CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,270)

page 723 of 964

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-0258	Php Running Management Phprunman	0.03	—	0.01	Jan 15, 2008	Cross-site scripting (XSS) vulnerability in index.php in PHP Running Management (phpRunMan) before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2008-0123	Moodle Moodle	0.03	—	0.01	Jan 12, 2008	Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8.3, and possibly other versions before 1.8.4, allows remote attackers to inject arbitrary web script or HTML via the dbname parameter. NOTE: this issue only exists until the installation is complete.
CVE-2008-0218	Merak Icewarp Mail Server	0.03	—	0.00	Jan 10, 2008	Cross-site scripting (XSS) vulnerability in admin/index.html in Merak IceWarp Mail Server allows remote attackers to inject arbitrary web script or HTML via the message parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-0207	Pro Search Pro Search	0.03	—	0.01	Jan 10, 2008	Multiple cross-site scripting (XSS) vulnerabilities in PRO-Search 0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prot, (2) host, (3) path, (4) name, (5) ext, (6) size, (7) search_days, or (8) show_page parameter to the default URI.
CVE-2008-0192	WordPress WordPress	0.03	—	0.02	Jan 10, 2008	Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php.
CVE-2008-0190	Awesometemplateengine Awesometemplateengine	0.03	—	0.01	Jan 10, 2008	Multiple cross-site scripting (XSS) vulnerabilities in templates/example_template.php in AwesomeTemplateEngine allow remote attackers to inject arbitrary web script or HTML via the (1) data[title], (2) data[message], (3) data[table][1][item], (4) data[table][1][url], or (5) data[poweredby] parameter.
CVE-2008-0193	WordPress WordPress	0.03	—	0.02	Jan 10, 2008	Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php.
CVE-2008-0186	Phprisk Netrisk	0.03	—	0.03	Jan 9, 2008	Cross-site scripting (XSS) vulnerability in index.php in NetRisk 1.9.7 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter, possibly related to CVE-2008-0144.
CVE-2008-0155	Evilboard Evilboard	0.03	—	0.02	Jan 9, 2008	Cross-site scripting (XSS) vulnerability in index.php in EvilBoard 0.1a (Alpha) allows remote attackers to inject arbitrary web script or HTML via the c parameter.
CVE-2008-0146	Hughes Technologies W3 Msql	0.03	—	0.01	Jan 8, 2008	Cross-site scripting (XSS) vulnerability in the error page in W3-mSQL allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the top-level URI.
CVE-2007-6673	Makale Scripti Makale Scripti	0.03	—	0.02	Jan 8, 2008	Cross-site scripting (XSS) vulnerability in Makale Scripti allows remote attackers to inject arbitrary web script or HTML via the ara parameter to the default URI under Ara/ in a search action.
CVE-2007-6669	Phpcredo Phcdownload	0.03	—	0.02	Jan 8, 2008	Cross-site scripting (XSS) vulnerability in search.php in PHCDownload 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the string parameter.
CVE-2008-0092	Phpwebsite Phpwebsite	0.03	—	0.05	Jan 4, 2008	Cross-site scripting (XSS) vulnerability in index.php in the search module in Appalachian State University phpWebSite 1.4.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVE-2007-6646	Integry Systems Livecart	0.03	—	0.02	Jan 4, 2008	Multiple cross-site scripting (XSS) vulnerabilities in LiveCart 1.0.1, and possibly other versions before 1.1.0, allow remote attackers to inject arbitrary web script or HTML via (1) the return parameter to user/remindPassword, (2) the q parameter to the category script, (3) the return parameter to the order script, or (4) the email parameter to user/remindComplete.
CVE-2007-6641	Milliscripts Milliscripts	0.03	—	0.03	Jan 4, 2008	Cross-site scripting (XSS) vulnerability in dir.php in milliscripts Redirection allows remote attackers to inject arbitrary web script or HTML via the cat parameter in a browse action.
CVE-2007-6637	Adobe Inc. Flash Player	0.03	—	0.38	Jan 4, 2008	Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player allow remote attackers to inject arbitrary web script or HTML via a crafted SWF file, related to "pre-generated SWF files" and Adobe Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector is already covered by CVE-2007-6244.1.
CVE-2007-6633	Netbizcity Faqmasterflexplus	0.03	—	0.03	Jan 4, 2008	Multiple cross-site scripting (XSS) vulnerabilities in FAQMasterFlexPlus, possibly 1.5 or 1.52, allow remote attackers to inject arbitrary web script or HTML via (1) the cat_name parameter to faq.php; and unspecified parameters to the (2) add categories, (3) edit categories, (4) delete categories, (5) add faq, (6) edit faq, and (7) delete faq Admin scripts.
CVE-2007-6608	Openbiblio Openbiblio	0.03	—	0.03	Dec 31, 2007	Multiple cross-site scripting (XSS) vulnerabilities in OpenBiblio 0.5.2-pre4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) LAST and (2) FIRST parameters to admin/staff_del_confirm.php, (3) the name parameter to admin/theme_del_confirm.php, or (4) the themeName parameter to admin/theme_preview.php.
CVE-2007-6597	Iportalx Iportalx	0.03	—	0.04	Dec 31, 2007	Multiple cross-site scripting (XSS) vulnerabilities in IPortalX before Build 033 allow remote attackers to inject arbitrary web script or HTML via the (1) KW and (2) SF parameters to forum/login_user.asp, and (3) the Date parameter to blogs.asp.
CVE-2007-6574	Dokeos Open Source Learning And Knowledge Management Tool	0.03	—	0.01	Dec 28, 2007	Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the origin parameter to work/work.php in a display_upload_form action, or the forum parameter to (2) forum/viewforum.php or (3) forum/viewthread.php.

CVE-2008-0258Jan 15, 2008
Php Running Management
Phprunman
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in PHP Running Management (phpRunMan) before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
CVE-2008-0123Jan 12, 2008
Moodle
Moodle
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8.3, and possibly other versions before 1.8.4, allows remote attackers to inject arbitrary web script or HTML via the dbname parameter. NOTE: this issue only exists until the installation is complete.
CVE-2008-0218Jan 10, 2008
Merak
Icewarp Mail Server
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in admin/index.html in Merak IceWarp Mail Server allows remote attackers to inject arbitrary web script or HTML via the message parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-0207Jan 10, 2008
Pro Search
Pro Search
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in PRO-Search 0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prot, (2) host, (3) path, (4) name, (5) ext, (6) size, (7) search_days, or (8) show_page parameter to the default URI.
CVE-2008-0192Jan 10, 2008
WordPress
WordPress
risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php.
CVE-2008-0190Jan 10, 2008
Awesometemplateengine
Awesometemplateengine
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in templates/example_template.php in AwesomeTemplateEngine allow remote attackers to inject arbitrary web script or HTML via the (1) data[title], (2) data[message], (3) data[table][1][item], (4) data[table][1][url], or (5) data[poweredby] parameter.
CVE-2008-0193Jan 10, 2008
WordPress
WordPress
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php.
CVE-2008-0186Jan 9, 2008
Phprisk
Netrisk
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in index.php in NetRisk 1.9.7 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter, possibly related to CVE-2008-0144.
CVE-2008-0155Jan 9, 2008
Evilboard
Evilboard
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in EvilBoard 0.1a (Alpha) allows remote attackers to inject arbitrary web script or HTML via the c parameter.
CVE-2008-0146Jan 8, 2008
Hughes Technologies
W3 Msql
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the error page in W3-mSQL allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the top-level URI.
CVE-2007-6673Jan 8, 2008
Makale Scripti
Makale Scripti
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Makale Scripti allows remote attackers to inject arbitrary web script or HTML via the ara parameter to the default URI under Ara/ in a search action.
CVE-2007-6669Jan 8, 2008
Phpcredo
Phcdownload
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in search.php in PHCDownload 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the string parameter.
CVE-2008-0092Jan 4, 2008
Phpwebsite
Phpwebsite
risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in index.php in the search module in Appalachian State University phpWebSite 1.4.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVE-2007-6646Jan 4, 2008
Integry Systems
Livecart
risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in LiveCart 1.0.1, and possibly other versions before 1.1.0, allow remote attackers to inject arbitrary web script or HTML via (1) the return parameter to user/remindPassword, (2) the q parameter to the category script, (3) the return parameter to the order script, or (4) the email parameter to user/remindComplete.
CVE-2007-6641Jan 4, 2008
Milliscripts
Milliscripts
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in dir.php in milliscripts Redirection allows remote attackers to inject arbitrary web script or HTML via the cat parameter in a browse action.
CVE-2007-6637Jan 4, 2008
Adobe Inc.
Flash Player
risk 0.03cvss —epss 0.38
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player allow remote attackers to inject arbitrary web script or HTML via a crafted SWF file, related to "pre-generated SWF files" and Adobe Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector is already covered by CVE-2007-6244.1.
CVE-2007-6633Jan 4, 2008
Netbizcity
Faqmasterflexplus
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in FAQMasterFlexPlus, possibly 1.5 or 1.52, allow remote attackers to inject arbitrary web script or HTML via (1) the cat_name parameter to faq.php; and unspecified parameters to the (2) add categories, (3) edit categories, (4) delete categories, (5) add faq, (6) edit faq, and (7) delete faq Admin scripts.
CVE-2007-6608Dec 31, 2007
Openbiblio
Openbiblio
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in OpenBiblio 0.5.2-pre4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) LAST and (2) FIRST parameters to admin/staff_del_confirm.php, (3) the name parameter to admin/theme_del_confirm.php, or (4) the themeName parameter to admin/theme_preview.php.
CVE-2007-6597Dec 31, 2007
Iportalx
Iportalx
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in IPortalX before Build 033 allow remote attackers to inject arbitrary web script or HTML via the (1) KW and (2) SF parameters to forum/login_user.asp, and (3) the Date parameter to blogs.asp.
CVE-2007-6574Dec 28, 2007
Dokeos
Open Source Learning And Knowledge Management Tool
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the origin parameter to work/work.php in a display_upload_form action, or the forum parameter to (2) forum/viewforum.php or (3) forum/viewthread.php.