CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,317)
Page 829 of 1,166

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-5861 | | | 0.00 | — | 0.00 | | Oct 31, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0. |
| CVE-2023-43647 | | | 0.00 | — | 0.01 | | Oct 30, 2023 | baserCMS is a website development framework. Prior to version 4.8.0, there is a cross-site scripting vulnerability in the file upload feature of baserCMS. Version 4.8.0 contains a patch for this issue. |
| CVE-2023-5842 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. |
| CVE-2023-29009 | | | 0.00 | — | 0.00 | | Oct 27, 2023 | baserCMS is a website development framework with WebAPI that runs on PHP8 and CakePHP4. There is a XSS Vulnerability in Favorites Feature to baserCMS. This issue has been patched in version 4.8.0. |
| CVE-2023-46134 | | | 0.00 | — | 0.01 | | Oct 25, 2023 | D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has… |
| CVE-2023-45137 | | | 0.00 | — | 0.01 | | Oct 25, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as `org.xwiki.platform:xwiki-platform-web-templates` prior… |
| CVE-2023-45136 | | | 0.00 | — | 0.05 | | Oct 25, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When document names are validated according to a name strategy (disabled by default), XWiki starting in version 12.0-rc-1 and prior to versions 12.10.12 and 15.5-rc-1 is… |
| CVE-2023-45134 | | | 0.00 | — | 0.02 | | Oct 25, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-1 and prior to 13.4-rc-1, `org.xwiki.platform:xwiki-platform-web-templates` prior to versions… |
| CVE-2023-37908 | | | 0.00 | — | 0.01 | | Oct 25, 2023 | XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via… |
| CVE-2023-46659 | | | 0.00 | — | 0.00 | | Oct 25, 2023 | Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2023-46650 | | | 0.00 | — | 0.01 | | Oct 25, 2023 | Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2023-46126 | | | 0.00 | — | 0.01 | | Oct 24, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The… |
| CVE-2023-44769 | | — | 0.00 | — | 0.01 | | Oct 24, 2023 | A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias. |
| CVE-2023-44760 | | — | 0.00 | — | 0.01 | | Oct 23, 2023 | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can… |
| CVE-2023-5689 | | | 0.00 | — | 0.01 | | Oct 20, 2023 | Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2. |
| CVE-2023-5688 | | | 0.00 | — | 0.01 | | Oct 20, 2023 | Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2. |
| CVE-2023-45818 | | | 0.00 | — | 0.01 | | Oct 19, 2023 | TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal… |
| CVE-2023-45819 | | | 0.00 | — | 0.01 | | Oct 19, 2023 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit… |
| CVE-2023-45815 | | | 0.00 | — | 0.00 | | Oct 19, 2023 | ArchiveBox is an open source self-hosted web archiving system. Any users who are using the `wget` extractor and view the content it outputs. The impact is potentially severe if you are logged in to the ArchiveBox admin site in the same browser session and view an archived… |
| CVE-2023-45279 | | — | 0.00 | — | 0.00 | | Oct 19, 2023 | Yamcs 5.8.6 allows XSS (issue 1 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload a display referencing a malicious JavaScript file to the bucket. The user can then open the uploaded display by… |