CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,270)

page 725 of 964

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2007-3694	Getmiro Broadcast Machine	0.03	—	0.02	Nov 14, 2007	Cross-site scripting (XSS) vulnerability in login.php in Miro Project Broadcast Machine 0.9.9.9 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
CVE-2007-5944	IBM Websphere Application Server	0.03	—	0.03	Nov 14, 2007	Cross-site scripting (XSS) vulnerability in Servlet Engine / Web Container in IBM WebSphere Application Server (WAS) 5.1.1.4 through 5.1.1.16 allows remote attackers to inject arbitrary web script or HTML via the Expect HTTP header. NOTE: this might be the same issue as CVE-2006-3918, but there are insufficient details to be sure.
CVE-2007-5952	Helioscalendar Helios Calendar	0.03	—	0.02	Nov 14, 2007	Cross-site scripting (XSS) vulnerability in admin/index.php in Helios Calendar 1.2.1 Beta allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-5923	Broadcom Corporation Etrust Siteminder	0.03	—	0.01	Nov 10, 2007	Cross-site scripting (XSS) vulnerability in forms/smpwservices.fcc in CA (formerly Computer Associates) eTrust SiteMinder Agent allows remote attackers to inject arbitrary web script or HTML via the SMAUTHREASON parameter, a different vector than CVE-2005-2204.
CVE-2007-5796	Symantec Proxysg Firmware	0.03	—	0.00	Nov 3, 2007	Cross-site scripting (XSS) vulnerability in the management console in Blue Coat ProxySG before 4.2.6.1, and 5.x before 5.2.2.5, allows remote attackers to inject arbitrary web script or HTML by modifying the URL that is used for loading Certificate Revocation Lists.
CVE-2007-4862	Quirm Saxon	0.03	—	0.03	Oct 30, 2007	Cross-site scripting (XSS) vulnerability in admin/menu.php in SAXON 5.4 allows remote attackers to inject arbitrary web script or HTML via the config[news_url] parameter.
CVE-2007-5728	Phppgadmin Phppgadmin	0.03	—	0.01	Oct 30, 2007	Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865.
CVE-2007-5725	Smart Shop Smart Shop	0.03	—	0.01	Oct 30, 2007	Multiple cross-site scripting (XSS) vulnerabilities in Smart-Shop allow remote attackers to inject arbitrary web script or HTML via (1) the email parameter to index.php; or the command parameter to index.php in (2) the default action for the home page, (3) a currencies action, or (4) a basket action.
CVE-2007-5724	Omnistar Interactive Omnistar Live	0.03	—	0.03	Oct 30, 2007	Multiple cross-site scripting (XSS) vulnerabilities in Omnistar Live allow remote attackers to inject arbitrary web script or HTML via (1) the category_id parameter to users/kb.php, and possibly (3) the Email Box field in profile.php.
CVE-2007-5710	WordPress WordPress	0.03	—	0.03	Oct 30, 2007	Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter.
CVE-2007-5692	Sitebar Sitebar	0.03	—	0.06	Oct 29, 2007	Multiple cross-site scripting (XSS) vulnerabilities in SiteBar 3.3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the lang parameter to integrator.php; (2) the token parameter in a New Password action, (3) the nid_acl parameter in a Folder Properties action, or (4) the uid parameter in a Modify User action to command.php; or (5) the target parameter to index.php, different vectors than CVE-2006-3320.
CVE-2007-5677	Hackish Hackish	0.03	—	0.01	Oct 24, 2007	Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hackish BETA 1.1 allows remote attackers to inject arbitrary web script or HTML via the go_shout parameter.
CVE-2007-5648	Rnote Rnote	0.03	—	0.01	Oct 23, 2007	Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rNote 0.9.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) d or the (2) u parameter.
CVE-2007-5647	Socketkb Socketkb	0.03	—	0.02	Oct 23, 2007	Multiple cross-site scripting (XSS) vulnerabilities in SocketKB 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) art_id or (2) node parameter in an article action to the default URI.
CVE-2007-5649	Socketmail Socketmail	0.03	—	0.02	Oct 23, 2007	Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Digital Resources SocketMail 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the lost_id parameter.
CVE-2007-5625	Simongibson Asp Site Search Searchsimon Lite	0.03	—	0.06	Oct 23, 2007	Cross-site scripting (XSS) vulnerability in filename.asp in ASP Site Search SearchSimon Lite 1.0 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter.
CVE-2007-5190	Alcatel Lucent Omnivista	0.03	—	0.05	Oct 22, 2007	Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/Webclient.php or (2) the Langue parameter to the default URI.
CVE-2007-5562	Netgear Ssl312	0.03	—	0.03	Oct 18, 2007	Cross-site scripting (XSS) vulnerability in cgi-bin/welcome (aka the login page) in Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 allows remote attackers to inject arbitrary web script or HTML via the err parameter in the context of an error page.
CVE-2007-5478	Nabh Information Systems Stringbeans Portal	0.03	—	0.03	Oct 16, 2007	Cross-site scripting (XSS) vulnerability in projects in Nabh Stringbeans Portal (sbportal) 3.2 allows remote attackers to inject arbitrary web script or HTML via the project_name parameter.
CVE-2007-5480	Innovaage Innovashop	0.03	—	0.04	Oct 16, 2007	Multiple cross-site scripting (XSS) vulnerabilities in InnovaAge InnovaShop allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter to msg.jsp, and the (2) contentid parameter to tc/contents/home001.jsp.

CVE-2007-3694Nov 14, 2007
Getmiro
Broadcast Machine
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in login.php in Miro Project Broadcast Machine 0.9.9.9 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
CVE-2007-5944Nov 14, 2007
IBM
Websphere Application Server
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Servlet Engine / Web Container in IBM WebSphere Application Server (WAS) 5.1.1.4 through 5.1.1.16 allows remote attackers to inject arbitrary web script or HTML via the Expect HTTP header. NOTE: this might be the same issue as CVE-2006-3918, but there are insufficient details to be sure.
CVE-2007-5952Nov 14, 2007
Helioscalendar
Helios Calendar
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in admin/index.php in Helios Calendar 1.2.1 Beta allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-5923Nov 10, 2007
Broadcom Corporation
Etrust Siteminder
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in forms/smpwservices.fcc in CA (formerly Computer Associates) eTrust SiteMinder Agent allows remote attackers to inject arbitrary web script or HTML via the SMAUTHREASON parameter, a different vector than CVE-2005-2204.
CVE-2007-5796Nov 3, 2007
Symantec
Proxysg Firmware
risk 0.03cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the management console in Blue Coat ProxySG before 4.2.6.1, and 5.x before 5.2.2.5, allows remote attackers to inject arbitrary web script or HTML by modifying the URL that is used for loading Certificate Revocation Lists.
CVE-2007-4862Oct 30, 2007
Quirm
Saxon
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in admin/menu.php in SAXON 5.4 allows remote attackers to inject arbitrary web script or HTML via the config[news_url] parameter.
CVE-2007-5728Oct 30, 2007
Phppgadmin
Phppgadmin
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865.
CVE-2007-5725Oct 30, 2007
Smart Shop
Smart Shop
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Smart-Shop allow remote attackers to inject arbitrary web script or HTML via (1) the email parameter to index.php; or the command parameter to index.php in (2) the default action for the home page, (3) a currencies action, or (4) a basket action.
CVE-2007-5724Oct 30, 2007
Omnistar Interactive
Omnistar Live
risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in Omnistar Live allow remote attackers to inject arbitrary web script or HTML via (1) the category_id parameter to users/kb.php, and possibly (3) the Email Box field in profile.php.
CVE-2007-5710Oct 30, 2007
WordPress
WordPress
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter.
CVE-2007-5692Oct 29, 2007
Sitebar
Sitebar
risk 0.03cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in SiteBar 3.3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the lang parameter to integrator.php; (2) the token parameter in a New Password action, (3) the nid_acl parameter in a Folder Properties action, or (4) the uid parameter in a Modify User action to command.php; or (5) the target parameter to index.php, different vectors than CVE-2006-3320.
CVE-2007-5677Oct 24, 2007
Hackish
Hackish
risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hackish BETA 1.1 allows remote attackers to inject arbitrary web script or HTML via the go_shout parameter.
CVE-2007-5648Oct 23, 2007
Rnote
Rnote
risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rNote 0.9.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) d or the (2) u parameter.
CVE-2007-5647Oct 23, 2007
Socketkb
Socketkb
risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in SocketKB 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) art_id or (2) node parameter in an article action to the default URI.
CVE-2007-5649Oct 23, 2007
Socketmail
Socketmail
risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Digital Resources SocketMail 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the lost_id parameter.
CVE-2007-5625Oct 23, 2007
Simongibson
Asp Site Search Searchsimon Lite
risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in filename.asp in ASP Site Search SearchSimon Lite 1.0 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter.
CVE-2007-5190Oct 22, 2007
Alcatel Lucent
Omnivista
risk 0.03cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/Webclient.php or (2) the Langue parameter to the default URI.
CVE-2007-5562Oct 18, 2007
Netgear
Ssl312
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in cgi-bin/welcome (aka the login page) in Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 allows remote attackers to inject arbitrary web script or HTML via the err parameter in the context of an error page.
CVE-2007-5478Oct 16, 2007
Nabh Information Systems
Stringbeans Portal
risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in projects in Nabh Stringbeans Portal (sbportal) 3.2 allows remote attackers to inject arbitrary web script or HTML via the project_name parameter.
CVE-2007-5480Oct 16, 2007
Innovaage
Innovashop
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in InnovaAge InnovaShop allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter to msg.jsp, and the (2) contentid parameter to tc/contents/home001.jsp.