CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,317)
Page 823 of 1,166

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-24570 | | | 0.00 | — | 0.01 | | Feb 1, 2024 | Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the… |
| CVE-2024-24558 | | — | 0.00 | — | 0.00 | | Jan 30, 2024 | TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject… |
| CVE-2024-24556 | | — | 0.00 | — | 0.00 | | Jan 30, 2024 | urql is a GraphQL client that exposes a set of helpers for several frameworks. The `@urql/next` package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns `html` tags and that the web-application is using streamed responses… |
| CVE-2023-36259 | | — | 0.00 | — | 0.00 | | Jan 30, 2024 | Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. |
| CVE-2024-23817 | | | 0.00 | — | 0.01 | | Jan 25, 2024 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has an HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and… |
| CVE-2024-23905 | | | 0.00 | — | 0.01 | | Jan 24, 2024 | Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |
| CVE-2024-23633 | | | 0.00 | — | 0.01 | | Jan 23, 2024 | Label Studio, an open source data labeling tool, had a remote import feature that allowed users to import data from a remote web source, which was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could have been abused to download an HTML file that… |
| CVE-2023-47115 | | | 0.00 | — | 0.01 | | Jan 23, 2024 | Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website.… |
| CVE-2024-23341 | | — | 0.00 | — | 0.00 | | Jan 23, 2024 | TuiTse-TsuSin is a package for organizing the comparative corpus of Taiwanese Chinese characters and Roman characters, and extracting sentences of the Taiwanese Chinese characters and the Roman characters. Prior to version 1.3.2, when using `tuitse_html` without quoting the… |
| CVE-2024-22417 | | | 0.00 | — | 0.01 | | Jan 23, 2024 | Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a `GET` request on lines 339-343… |
| CVE-2023-49657 | | | 0.00 | — | 0.01 | | Jan 23, 2024 | A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions,… |
| CVE-2024-22497 | | — | 0.00 | — | 0.00 | | Jan 23, 2024 | Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL. |
| CVE-2024-22490 | | — | 0.00 | — | 0.00 | | Jan 23, 2024 | Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter. |
| CVE-2024-22496 | | — | 0.00 | — | 0.00 | | Jan 23, 2024 | Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter. |
| CVE-2024-23345 | | | 0.00 | — | 0.00 | | Jan 22, 2024 | Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any… |
| CVE-2024-23725 | | | 0.00 | — | 0.00 | | Jan 21, 2024 | Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries. |
| CVE-2024-22420 | | | 0.00 | — | 0.01 | | Jan 19, 2024 | JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using the JupyterLab preview feature. A malicious user can access… |
| CVE-2024-0758 | | | 0.00 | — | 0.01 | | Jan 19, 2024 | MolecularFaces before 0.3.0 is vulnerable to cross site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles. |
| CVE-2024-22411 | | | 0.00 | — | 0.01 | | Jan 16, 2024 | Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on… |
| CVE-2024-22191 | | | 0.00 | — | 0.01 | | Jan 16, 2024 | Avo is a framework to create admin panels for Ruby on Rails apps. A stored cross-site scripting (XSS) vulnerability was found in the key_value field of Avo v3.2.3 and v2.46.0. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's… |