CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,319)

page 816 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2024-5478	Lunary AI Lunary	—	0.00	Jun 6, 2024	A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before…
CVE-2024-37156	—	—	0.00	Jun 6, 2024	The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3.
CVE-2024-32464	Rubyonrails Rails	—	0.00	Jun 4, 2024	Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.
CVE-2024-34000	Moodle Moodle	—	0.00	May 31, 2024	ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.
CVE-2024-33998	Moodle Moodle	—	0.00	May 31, 2024	Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.
CVE-2024-33997	Moodle Moodle	—	0.00	May 31, 2024	Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation.
CVE-2024-32877	Yiisoft Yiisoft/yii2	—	0.00	May 30, 2024	Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the…
CVE-2024-5520	Alkacon Opencms	—	0.00	May 30, 2024	Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in…
CVE-2024-35239	—	—	0.00	May 28, 2024	Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after…
CVE-2024-5165	—	—	0.01	May 23, 2024	In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of several input fields of the Eclipse Ditto Explorer User Interface https://eclipse.dev/ditto/user-interface.html was not properly neutralized and thus vulnerable to both Reflected and Stored XSS (Cross Site Scripting).…
CVE-2024-29392	Silverpeas Silverpeas	—	0.00	May 22, 2024	Silverpeas Core 6.3 is vulnerable to Cross Site Scripting (XSS) via ClipboardSessionController.
CVE-2024-35218	Umbraco Umbraco CMS	—	0.00	May 21, 2024	Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4,…
CVE-2024-34716	Prestashop Prestashop	—	0.56	May 14, 2024	PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature…
CVE-2024-34243	—	—	0.00	May 14, 2024	Konga v0.14.9 is vulnerable to Cross Site Scripting (XSS) via the username parameter.
CVE-2024-34357	TYPO3 Typo3	—	0.01	May 14, 2024	TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID…
CVE-2024-34356	TYPO3 Typo3	—	0.01	May 14, 2024	TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a…
CVE-2024-34355	TYPO3 Typo3	—	0.01	May 14, 2024	TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject…
CVE-2024-32077	Apache Airflow	—	0.02	May 14, 2024	Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.
CVE-2024-34707	Nautobot Nautobot	—	0.01	May 13, 2024	Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to…
CVE-2023-49781	Nocodb Nocodb	—	0.01	May 13, 2024	NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls"…

CVE-2024-5478Jun 6, 2024
Lunary AI
Lunary
risk 0.00cvss —epss 0.00
A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before…
CVE-2024-37156Jun 6, 2024
risk 0.00cvss —epss 0.00
The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3.
CVE-2024-32464Jun 4, 2024
Rubyonrails
Rails
risk 0.00cvss —epss 0.00
Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.
CVE-2024-34000May 31, 2024
Moodle
Moodle
risk 0.00cvss —epss 0.00
ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.
CVE-2024-33998May 31, 2024
Moodle
Moodle
risk 0.00cvss —epss 0.00
Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.
CVE-2024-33997May 31, 2024
Moodle
Moodle
risk 0.00cvss —epss 0.00
Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation.
CVE-2024-32877May 30, 2024
Yiisoft
Yiisoft/yii2
risk 0.00cvss —epss 0.00
Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the…
CVE-2024-5520May 30, 2024
Alkacon
Opencms
risk 0.00cvss —epss 0.00
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in…
CVE-2024-35239May 28, 2024
risk 0.00cvss —epss 0.00
Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after…
CVE-2024-5165May 23, 2024
risk 0.00cvss —epss 0.01
In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of several input fields of the Eclipse Ditto Explorer User Interface https://eclipse.dev/ditto/user-interface.html was not properly neutralized and thus vulnerable to both Reflected and Stored XSS (Cross Site Scripting).…
CVE-2024-29392May 22, 2024
Silverpeas
Silverpeas
risk 0.00cvss —epss 0.00
Silverpeas Core 6.3 is vulnerable to Cross Site Scripting (XSS) via ClipboardSessionController.
CVE-2024-35218May 21, 2024
Umbraco
Umbraco CMS
risk 0.00cvss —epss 0.00
Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4,…
CVE-2024-34716May 14, 2024
Prestashop
Prestashop
risk 0.00cvss —epss 0.56
PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature…
CVE-2024-34243May 14, 2024
risk 0.00cvss —epss 0.00
Konga v0.14.9 is vulnerable to Cross Site Scripting (XSS) via the username parameter.
CVE-2024-34357May 14, 2024
TYPO3
Typo3
risk 0.00cvss —epss 0.01
TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the `ShowImageController` (`_eID…
CVE-2024-34356May 14, 2024
TYPO3
Typo3
risk 0.00cvss —epss 0.01
TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a…
CVE-2024-34355May 14, 2024
TYPO3
Typo3
risk 0.00cvss —epss 0.01
TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject…
CVE-2024-32077May 14, 2024
Apache
Airflow
risk 0.00cvss —epss 0.02
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users are recommended to upgrade to version 2.9.1, which fixes this issue.
CVE-2024-34707May 13, 2024
Nautobot
Nautobot
risk 0.00cvss —epss 0.01
Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to…
CVE-2023-49781May 13, 2024
Nocodb
Nocodb
risk 0.00cvss —epss 0.01
NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls"…