VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
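The definition above names the fix implicitly: the input has to be neutralized for the output context it lands in, and a different context (element text, quoted attribute, inline script) needs a different encoding. The following Node.js snippet is an added example, not code from this page or from any of the projects listed below: it puts a string-concatenation render next to a context-aware one, shows that a quoted attribute is still injectable without encoding, and adds a shape allowlist for an identifier. The function names, the `data-ga` attribute, `window.__CONFIG__` and the tracking-ID pattern are this example's own assumptions, not any library's API.

```javascript
// Added example, not code from this page or from any project it lists:
// CWE-79 as a missing or wrong output-context encoding, and the fix.
// renderUnsafe/renderSafe, the data-ga attribute, window.__CONFIG__ and the
// tracking-ID pattern are illustrative assumptions, not any library's API.

// Encoding for HTML text content and for double-quoted attribute values.
// These five characters are the ones that can change parser state there.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: user-controlled strings concatenated straight into the page.
// A '<script>' in displayName becomes an element; a '"' in trackingId closes
// the attribute and everything after it becomes new attributes (attribute
// injection), so quoting the attribute is not a defence on its own.
function renderUnsafe(displayName, trackingId) {
  return `<p class="who">${displayName}</p>` +
         `<div data-ga="${trackingId}"></div>`;
}

// Fixed: every interpolation is encoded for the context it is placed in.
function renderSafe(displayName, trackingId) {
  return `<p class="who">${escapeHtml(displayName)}</p>` +
         `<div data-ga="${escapeHtml(trackingId)}"></div>`;
}

// Data embedded in an inline script is a different context: HTML escaping is
// wrong there (it would corrupt the JavaScript). Serialise as JSON and escape
// '<' so a value containing "</script>" cannot terminate the script element.
function renderInlineScript(config) {
  const json = JSON.stringify(config).replace(/</g, '\\u003c');
  return `<script>window.__CONFIG__ = ${json};</script>`;
}

// Defence in depth for inputs that have a known shape, such as an analytics
// ID: reject anything outside a strict allowlist before it reaches a template.
// The pattern is an assumption chosen for this example.
function isValidTrackingId(id) {
  return /^[A-Z0-9-]{1,32}$/.test(String(id));
}

// Constructed payloads for the demonstration (not taken from any advisory).
const tagPayload = '<script>alert(document.cookie)</script>';
const attrPayload = '" onmouseover="alert(1)';
const scriptPayload = { id: '</script><img src=x onerror=alert(1)>' };

console.log('unsafe: ', renderUnsafe(tagPayload, attrPayload));
console.log('safe:   ', renderSafe(tagPayload, attrPayload));
console.log('inline: ', renderInlineScript(scriptPayload));
console.log('id ok?  ', isValidTrackingId(attrPayload)); // false
```

The unsafe render emits `<div data-ga="" onmouseover="alert(1)">`: the payload never needed a `<` at all, which is why "strip tags" filters miss attribute injection. The safe render keeps the same template and changes only what crosses the trust boundary; the allowlist check is worth keeping in front of it for fields whose legitimate values are narrow.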

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,317)

page 826 of 1,166
  • CVE-2023-47324 · Dec 13, 2023 · risk 0.00 · cvss n/a · epss 0.01

    Silverpeas Core 6.3.1 is vulnerable to Cross Site Scripting (XSS) via the message/notification feature.

  • CVE-2023-47322 · Dec 13, 2023 · risk 0.00 · cvss n/a · epss 0.00

    The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF will execute, making the attacker an…

  • CVE-2023-49279 · Dec 12, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the…

  • CVE-2023-48313 · Dec 12, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4…

  • CVE-2023-38694 · Dec 12, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0,…

  • CVE-2023-28604 · Dec 12, 2023 · risk 0.00 · cvss n/a · epss 0.01

    The fluid_components (aka Fluid Components) extension before 3.5.0 for TYPO3 allows XSS via a component argument parameter, for certain {content} use cases that may be edge cases.

  • CVE-2022-48614 · Dec 10, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Special:Ask in Semantic MediaWiki before 4.0.2 allows Reflected XSS.

  • CVE-2023-49485 · Dec 8, 2023 · risk 0.00 · cvss n/a · epss 0.00

    JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the column management department.

  • CVE-2023-49487 · Dec 8, 2023 · risk 0.00 · cvss n/a · epss 0.00

    JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the navigation management department.

  • CVE-2023-49486 · Dec 8, 2023 · risk 0.00 · cvss n/a · epss 0.00

    JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the model management department.

  • CVE-2023-46494 · Dec 8, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.

  • CVE-2023-46499 · Dec 8, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via crafted scripts submitted to the Admin Panel.

  • CVE-2023-46495 · Dec 8, 2023 · risk 0.00 · cvss n/a · epss 0.00

    Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.

  • CVE-2023-6568 · Dec 7, 2023 · risk 0.00 · cvss n/a · epss 0.02

    A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly…

  • CVE-2023-49289 · Dec 4, 2023 · risk 0.00 · cvss n/a · epss 0.01

    Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET which will create proxy JavaScript classes that are used on client-side to invoke methods on the web server. Affected versions of this package are vulnerable to cross site scripting attacks. Releases before…

  • CVE-2023-49276 · Dec 1, 2023 · risk 0.00 · cvss n/a · epss 0.01

    Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element is vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template…

  • CVE-2023-49277 · Dec 1, 2023 · risk 0.00 · cvss n/a · epss 0.01

    dpaste is an open source pastebin application written in Python using the Django framework. A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to…

  • CVE-2023-6027 · Nov 30, 2023 · risk 0.00 · cvss n/a · epss 0.00

    A critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability. This vulnerability allows malicious actors to insert a carefully crafted JavaScript payload. The issue arises from improper encoding of…

  • CVE-2023-44383 · Nov 29, 2023 · risk 0.00 · cvss n/a · epss 0.00

    October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files…

  • CVE-2023-49090 · Nov 29, 2023 · risk 0.00 · cvss n/a · epss 0.01

    CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a…
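Several entries on this page (Umbraco, October CMS) are stored XSS through uploaded SVG files that carry script, and CarrierWave's case is a content-type allowlist that let such a file through. Output encoding does not address that variant, because the file is served whole rather than interpolated into a template. The Node.js snippet below is an added example, not code from any of the listed projects: it pre-screens an SVG upload for active content as a defence-in-depth step and builds the response headers that keep a stored SVG from executing in the application's origin. The pattern list, the header set, the function names and the sample SVG strings are constructed for illustration.

```javascript
// Added example, not code from this page or from Umbraco, October CMS,
// CarrierWave or any other project it lists. Function names, the pattern
// list and the sample files are this example's own assumptions.

// Markers of active content in SVG source. Case-insensitive because SVG
// element names are, in practice, parsed leniently by browsers in HTML.
const ACTIVE_SVG_PATTERNS = [
  { name: 'script element',          re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL',         re: /javascript\s*:/i },
  { name: 'foreignObject element',   re: /<\s*foreignObject\b/i },
];

// Returns the names of the patterns present in the raw SVG text. This is a
// heuristic on source text, not a parser: entity-encoded or unusually
// whitespaced payloads can slip past it, which is why the serving headers
// below are the primary control and this check is only an early reject.
function findActiveSvgContent(svgText) {
  return ACTIVE_SVG_PATTERNS
    .filter(({ re }) => re.test(svgText))
    .map(({ name }) => name);
}

// Upload decision: accept only when no marker was found.
function decideUpload(svgText) {
  const findings = findActiveSvgContent(svgText);
  return { accepted: findings.length === 0, findings };
}

// Headers for serving a stored SVG so that, even if a payload got through,
// it cannot run in the application's origin: force a download instead of
// rendering, forbid script via a sandboxed CSP, and stop MIME sniffing.
function svgDownloadHeaders(filename) {
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "sandbox; default-src 'none'; script-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample uploads (not real files from any advisory).
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const MALICIOUS_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">' +
  '<script>fetch("/admin/users")</script>' +
  '<a href="javascript:alert(2)"><text>click</text></a></svg>';

console.log(decideUpload(BENIGN_SVG));
console.log(decideUpload(MALICIOUS_SVG));
console.log(svgDownloadHeaders('logo (1).svg'));
```

If the application must render user SVGs inline (for example as a preview), the usual options are rasterising them server-side or serving them from a separate, cookieless origin; a regex pre-check like the one above is not a substitute for either.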