikone Boutikone CMS	0.03	—	0.04	Nov 18, 2008	Cross-site scripting (XSS) vulnerability in search.php in BoutikOne CMS allows remote attackers to inject arbitrary web script or HTML via the search_query parameter.
CVE-2008-5068	Kkeim Kmita Gallery	0.03	—	0.00	Nov 13, 2008	Multiple cross-site scripting (XSS) vulnerabilities in Kmita Gallery allow remote attackers to inject arbitrary web script or HTML via the (1) begin parameter to index.php and the (2) searchtext parameter to search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-5067	Kkeim Kmita Catalogue	0.03	—	0.00	Nov 13, 2008	Cross-site scripting (XSS) vulnerability in search.php in Kmita Catalogue 2.x allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-5059	Modernbill Modernbill	0.03	—	0.04	Nov 13, 2008	Cross-site scripting (XSS) vulnerability in index.php in ModernBill 4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via a Javascript event in the new_language parameter in a login action.
CVE-2008-5039	PHP-Nuke League Module	0.03	—	0.02	Nov 12, 2008	Cross-site scripting (XSS) vulnerability in the League module for PHP-Nuke, possibly 2.4, allows remote attackers to inject arbitrary web script or HTML via the tid parameter in a team action to modules.php.
CVE-2008-4931	Firmchannel Digital Signage	0.03	—	0.02	Nov 5, 2008	Cross-site scripting (XSS) vulnerability in the account module in firmCHANNEL Digital Signage 3.24, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the action parameter to index.php.
CVE-2008-4896	Logz Logz	0.03	—	0.00	Nov 4, 2008	Cross-site scripting (XSS) vulnerability in fichiers/add_url.php in Logz CMS 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the art parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4893	Tribiq Tribiq CMS	0.03	—	0.00	Nov 4, 2008	Cross-site scripting (XSS) vulnerability in templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php in Tribiq CMS 5.0.10a, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the template_path parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4888	Netrisk Netrisk	0.03	—	0.06	Nov 4, 2008	Cross-site scripting (XSS) vulnerability in error.php in NetRisk 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter to index.php. NOTE: some of these details are obtained from third party information.

CVE-2008-5290Dec 1, 2008
Scripts4you
Clean CMS
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in full_txt.php in Werner Hilversum Clean CMS 1.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2008-5271Nov 28, 2008
Syndeocms
Syndeocms
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in index.php in Fred Stuurman SyndeoCMS 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.
CVE-2008-5266Nov 28, 2008
Sun Corporation
Java System Application Server
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in configuration/httpListenerEdit.jsf in the GlassFish 2 UR2 b04 webadmin interface in Sun Java System Application Server 9.1_01 build b09d-fcs and 9.1_02 build b04-fcs allows remote attackers to inject arbitrary web script or HTML via the name parameter, a different vector than CVE-2008-2751.
CVE-2008-5264Nov 28, 2008
Tornado
Tornado Knowledge Retrieval System
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in searcher.exe in Tornado Knowledge Retrieval System 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the p parameter in a root action.
CVE-2008-5225Nov 25, 2008
Xerox
Docushare
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in Xerox DocuShare 6 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) SearchResults/ and (2) Services/ in dsdn/dsweb/, and (3) the default URI under unspecified docushare/dsweb/ServicesLib/Group-#/ directories.
CVE-2008-5214Nov 24, 2008
Clanlite
Clanlite
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in service/calendrier.php in ClanLite 2.2006.05.20 allows remote attackers to inject arbitrary web script or HTML via the annee parameter.
CVE-2008-5211Nov 24, 2008
Sphider
Sphider
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in search.php in Sphider 1.3.4, when the search suggestion feature is enabled, allows remote attackers to inject arbitrary web script or HTML via the query parameter, a different vector than CVE-2006-2506.
CVE-2008-5203Nov 21, 2008
Poweraward
Poweraward
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in external_vote.php in PowerAward 1.1.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the l_vote_done parameter.
CVE-2008-5202Nov 21, 2008
Otmanager
Otmanager CMS
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in index.php in OTManager CMS 24a allows remote attackers to inject arbitrary web script or HTML via the conteudo parameter.
CVE-2008-5193Nov 21, 2008
Philboard
Philboard
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in search.asp in W1L3D4 Philboard 1.14 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the searchterms parameter. NOTE: this might overlap CVE-2007-4024.
CVE-2008-5164Nov 19, 2008
Theratstudios
The Rat CMS
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in The Rat CMS Pre-Alpha 2 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to (a) viewarticle.php and (b) viewarticle2.php and the (2) PATH_INFO to viewarticle.php.
CVE-2008-5126Nov 18, 2008
Boutikone
Boutikone CMS
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in search.php in BoutikOne CMS allows remote attackers to inject arbitrary web script or HTML via the search_query parameter.
CVE-2008-5068Nov 13, 2008
Kkeim
Kmita Gallery
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Kmita Gallery allow remote attackers to inject arbitrary web script or HTML via the (1) begin parameter to index.php and the (2) searchtext parameter to search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-5067Nov 13, 2008
Kkeim
Kmita Catalogue
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in search.php in Kmita Catalogue 2.x allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-5059Nov 13, 2008
Modernbill
Modernbill
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in index.php in ModernBill 4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via a Javascript event in the new_language parameter in a login action.
CVE-2008-5039Nov 12, 2008
PHP-Nuke
League Module
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the League module for PHP-Nuke, possibly 2.4, allows remote attackers to inject arbitrary web script or HTML via the tid parameter in a team action to modules.php.
CVE-2008-4931Nov 5, 2008
Firmchannel
Digital Signage
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the account module in firmCHANNEL Digital Signage 3.24, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the action parameter to index.php.
CVE-2008-4896Nov 4, 2008
Logz
Logz
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in fichiers/add_url.php in Logz CMS 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the art parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4893Nov 4, 2008
Tribiq
Tribiq CMS
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php in Tribiq CMS 5.0.10a, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the template_path parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4888Nov 4, 2008
Netrisk
Netrisk
risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in error.php in NetRisk 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter to index.php. NOTE: some of these details are obtained from third party information.