CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,317)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49145 | | | 0.00 | — | 0.01 | | Nov 27, 2023 | Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits… |
| CVE-2023-43701 | | | 0.00 | — | 0.01 | | Nov 27, 2023 | Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code into Chart's metadata; this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue… |
| CVE-2023-48705 | | | 0.00 | — | 0.01 | | Nov 22, 2023 | Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected by a cross-site scripting vulnerability. Due to incorrect usage of Django's `mark_safe()` API when… |
| CVE-2023-49146 | | | 0.00 | — | 0.00 | | Nov 22, 2023 | DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG document because of mishandling of comments and greedy regular expressions. |
| CVE-2023-47380 | | | 0.00 | — | 0.01 | | Nov 22, 2023 | Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). |
| CVE-2023-48701 | | | 0.00 | — | 0.01 | | Nov 21, 2023 | Statamic CMS is a Laravel and Git powered content management system (CMS). Prior to versions 3.4.15 and 4.36.0, HTML files crafted to look like images may be uploaded regardless of mime validation. This is only applicable on front-end forms using the "Forms" feature containing an… |
| CVE-2023-40816 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Milestone Name Field. |
| CVE-2023-40809 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number. |
| CVE-2023-40810 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Name Field. |
| CVE-2023-40812 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field. |
| CVE-2023-40813 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation. |
| CVE-2023-40814 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field. |
| CVE-2023-40815 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field. |
| CVE-2023-40817 | | — | 0.00 | — | 0.00 | | Nov 18, 2023 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field. |
| CVE-2023-48295 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring system which includes support for a wide range of network hardware and operating systems. Affected versions are subject to a cross site scripting (XSS) vulnerability in the device group popups. This issue has been… |
| CVE-2023-47797 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | Reflected cross-site scripting (XSS) vulnerability on a content page's edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter. |
| CVE-2023-48649 | | — | 0.00 | — | 0.01 | | Nov 17, 2023 | Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. |
| CVE-2023-40314 | | — | 0.00 | — | 0.00 | | Nov 16, 2023 | Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer. Meridian and Horizon… |
| CVE-2023-4771 | | — | 0.00 | — | 0.01 | | Nov 16, 2023 | A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information. |
| CVE-2023-48219 | | | 0.00 | — | 0.01 | | Nov 15, 2023 | TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE's core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML… |