CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,270)

page 718 of 964

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-2398	Appserv Open Project Appserv	0.03	—	0.01	May 21, 2008	Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
CVE-2008-2295	Rgboard Rgboard	0.03	—	0.03	May 18, 2008	Cross-site scripting (XSS) vulnerability in rg_search.php in Rgboard 3.0.12, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the s_text parameter and other unspecified vectors.
CVE-2008-2264	Oued Cyrixmed	0.03	—	0.00	May 16, 2008	Cross-site scripting (XSS) vulnerability in index.php in CyrixMED 1.4 allows remote attackers to inject arbitrary web script or HTML via the msg_erreur parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-2219	C News.fr C News	0.03	—	0.00	May 14, 2008	Cross-site scripting (XSS) vulnerability in install.php in C-News.fr C-News 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the etape parameter.
CVE-2008-2196	Lifetype Lifetype	0.03	—	0.00	May 14, 2008	Cross-site scripting (XSS) vulnerability in admin.php in LifeType 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the newBlogUserName parameter in an addBlogUser action, a different vector than CVE-2008-2178.
CVE-2008-2202	Maianscriptworld Maian Uploader	0.03	—	0.00	May 14, 2008	Multiple cross-site scripting (XSS) vulnerabilities in Maian Uploader 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) keywords parameter to upload/admin/index.php in a search action, the (2) msg_charset and (3) msg_header9 parameters to admin/inc/header.php, and the (4) keywords parameter to index.php in a search action.
CVE-2008-2181	Cplinks Cplinks	0.03	—	0.04	May 13, 2008	Multiple cross-site scripting (XSS) vulnerabilities in search.php in cpLinks 1.03 allow remote attackers to inject arbitrary web script or HTML via the (1) search_text and (2) search_category parameters. NOTE: the XSS reportedly occurs in a forced SQL error message. NOTE: some of these details are obtained from third party information.
CVE-2008-2188	Eejj33 Blackbook	0.03	—	0.00	May 13, 2008	Multiple cross-site scripting (XSS) vulnerabilities in EJ3 BlackBook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) bookCopyright and (2) ver parameters to (a) footer.php, and the (3) bookName, (4) bookMetaTags, and (5) estiloCSS parameters to (b) header.php.
CVE-2008-2187	Mdsjack Mjguest	0.03	—	0.01	May 13, 2008	Cross-site scripting (XSS) vulnerability in mjguest.php in Mjguest 6.7 GT Rev.01 allows remote attackers to inject arbitrary web script or HTML via the level parameter in a redirect action, possibly involving interface/redirect.htm.php.
CVE-2008-2167	Zyxel Zywall 100	0.03	—	0.05	May 13, 2008	Cross-site scripting (XSS) vulnerability in ZyXEL ZyWALL 100 allows remote attackers to inject arbitrary web script or HTML via the Referer header, which is not properly handled in a 404 Error page.
CVE-2008-2162	SonicWall Email Security	0.03	—	0.00	May 12, 2008	Cross-site scripting (XSS) vulnerability in SonicWall Email Security 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the Host header in a request to a non-existent web page, which is not properly sanitized in an error page.
CVE-2008-2070	CPanel Cpanel	0.03	—	0.01	May 12, 2008	The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.
CVE-2008-2126	Tux Cms Tux CMS	0.03	—	0.00	May 9, 2008	Multiple cross-site scripting (XSS) vulnerabilities in Tux CMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to index.php and the (2) returnURL parameter to tux-login.php.
CVE-2008-2127	Cms Faethon CMS Faethon	0.03	—	0.04	May 9, 2008	Cross-site scripting (XSS) vulnerability in search.php in CMS Faethon 2.2 Ultimate allows remote attackers to inject arbitrary web script or HTML via the what parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-2115	Scriptsez Power Editor	0.03	—	0.04	May 8, 2008	Multiple cross-site scripting (XSS) vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) te and (2) dir parameters in a tempedit action.
CVE-2008-2117	Project Alumni Project Alumni	0.03	—	0.01	May 8, 2008	Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Project Alumni 1.0.9 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a news action to index.php, a different vector than CVE-2007-6126.
CVE-2008-2082	Siteman Siteman	0.03	—	0.03	May 5, 2008	Cross-site scripting (XSS) vulnerability in index.php in Siteman 2.0.x2 allows remote attackers to inject arbitrary web script or HTML via the module parameter, which leaks the path in an error message.
CVE-2008-2048	Aspindir Angelo Emlak	0.03	—	0.04	May 1, 2008	Cross-site scripting (XSS) vulnerability in hpz/admin/Default.asp in Angelo-Emlak 1.0 allows remote attackers to inject arbitrary web script or HTML via the sayfa parameter.
CVE-2008-2046	Softpedia Sitexs CMS	0.03	—	0.00	May 1, 2008	Cross-site scripting (XSS) vulnerability in index.php in Softpedia SiteXS CMS 0.1.1 Pre-Alpha allows remote attackers to inject arbitrary web script or HTML via the user parameter.
CVE-2008-2037	Editeurscripts Escontacts	0.03	—	0.00	Apr 30, 2008	Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php.

CVE-2008-2398May 21, 2008
Appserv Open Project
Appserv
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
CVE-2008-2295May 18, 2008
Rgboard
Rgboard
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in rg_search.php in Rgboard 3.0.12, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the s_text parameter and other unspecified vectors.
CVE-2008-2264May 16, 2008
Oued
Cyrixmed
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in CyrixMED 1.4 allows remote attackers to inject arbitrary web script or HTML via the msg_erreur parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-2219May 14, 2008
C News.fr
C News
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in install.php in C-News.fr C-News 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the etape parameter.
CVE-2008-2196May 14, 2008
Lifetype
Lifetype
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in admin.php in LifeType 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the newBlogUserName parameter in an addBlogUser action, a different vector than CVE-2008-2178.
CVE-2008-2202May 14, 2008
Maianscriptworld
Maian Uploader
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Maian Uploader 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) keywords parameter to upload/admin/index.php in a search action, the (2) msg_charset and (3) msg_header9 parameters to admin/inc/header.php, and the (4) keywords parameter to index.php in a search action.
CVE-2008-2181May 13, 2008
Cplinks
Cplinks
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in search.php in cpLinks 1.03 allow remote attackers to inject arbitrary web script or HTML via the (1) search_text and (2) search_category parameters. NOTE: the XSS reportedly occurs in a forced SQL error message. NOTE: some of these details are obtained from third party information.
CVE-2008-2188May 13, 2008
Eejj33
Blackbook
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in EJ3 BlackBook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) bookCopyright and (2) ver parameters to (a) footer.php, and the (3) bookName, (4) bookMetaTags, and (5) estiloCSS parameters to (b) header.php.
CVE-2008-2187May 13, 2008
Mdsjack
Mjguest
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in mjguest.php in Mjguest 6.7 GT Rev.01 allows remote attackers to inject arbitrary web script or HTML via the level parameter in a redirect action, possibly involving interface/redirect.htm.php.
CVE-2008-2167May 13, 2008
Zyxel
Zywall 100
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in ZyXEL ZyWALL 100 allows remote attackers to inject arbitrary web script or HTML via the Referer header, which is not properly handled in a 404 Error page.
CVE-2008-2162May 12, 2008
SonicWall
Email Security
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in SonicWall Email Security 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the Host header in a request to a non-existent web page, which is not properly sanitized in an error page.
CVE-2008-2070May 12, 2008
CPanel
Cpanel
risk 0.03cvss —epss 0.01
The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.
CVE-2008-2126May 9, 2008
Tux Cms
Tux CMS
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in Tux CMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to index.php and the (2) returnURL parameter to tux-login.php.
CVE-2008-2127May 9, 2008
Cms Faethon
CMS Faethon
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in search.php in CMS Faethon 2.2 Ultimate allows remote attackers to inject arbitrary web script or HTML via the what parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-2115May 8, 2008
Scriptsez
Power Editor
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) te and (2) dir parameters in a tempedit action.
CVE-2008-2117May 8, 2008
Project Alumni
Project Alumni
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Project Alumni 1.0.9 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a news action to index.php, a different vector than CVE-2007-6126.
CVE-2008-2082May 5, 2008
Siteman
Siteman
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in index.php in Siteman 2.0.x2 allows remote attackers to inject arbitrary web script or HTML via the module parameter, which leaks the path in an error message.
CVE-2008-2048May 1, 2008
Aspindir
Angelo Emlak
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in hpz/admin/Default.asp in Angelo-Emlak 1.0 allows remote attackers to inject arbitrary web script or HTML via the sayfa parameter.
CVE-2008-2046May 1, 2008
Softpedia
Sitexs CMS
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in Softpedia SiteXS CMS 0.1.1 Pre-Alpha allows remote attackers to inject arbitrary web script or HTML via the user parameter.
CVE-2008-2037Apr 30, 2008
Editeurscripts
Escontacts
risk 0.03cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php.