VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Base · Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 8 of 1,236
  • CVE-2025-51629 · High · Aug 7, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site scripting (XSS) vulnerability in the PdfViewer component of Agenzia Impresa Eccobook 2.81.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Temp parameter.

  • CVE-2025-52360 · High · Jul 25, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in the OPAC search feature of Koha Library Management System v24.05. Unsanitized input entered in the search field is reflected in the search history interface, leading to the execution of arbitrary JavaScript in the browser…

  • CVE-2025-53890 · Critical · Jul 15, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server.…

  • CVE-2025-5015 · High · Jun 25, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.

  • CVE-2025-4987 · High · Jun 16, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Opportunity Management in Project Portfolio Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4992 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4991 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting 3D Markup in Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4990 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4989 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4988 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Results Analytics in Multidisciplinary Optimization Engineer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4986 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Model Definition in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4985 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Risk Management in Project Portfolio Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4984 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting City Discover in City Referential Manager on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-4983 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting City Referential in City Referential Manager on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-0602 · High · May 30, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting Compare in Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-22373 · High · Apr 14, 2025
    risk 0.57 · cvss n/a · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SicommNet BASEC on SaaS allows Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML and alternation of CSS Styles This issue affects BASEC: from 14…

  • CVE-2025-0827 · High · Mar 17, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting 3DPlay in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-0595 · High · Mar 17, 2025
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2025-27434 · High · Mar 11, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject the malicious code from remote sources, which can be leveraged by an attacker to execute a cross-site scripting (XSS) attack. This could lead to a high impact on the…

  • CVE-2024-51735 · High · Nov 5, 2024
    risk 0.57 · cvss n/a · epss 0.00

    Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports…