VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Base · Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,317)

page 820 of 1,166
  • CVE-2024-27140 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this…

  • CVE-2023-50378 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.01

    Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8. Impact: as it will be stored XSS, it could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads. Users are…

  • CVE-2024-27499 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.01

    Bagisto v1.5.1 is vulnerable to cross-site scripting (XSS) via a PNG file upload vulnerability in the product review option.

  • CVE-2023-46950 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions.

  • CVE-2024-27290 · Feb 29, 2024
    risk 0.00 · cvss · epss 0.00

    Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version…

  • CVE-2024-2001 · Feb 29, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

  • CVE-2024-27285 · Feb 28, 2024
    risk 0.00 · cvss · epss 0.01

    YARD is a Ruby documentation tool. The "frames.html" file within the YARD-generated documentation is vulnerable to cross-site scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This…

  • CVE-2024-27083 · Feb 28, 2024
    risk 0.00 · cvss · epss 0.01

    Flask-AppBuilder is an application development framework, built on top of Flask. A cross-site scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user into following a specially crafted URL to the OAuth login page. This URL could…

  • CVE-2024-26143 · Feb 27, 2024
    risk 0.00 · cvss · epss 0.01

    Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted…

  • CVE-2024-25399 · Feb 27, 2024
    risk 0.00 · cvss · epss 0.00

    Subrion CMS 4.2.1 is vulnerable to cross-site scripting (XSS) via adminer.php.

  • CVE-2024-27087 · Feb 26, 2024
    risk 0.00 · cvss · epss 0.00

    Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link against the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined…

  • CVE-2024-27133 · Feb 23, 2024
    risk 0.00 · cvss · epss 0.01

    Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

  • CVE-2024-27132 · Feb 23, 2024
    risk 0.00 · cvss · epss 0.01

    Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.

  • CVE-2024-26152 · Feb 22, 2024
    risk 0.00 · cvss · epss 0.02

    Summary: on all Label Studio versions prior to 1.11.0, data imported via the file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS…

  • CVE-2024-26151 · Feb 22, 2024
    risk 0.00 · cvss · epss 0.01

    The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates, unless that data is checked in a very…

  • CVE-2024-26128 · Feb 22, 2024
    risk 0.00 · cvss · epss 0.01

    baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability.

  • CVE-2023-44379 · Feb 22, 2024
    risk 0.00 · cvss · epss 0.00

    baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the site search feature. Version 5.0.9 contains a fix for this vulnerability.

  • CVE-2024-23349 · Feb 22, 2024
    risk 0.00 · cvss · epss 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. XSS attack when a user enters a summary. A logged-in user, when modifying their own submitted question, can input…

  • CVE-2024-25875 · Feb 22, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Header module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Undertitle text field.

  • CVE-2024-25874 · Feb 22, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the New/Edit Article module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Create Tag text field.