CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,319)

page 806 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2025-23200	Librenms Librenms	—	0.31	Jan 16, 2025	librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `ajax_form.php` -> param: state. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or…
CVE-2025-23201	Librenms Librenms	—	0.00	Jan 16, 2025	librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to Cross-site Scripting (XSS) on the parameters:`/addhost` -> param: community. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user…
CVE-2024-53277	Silverstripe Silverstripe Framework	—	0.00	Jan 14, 2025	Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the…
CVE-2025-23366	Hal Console	—	0.00	Jan 14, 2025	A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to…
CVE-2024-33299	Microweber Microweber	—	0.01	Jan 10, 2025	Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users
CVE-2024-33297	Microweber Microweber	—	0.01	Jan 10, 2025	Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function
CVE-2024-33298	Microweber Microweber	—	0.01	Jan 10, 2025	Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup
CVE-2024-13209	—	—	0.00	Jan 9, 2025	A vulnerability was found in Redaxo CMS 5.18.1. It has been classified as problematic. Affected is an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 of the component Structure Management Page. The…
CVE-2024-55224	—	—	0.01	Jan 9, 2025	An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.
CVE-2024-55226	—	—	0.00	Jan 9, 2025	Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.
CVE-2024-35498	Grav CMS GravCMS	—	0.00	Jan 6, 2025	A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-46209	—	—	0.00	Jan 6, 2025	A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.
CVE-2024-56412	PHPOffice Phpspreadsheet	—	0.00	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special…
CVE-2024-56411	PHPOffice Phpspreadsheet	—	0.00	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink…
CVE-2024-56410	PHPOffice Phpspreadsheet	—	0.00	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0,…
CVE-2024-56409	PHPOffice Phpspreadsheet	—	0.00	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Numbe…
CVE-2024-56366	PHPOffice Phpspreadsheet	—	0.00	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Num…
CVE-2024-56365	PHPOffice Phpspreadsheet	—	0.00	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the…
CVE-2024-56408	PHPOffice Phpspreadsheet	—	0.00	Jan 3, 2025	PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site…
CVE-2024-56199	Thorsten Phpmyfaq	—	0.00	Jan 2, 2025	phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of…

CVE-2025-23200Jan 16, 2025
Librenms
Librenms
risk 0.00cvss —epss 0.31
librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `ajax_form.php` -> param: state. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or…
CVE-2025-23201Jan 16, 2025
Librenms
Librenms
risk 0.00cvss —epss 0.00
librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to Cross-site Scripting (XSS) on the parameters:`/addhost` -> param: community. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user…
CVE-2024-53277Jan 14, 2025
Silverstripe
Silverstripe Framework
risk 0.00cvss —epss 0.00
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the…
CVE-2025-23366Jan 14, 2025
Hal
Console
risk 0.00cvss —epss 0.00
A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to…
CVE-2024-33299Jan 10, 2025
Microweber
Microweber
risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users
CVE-2024-33297Jan 10, 2025
Microweber
Microweber
risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function
CVE-2024-33298Jan 10, 2025
Microweber
Microweber
risk 0.00cvss —epss 0.01
Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup
CVE-2024-13209Jan 9, 2025
risk 0.00cvss —epss 0.00
A vulnerability was found in Redaxo CMS 5.18.1. It has been classified as problematic. Affected is an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 of the component Structure Management Page. The…
CVE-2024-55224Jan 9, 2025
risk 0.00cvss —epss 0.01
An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.
CVE-2024-55226Jan 9, 2025
risk 0.00cvss —epss 0.00
Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.
CVE-2024-35498Jan 6, 2025
Grav CMS
GravCMS
risk 0.00cvss —epss 0.00
A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-46209Jan 6, 2025
risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.
CVE-2024-56412Jan 3, 2025
PHPOffice
Phpspreadsheet
risk 0.00cvss —epss 0.00
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special…
CVE-2024-56411Jan 3, 2025
PHPOffice
Phpspreadsheet
risk 0.00cvss —epss 0.00
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink…
CVE-2024-56410Jan 3, 2025
PHPOffice
Phpspreadsheet
risk 0.00cvss —epss 0.00
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0,…
CVE-2024-56409Jan 3, 2025
PHPOffice
Phpspreadsheet
risk 0.00cvss —epss 0.00
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Numbe…
CVE-2024-56366Jan 3, 2025
PHPOffice
Phpspreadsheet
risk 0.00cvss —epss 0.00
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/Num…
CVE-2024-56365Jan 3, 2025
PHPOffice
Phpspreadsheet
risk 0.00cvss —epss 0.00
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the…
CVE-2024-56408Jan 3, 2025
PHPOffice
Phpspreadsheet
risk 0.00cvss —epss 0.00
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site…
CVE-2024-56199Jan 2, 2025
Thorsten
Phpmyfaq
risk 0.00cvss —epss 0.00
phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of…