CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,297)

page 713 of 965

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-4803	Simplephpscripts Gallery	0.03	—	0.00	Oct 31, 2008	Cross-site scripting (XSS) vulnerability in index.php in Simple PHP Scripts gallery 0.1, 0.3, and 0.4 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4774	Questwork Questcms	0.03	—	0.03	Oct 28, 2008	Cross-site scripting (XSS) vulnerability in main/main.php in QuestCMS allows remote attackers to inject arbitrary web script or HTML via the cx parameter.
CVE-2008-4761	Kayako Esupport	0.03	—	0.01	Oct 28, 2008	Cross-site scripting (XSS) vulnerability in includes/htmlArea/plugins/HtmlTidy/html-tidy-logic.php in Kayako eSupport 3.20.2 allows remote attackers to inject arbitrary web script or HTML via the jsMakeSrc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this issue is probably in the HTMLArea HTMLTidy (HTML Tidy) plugin, not eSupport.
CVE-2008-4756	Php Daily PHP Daily	0.03	—	0.03	Oct 28, 2008	Cross-site scripting (XSS) vulnerability in add_prest_date.php in PHP-Daily allows remote attackers to inject arbitrary web script or HTML via the date parameter.
CVE-2008-4751	Epistream Ipei Guestbook	0.03	—	0.06	Oct 27, 2008	Cross-site scripting (XSS) vulnerability in index.php in iPei Guestbook 2.0 allows remote attackers to inject arbitrary web script or HTML via the pg parameter, a different vector than CVE-2005-4597.
CVE-2008-4742	Timetrex Timetrex	0.03	—	0.00	Oct 27, 2008	Multiple cross-site scripting (XSS) vulnerabilities in interface/Login.php in TimeTrex 2.2.11 allow remote attackers to inject arbitrary web script or HTML via the (1) password and (2) user_name parameters.
CVE-2008-4737	—	0.03	—	0.01	Oct 24, 2008	Cross-site scripting (XSS) vulnerability in wholite.cgi in WhoDomLite 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the dom parameter.
CVE-2008-4727	Ellucian Banner Student	0.03	—	0.06	Oct 24, 2008	Cross-site scripting (XSS) vulnerability in the contact update page (ss/bwgkoemr.P_UpdateEmrgContacts) in SunGard Banner Student 7.3 allows remote attackers to inject arbitrary web script or HTML via the addr1 parameter. NOTE: this might be resultant from a CSRF vulnerability, but there are insufficient details to be sure.
CVE-2008-4672	Goodlyrics Lyrics Script	0.03	—	0.00	Oct 22, 2008	Cross-site scripting (XSS) vulnerability in search_results.php in buymyscripts Lyrics Script allows remote attackers to inject arbitrary web script or HTML via the k parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4671	WordPress Wordpress Mu	0.03	—	0.01	Oct 22, 2008	Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address parameters.
CVE-2008-4670	Ed Putal Clickbank Portal	0.03	—	0.00	Oct 22, 2008	Cross-site scripting (XSS) vulnerability in search.php in Ed Pudol Clickbank Portal allows remote attackers to inject arbitrary web script or HTML via the search box. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4669	Recipescript Recipe Script	0.03	—	0.00	Oct 22, 2008	Cross-site scripting (XSS) vulnerability in search.php in Dan Fletcher Recipe Script allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4648	Elxis Elxis CMS	0.03	—	0.03	Oct 22, 2008	Cross-site scripting (XSS) vulnerability in index.php in Elxis CMS 2008.1 revision 2204 allows remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO or the (2) option, (3) Itemid, (4) id, (5) task, (6) bid, and (7) contact_id parameters. NOTE: the error might be located in modules/mod_language.php, and index.php might be the interaction point.
CVE-2008-4601	Habari CMS	0.03	—	0.03	Oct 18, 2008	Cross-site scripting (XSS) vulnerability in the login feature in Habari CMS 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the habari_username parameter.
CVE-2008-4591	Phpwebgallery Phpwebgallery	0.03	—	0.03	Oct 16, 2008	Multiple cross-site scripting (XSS) vulnerabilities in admin/include/isadmin.inc.php in PhpWebGallery 1.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) lang[access_forbiden] and (2) lang[ident_title] parameters.
CVE-2008-4020	Microsoft Office	0.03	—	0.31	Oct 15, 2008	Cross-site scripting (XSS) vulnerability in Microsoft Office XP SP3 allows remote attackers to inject arbitrary web script or HTML via a document that contains a "Content-Disposition: attachment" header and is accessed through a cdo: URL, which renders the content instead of raising a File Download dialog box, aka "Vulnerability in Content-Disposition Header Vulnerability."
CVE-2008-4532	Maxiscript Website Directory	0.03	—	0.03	Oct 9, 2008	Cross-site scripting (XSS) vulnerability in index.php in MaxiScript Website Directory allows remote attackers to inject arbitrary web script or HTML via the keyword parameter in a search action.
CVE-2008-4393	Verisign Kontiki Delivery Management System	0.03	—	0.01	Oct 7, 2008	Cross-site scripting (XSS) vulnerability in VeriSign Kontiki Delivery Management System (DMS) 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to zodiac/servlet/zodiac.
CVE-2008-4447	Positive Software H Sphere	0.03	—	0.02	Oct 6, 2008	Cross-site scripting (XSS) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to inject arbitrary web script or HTML via (1) the fn parameter during a dload action, (2) the mask parameter during a search action, and (3) the tab parameter during a sysinfo action.
CVE-2008-4438	Datafeed Studio Datafeed Studio	0.03	—	0.00	Oct 3, 2008	Cross-site scripting (XSS) vulnerability in search.php in Datafeed Studio 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVE-2008-4803Oct 31, 2008
Simplephpscripts
Gallery
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in Simple PHP Scripts gallery 0.1, 0.3, and 0.4 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4774Oct 28, 2008
Questwork
Questcms
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in main/main.php in QuestCMS allows remote attackers to inject arbitrary web script or HTML via the cx parameter.
CVE-2008-4761Oct 28, 2008
Kayako
Esupport
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in includes/htmlArea/plugins/HtmlTidy/html-tidy-logic.php in Kayako eSupport 3.20.2 allows remote attackers to inject arbitrary web script or HTML via the jsMakeSrc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this issue is probably in the HTMLArea HTMLTidy (HTML Tidy) plugin, not eSupport.
CVE-2008-4756Oct 28, 2008
Php Daily
PHP Daily
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in add_prest_date.php in PHP-Daily allows remote attackers to inject arbitrary web script or HTML via the date parameter.
CVE-2008-4751Oct 27, 2008
Epistream
Ipei Guestbook
risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in index.php in iPei Guestbook 2.0 allows remote attackers to inject arbitrary web script or HTML via the pg parameter, a different vector than CVE-2005-4597.
CVE-2008-4742Oct 27, 2008
Timetrex
Timetrex
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in interface/Login.php in TimeTrex 2.2.11 allow remote attackers to inject arbitrary web script or HTML via the (1) password and (2) user_name parameters.
CVE-2008-4737Oct 24, 2008
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in wholite.cgi in WhoDomLite 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the dom parameter.
CVE-2008-4727Oct 24, 2008
Ellucian
Banner Student
risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in the contact update page (ss/bwgkoemr.P_UpdateEmrgContacts) in SunGard Banner Student 7.3 allows remote attackers to inject arbitrary web script or HTML via the addr1 parameter. NOTE: this might be resultant from a CSRF vulnerability, but there are insufficient details to be sure.
CVE-2008-4672Oct 22, 2008
Goodlyrics
Lyrics Script
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in search_results.php in buymyscripts Lyrics Script allows remote attackers to inject arbitrary web script or HTML via the k parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4671Oct 22, 2008
WordPress
Wordpress Mu
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address parameters.
CVE-2008-4670Oct 22, 2008
Ed Putal
Clickbank Portal
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in search.php in Ed Pudol Clickbank Portal allows remote attackers to inject arbitrary web script or HTML via the search box. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4669Oct 22, 2008
Recipescript
Recipe Script
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in search.php in Dan Fletcher Recipe Script allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4648Oct 22, 2008
Elxis
Elxis CMS
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in index.php in Elxis CMS 2008.1 revision 2204 allows remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO or the (2) option, (3) Itemid, (4) id, (5) task, (6) bid, and (7) contact_id parameters. NOTE: the error might be located in modules/mod_language.php, and index.php might be the interaction point.
CVE-2008-4601Oct 18, 2008
Habari
CMS
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the login feature in Habari CMS 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the habari_username parameter.
CVE-2008-4591Oct 16, 2008
Phpwebgallery
Phpwebgallery
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in admin/include/isadmin.inc.php in PhpWebGallery 1.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) lang[access_forbiden] and (2) lang[ident_title] parameters.
CVE-2008-4020Oct 15, 2008
Microsoft
Office
risk 0.03cvss —epss 0.31
Cross-site scripting (XSS) vulnerability in Microsoft Office XP SP3 allows remote attackers to inject arbitrary web script or HTML via a document that contains a "Content-Disposition: attachment" header and is accessed through a cdo: URL, which renders the content instead of raising a File Download dialog box, aka "Vulnerability in Content-Disposition Header Vulnerability."
CVE-2008-4532Oct 9, 2008
Maxiscript
Website Directory
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in index.php in MaxiScript Website Directory allows remote attackers to inject arbitrary web script or HTML via the keyword parameter in a search action.
CVE-2008-4393Oct 7, 2008
Verisign
Kontiki Delivery Management System
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in VeriSign Kontiki Delivery Management System (DMS) 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to zodiac/servlet/zodiac.
CVE-2008-4447Oct 6, 2008
Positive Software
H Sphere
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in actions.php in Positive Software H-Sphere WebShell 4.3.10 allows remote attackers to inject arbitrary web script or HTML via (1) the fn parameter during a dload action, (2) the mask parameter during a search action, and (3) the tab parameter during a sysinfo action.
CVE-2008-4438Oct 3, 2008
Datafeed Studio
Datafeed Studio
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in search.php in Datafeed Studio 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.