CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,319)

page 804 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2024-53382	Prismjs Prism	—	0.00	Mar 3, 2025	Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
CVE-2024-53384	tsup tsup	—	0.00	Mar 3, 2025	A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
CVE-2024-53386	—	—	0.00	Mar 3, 2025	Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
CVE-2024-53388	mavo mavo	—	0.01	Mar 3, 2025	A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element.
CVE-2025-27145	9001 Copyparty	—	0.00	Feb 25, 2025	copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an…
CVE-2025-26530	Moodle Moodle	—	0.00	Feb 24, 2025	The question bank filter required additional sanitizing to prevent a reflected XSS risk.
CVE-2025-26529	Moodle Moodle	—	0.00	Feb 24, 2025	Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
CVE-2025-26528	Moodle Moodle	—	0.00	Feb 24, 2025	The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
CVE-2025-27108	—	—	0.00	Feb 21, 2025	dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the…
CVE-2025-27088	Oxyno Zeta S3 Proxy	—	0.00	Feb 20, 2025	oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing…
CVE-2025-25296	Humansignal Label Studio	—	0.02	Feb 14, 2025	Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially…
CVE-2025-26791	Cure53 Dompurify	—	0.01	Feb 14, 2025	DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
CVE-2024-57601	Alextselegidis Easyappointments	—	0.00	Feb 12, 2025	Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter.
CVE-2025-24414	Adobe Inc. Commerce	—	0.01	Feb 11, 2025	Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24415	Adobe Inc. Commerce	—	0.01	Feb 11, 2025	Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24416	Adobe Inc. Commerce	—	0.01	Feb 11, 2025	Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24413	Adobe Inc. Commerce	—	0.01	Feb 11, 2025	Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24438	Adobe Inc. Commerce	—	0.01	Feb 11, 2025	Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24417	Adobe Inc. Commerce	—	0.01	Feb 11, 2025	Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24412	Adobe Inc. Commerce	—	0.01	Feb 11, 2025	Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…

CVE-2024-53382Mar 3, 2025
Prismjs
Prism
risk 0.00cvss —epss 0.00
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
CVE-2024-53384Mar 3, 2025
tsup
tsup
risk 0.00cvss —epss 0.00
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
CVE-2024-53386Mar 3, 2025
risk 0.00cvss —epss 0.00
Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
CVE-2024-53388Mar 3, 2025
mavo
mavo
risk 0.00cvss —epss 0.01
A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element.
CVE-2025-27145Feb 25, 2025
9001
Copyparty
risk 0.00cvss —epss 0.00
copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an…
CVE-2025-26530Feb 24, 2025
Moodle
Moodle
risk 0.00cvss —epss 0.00
The question bank filter required additional sanitizing to prevent a reflected XSS risk.
CVE-2025-26529Feb 24, 2025
Moodle
Moodle
risk 0.00cvss —epss 0.00
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
CVE-2025-26528Feb 24, 2025
Moodle
Moodle
risk 0.00cvss —epss 0.00
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
CVE-2025-27108Feb 21, 2025
risk 0.00cvss —epss 0.00
dom-expressions is a Fine-Grained Runtime for Performant DOM Rendering. In affected versions the use of javascript's `.replace()` opens up to potential Cross-site Scripting (XSS) vulnerabilities with the special replacement patterns beginning with `$`. Particularly, when the…
CVE-2025-27088Feb 20, 2025
Oxyno Zeta
S3 Proxy
risk 0.00cvss —epss 0.00
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing…
CVE-2025-25296Feb 14, 2025
Humansignal
Label Studio
risk 0.00cvss —epss 0.02
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially…
CVE-2025-26791Feb 14, 2025
Cure53
Dompurify
risk 0.00cvss —epss 0.01
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
CVE-2024-57601Feb 12, 2025
Alextselegidis
Easyappointments
risk 0.00cvss —epss 0.00
Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter.
CVE-2025-24414Feb 11, 2025
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24415Feb 11, 2025
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24416Feb 11, 2025
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24413Feb 11, 2025
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24438Feb 11, 2025
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24417Feb 11, 2025
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…
CVE-2025-24412Feb 11, 2025
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious…