CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (19,231)
Page 747 of 962

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-4220 | | 0.00 | — | 0.00 | | Jun 25, 2015 | Cross-site scripting (XSS) vulnerability in Cisco Unified Presence Server 9.1(1) allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq03773. |
| CVE-2015-5064 | | 0.00 | — | 0.00 | | Jun 24, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in MySql Lite Administrator (mysql-lite-administrator) beta-1 allow remote attackers to inject arbitrary web script or HTML via the table_name parameter to (1) tabella.php, (2) coloni.php, or (3) insert.php or (4) num_row parameter to coloni.php. |
| CVE-2015-5063 | | 0.00 | — | 0.00 | | Jun 24, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CMS & Framework 3.1.13 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter to install.php. |
| CVE-2015-5061 | | 0.00 | — | 0.00 | | Jun 24, 2015 | Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the organizationName parameter to VendorDef.do. |
| CVE-2015-4413 | | 0.00 | — | 0.00 | | Jun 24, 2015 | Cross-site scripting (XSS) vulnerability in the new_fb_sign_button function in nextend-facebook-connect.php in Nextend Facebook Connect plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter. |
| CVE-2015-4725 | | 0.00 | — | 0.00 | | Jun 23, 2015 | Cross-site scripting (XSS) vulnerability in forgot.php in AudioShare 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the email parameter. |
| CVE-2015-4210 | | 0.00 | — | 0.00 | | Jun 23, 2015 | Cross-site scripting (XSS) vulnerability in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCur03806. |
| CVE-2015-4714 | | 0.00 | — | 0.00 | | Jun 22, 2015 | Cross-site scripting (XSS) vulnerability in the DreamBox DM500-S allows remote attackers to inject arbitrary web script or HTML via the mode parameter to /body. |
| CVE-2015-0526 | | 0.00 | — | 0.00 | | Jun 22, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Validation Manager (RVM) 3.2 before build 201 allow remote attackers to inject arbitrary web script or HTML via the (1) displayMode or (2) wrapPreDisplayMode parameter. |
| CVE-2015-4198 | | 0.00 | — | 0.00 | | Jun 20, 2015 | Cross-site scripting (XSS) vulnerability in the web framework on Cisco Web Security Appliance (WSA) devices with software 8.5.0-497 allows remote attackers to inject arbitrary web script or HTML via an unspecified HTTP header, aka Bug ID CSCuu24409. |
| CVE-2015-4679 | | 0.00 | — | 0.00 | | Jun 19, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in the web interface in Airties RT-210 allow remote attackers to inject arbitrary web script or HTML via the (1) ddns_domainame or (2) ddns_account parameter to ddns.stm. |
| CVE-2015-4661 | | 0.00 | — | 0.01 | | Jun 18, 2015 | Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors. |
| CVE-2015-4660 | | 0.00 | — | 0.01 | | Jun 18, 2015 | Cross-site scripting (XSS) vulnerability in Enhanced SQL Portal 5.0.7961 allows remote attackers to inject arbitrary web script or HTML via the id parameter to iframe.php. |
| CVE-2015-4657 | | 0.00 | — | 0.00 | | Jun 18, 2015 | Cross-site scripting (XSS) vulnerability in Mailbird 2.0.16.0 and earlier allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with a crafted URL. |
| CVE-2015-4656 | | 0.00 | — | 0.00 | | Jun 18, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/. |
| CVE-2015-4655 | | 0.00 | — | 0.00 | | Jun 18, 2015 | Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi. |
| CVE-2015-4587 | | 0.00 | — | 0.00 | | Jun 18, 2015 | Cross-site scripting (XSS) vulnerability in the Alcatel-Lucent CellPipe 7130 router with firmware 1.0.0.20h.HOL allows remote attackers to inject arbitrary web script or HTML via the "Custom application" field in the "port triggering" menu. |
| CVE-2015-4139 | | 0.00 | — | 0.00 | | Jun 18, 2015 | Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP Smiley plugin 1.4.1 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the s4w-more parameter to wp-admin/options-general.php. |
| CVE-2015-3422 | | 0.00 | — | 0.00 | | Jun 18, 2015 | Cross-site scripting (XSS) vulnerability in SearchBlox before 8.2.1 allows remote attackers to inject arbitrary web script or HTML via the menu2 parameter to admin/main.jsp. |
| CVE-2015-4337 | | 0.00 | — | 0.00 | | Jun 17, 2015 | Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php. |