CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,317)

page 824 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-36236	—	—	0.01	Jan 16, 2024	Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file uplad.
CVE-2024-22491	—	—	0.00	Jan 16, 2024	A Stored Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the post/save content parameter.
CVE-2024-23173	MediaWiki Cargo	—	0.00	Jan 12, 2024	An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in…
CVE-2024-22492	—	—	0.01	Jan 12, 2024	A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVE-2024-22493	—	—	0.01	Jan 12, 2024	A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save content parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVE-2024-22199	—	—	0.00	Jan 11, 2024	This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the…
CVE-2024-22195	Pallets Jinja	—	0.01	Jan 11, 2024	Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr`…
CVE-2023-6148	—	—	0.00	Jan 9, 2024	Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and…
CVE-2024-22075	Firefly Iii Firefly Iii/firefly Iii	—	0.00	Jan 5, 2024	Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.
CVE-2024-22048	Alphagov Tech Docs Gem	—	0.01	Jan 4, 2024	govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page.
CVE-2024-21636	ViewComponent ViewComponent	—	0.01	Jan 4, 2024	view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller…
CVE-2024-21911	Tinymce Tinymce	—	0.01	Jan 3, 2024	TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
CVE-2024-21910	Jazzband Django Tinymce	—	0.01	Jan 3, 2024	TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.
CVE-2024-21908	Tinymce Tinymce	—	0.01	Jan 3, 2024	TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
CVE-2024-21628	Prestashop Prestashop	—	0.00	Jan 2, 2024	PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to…
CVE-2024-21627	Prestashop Prestashop	—	0.01	Jan 2, 2024	PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11…
CVE-2023-51652	Spassarop Antisamy Dotnet	—	0.00	Jan 2, 2024	OWASP AntiSamy .NET is a library for performing cleansing of HTML coming from untrusted sources. Prior to version 1.2.0, there is a potential for a mutation cross-site scripting (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject…
CVE-2023-50550	Layui Layui	—	0.00	Dec 30, 2023	layui up to v2.74 was discovered to contain a cross-site scripting (XSS) vulnerability via the data-content parameter.
CVE-2023-7113	Mattermost Mattermost	—	0.00	Dec 29, 2023	Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
CVE-2023-52084	Wintercms Winter	—	0.00	Dec 28, 2023	Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This…

CVE-2023-36236Jan 16, 2024
risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file uplad.
CVE-2024-22491Jan 16, 2024
risk 0.00cvss —epss 0.00
A Stored Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the post/save content parameter.
CVE-2024-23173Jan 12, 2024
MediaWiki
Cargo
risk 0.00cvss —epss 0.00
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in…
CVE-2024-22492Jan 12, 2024
risk 0.00cvss —epss 0.01
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVE-2024-22493Jan 12, 2024
risk 0.00cvss —epss 0.01
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save content parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVE-2024-22199Jan 11, 2024
risk 0.00cvss —epss 0.00
This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the…
CVE-2024-22195Jan 11, 2024
Pallets
Jinja
risk 0.00cvss —epss 0.01
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr`…
CVE-2023-6148Jan 9, 2024
risk 0.00cvss —epss 0.00
Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and…
CVE-2024-22075Jan 5, 2024
Firefly Iii
Firefly Iii/firefly Iii
risk 0.00cvss —epss 0.00
Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.
CVE-2024-22048Jan 4, 2024
Alphagov
Tech Docs Gem
risk 0.00cvss —epss 0.01
govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page.
CVE-2024-21636Jan 4, 2024
ViewComponent
ViewComponent
risk 0.00cvss —epss 0.01
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller…
CVE-2024-21911Jan 3, 2024
Tinymce
Tinymce
risk 0.00cvss —epss 0.01
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
CVE-2024-21910Jan 3, 2024
Jazzband
Django Tinymce
risk 0.00cvss —epss 0.01
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.
CVE-2024-21908Jan 3, 2024
Tinymce
Tinymce
risk 0.00cvss —epss 0.01
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
CVE-2024-21628Jan 2, 2024
Prestashop
Prestashop
risk 0.00cvss —epss 0.00
PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to…
CVE-2024-21627Jan 2, 2024
Prestashop
Prestashop
risk 0.00cvss —epss 0.01
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11…
CVE-2023-51652Jan 2, 2024
Spassarop
Antisamy Dotnet
risk 0.00cvss —epss 0.00
OWASP AntiSamy .NET is a library for performing cleansing of HTML coming from untrusted sources. Prior to version 1.2.0, there is a potential for a mutation cross-site scripting (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject…
CVE-2023-50550Dec 30, 2023
Layui
Layui
risk 0.00cvss —epss 0.00
layui up to v2.74 was discovered to contain a cross-site scripting (XSS) vulnerability via the data-content parameter.
CVE-2023-7113Dec 29, 2023
Mattermost
Mattermost
risk 0.00cvss —epss 0.00
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
CVE-2023-52084Dec 28, 2023
Wintercms
Winter
risk 0.00cvss —epss 0.00
Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This…