CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,319)

page 807 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2024-11184	WordPress Wp Enable Webp	—	0.00	Jan 2, 2025	The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts
CVE-2024-54775	—	—	0.00	Dec 27, 2024	Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions.
CVE-2024-54774	—	—	0.00	Dec 27, 2024	Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.
CVE-2024-56527	—	—	0.01	Dec 27, 2024	An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.
CVE-2024-56519	—	—	0.01	Dec 27, 2024	An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.
CVE-2024-55341	—	—	0.00	Dec 20, 2024	A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by creating a page via the /manager/pages and then adding a markdown content with the XSS payload.
CVE-2024-55342	—	—	0.00	Dec 20, 2024	A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser,…
CVE-2023-37940	Liferay Portal	—	0.00	Dec 17, 2024	Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or…
CVE-2024-11993	Liferay Portal	—	0.00	Dec 17, 2024	Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field
CVE-2024-12393	Drupal Drupal Core	—	0.00	Dec 9, 2024	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-53457	Librenms Librenms	—	0.42	Dec 5, 2024	A stored cross-site scripting (XSS) vulnerability in the Device Settings section of LibreNMS v24.9.0 to v24.10.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name parameter.
CVE-2024-53999	Mobsf Mobile Security Framework Mobsf	—	0.01	Dec 3, 2024	Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload…
CVE-2024-53985	Rubyonrails HTML Sanitizer	—	0.01	Dec 2, 2024	rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS…
CVE-2024-53987	Rubyonrails HTML Sanitizer	—	0.00	Dec 2, 2024	rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2024-53986	Rubyonrails HTML Sanitizer	—	0.00	Dec 2, 2024	rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2024-53988	Rubyonrails HTML Sanitizer	—	0.00	Dec 2, 2024	rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2024-53989	Rubyonrails HTML Sanitizer	—	0.00	Dec 2, 2024	rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2023-2142	Mozilla Corporation Nunjucks	—	0.00	Nov 26, 2024	In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads…
CVE-2024-53261	Sveltejs Kit	—	0.00	Nov 25, 2024	SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from the request URL flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."…
CVE-2024-53262	Sveltejs Kit	—	0.00	Nov 25, 2024	SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else…

CVE-2024-11184Jan 2, 2025
WordPress
Wp Enable Webp
risk 0.00cvss —epss 0.00
The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts
CVE-2024-54775Dec 27, 2024
risk 0.00cvss —epss 0.00
Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions.
CVE-2024-54774Dec 27, 2024
risk 0.00cvss —epss 0.00
Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.
CVE-2024-56527Dec 27, 2024
risk 0.00cvss —epss 0.01
An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.
CVE-2024-56519Dec 27, 2024
risk 0.00cvss —epss 0.01
An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.
CVE-2024-55341Dec 20, 2024
risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by creating a page via the /manager/pages and then adding a markdown content with the XSS payload.
CVE-2024-55342Dec 20, 2024
risk 0.00cvss —epss 0.00
A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser,…
CVE-2023-37940Dec 17, 2024
Liferay
Portal
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or…
CVE-2024-11993Dec 17, 2024
Liferay
Portal
risk 0.00cvss —epss 0.00
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field
CVE-2024-12393Dec 9, 2024
Drupal
Drupal Core
risk 0.00cvss —epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-53457Dec 5, 2024
Librenms
Librenms
risk 0.00cvss —epss 0.42
A stored cross-site scripting (XSS) vulnerability in the Device Settings section of LibreNMS v24.9.0 to v24.10.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name parameter.
CVE-2024-53999Dec 3, 2024
Mobsf
Mobile Security Framework Mobsf
risk 0.00cvss —epss 0.01
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload…
CVE-2024-53985Dec 2, 2024
Rubyonrails
HTML Sanitizer
risk 0.00cvss —epss 0.01
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS…
CVE-2024-53987Dec 2, 2024
Rubyonrails
HTML Sanitizer
risk 0.00cvss —epss 0.00
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2024-53986Dec 2, 2024
Rubyonrails
HTML Sanitizer
risk 0.00cvss —epss 0.00
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2024-53988Dec 2, 2024
Rubyonrails
HTML Sanitizer
risk 0.00cvss —epss 0.00
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2024-53989Dec 2, 2024
Rubyonrails
HTML Sanitizer
risk 0.00cvss —epss 0.00
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of…
CVE-2023-2142Nov 26, 2024
Mozilla Corporation
Nunjucks
risk 0.00cvss —epss 0.00
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads…
CVE-2024-53261Nov 25, 2024
Sveltejs
Kit
risk 0.00cvss —epss 0.00
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."…
CVE-2024-53262Nov 25, 2024
Sveltejs
Kit
risk 0.00cvss —epss 0.00
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else…