CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,317)

page 835 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-37692	—	—	0.00	Jul 26, 2023	An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.
CVE-2023-38501	9001 Copyparty	—	0.06	Jul 25, 2023	copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files,…
CVE-2023-38500	—	—	0.00	Jul 25, 2023	TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization…
CVE-2023-36806	Contao Contao CMS	—	0.01	Jul 25, 2023	Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, it is possible for untrusted backend users to inject malicious code into headline fields in the back end, which will be executed both in the element…
CVE-2023-38435	Apache Felix Healthcheck Webconsole Plugin	—	0.02	Jul 25, 2023	An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an attacker to perform a reflected cross-site scripting (XSS) attack. Upgrade to Apache…
CVE-2023-37905	—	—	0.00	Jul 21, 2023	ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version…
CVE-2023-37901	Ingenico Indico	—	0.00	Jul 21, 2023	Indico is an open source a general-purpose, web based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a…
CVE-2023-3822	Pimcore Pimcore	—	0.00	Jul 21, 2023	Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4.
CVE-2023-3821	Pimcore Pimcore	—	0.00	Jul 21, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4.
CVE-2023-3815	y_project Ruoyi	—	0.01	Jul 21, 2023	A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function uploadFilesPath of the component File Upload. The manipulation of the argument originalFilenames leads to cross site scripting. The attack…
CVE-2023-37602	Alkacon Opencms	—	0.01	Jul 20, 2023	An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
CVE-2023-37259	Matrix Org Matrix React SDK	—	0.00	Jul 18, 2023	matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the…
CVE-2023-3691	Layui Layui	—	0.00	Jul 16, 2023	A vulnerability, which was classified as problematic, was found in layui up to v2.8.0-rc.16. This affects an unknown part of the component HTML Attribute Handler. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack…
CVE-2023-2507	CleverTap CleverTap Cordova Plugin	—	0.01	Jul 15, 2023	CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker. This is possible because the plugin does not correctly validate the data coming from the deeplinks…
CVE-2023-3672	plaidweb webmention.js	—	0.00	Jul 14, 2023	Cross-site Scripting (XSS) - DOM in GitHub repository plaidweb/webmention.js prior to 0.5.5.
CVE-2023-37785	Impresscms Impresscms	—	0.00	Jul 13, 2023	A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the smile_code parameter of the component /editprofile.php.
CVE-2023-37280	Pimcore Admin UI Classic Bundle	—	0.01	Jul 11, 2023	Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary…
CVE-2023-34089	Decidim Decidim	—	0.01	Jul 11, 2023	Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to…
CVE-2023-32693	Decidim Decidim	—	0.01	Jul 11, 2023	Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute…
CVE-2023-3620	Amauric Amauric/tarteaucitron.js	—	0.00	Jul 11, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1.

CVE-2023-37692Jul 26, 2023
risk 0.00cvss —epss 0.00
An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.
CVE-2023-38501Jul 25, 2023
9001
Copyparty
risk 0.00cvss —epss 0.06
copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files,…
CVE-2023-38500Jul 25, 2023
risk 0.00cvss —epss 0.00
TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization…
CVE-2023-36806Jul 25, 2023
Contao
Contao CMS
risk 0.00cvss —epss 0.01
Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, it is possible for untrusted backend users to inject malicious code into headline fields in the back end, which will be executed both in the element…
CVE-2023-38435Jul 25, 2023
Apache
Felix Healthcheck Webconsole Plugin
risk 0.00cvss —epss 0.02
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an attacker to perform a reflected cross-site scripting (XSS) attack. Upgrade to Apache…
CVE-2023-37905Jul 21, 2023
risk 0.00cvss —epss 0.00
ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version…
CVE-2023-37901Jul 21, 2023
Ingenico
Indico
risk 0.00cvss —epss 0.00
Indico is an open source a general-purpose, web based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a…
CVE-2023-3822Jul 21, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4.
CVE-2023-3821Jul 21, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4.
CVE-2023-3815Jul 21, 2023
y_project
Ruoyi
risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function uploadFilesPath of the component File Upload. The manipulation of the argument originalFilenames leads to cross site scripting. The attack…
CVE-2023-37602Jul 20, 2023
Alkacon
Opencms
risk 0.00cvss —epss 0.01
An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
CVE-2023-37259Jul 18, 2023
Matrix Org
Matrix React SDK
risk 0.00cvss —epss 0.00
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the…
CVE-2023-3691Jul 16, 2023
Layui
Layui
risk 0.00cvss —epss 0.00
A vulnerability, which was classified as problematic, was found in layui up to v2.8.0-rc.16. This affects an unknown part of the component HTML Attribute Handler. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack…
CVE-2023-2507Jul 15, 2023
CleverTap
CleverTap Cordova Plugin
risk 0.00cvss —epss 0.01
CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker. This is possible because the plugin does not correctly validate the data coming from the deeplinks…
CVE-2023-3672Jul 14, 2023
plaidweb
webmention.js
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - DOM in GitHub repository plaidweb/webmention.js prior to 0.5.5.
CVE-2023-37785Jul 13, 2023
Impresscms
Impresscms
risk 0.00cvss —epss 0.00
A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the smile_code parameter of the component /editprofile.php.
CVE-2023-37280Jul 11, 2023
Pimcore
Admin UI Classic Bundle
risk 0.00cvss —epss 0.01
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary…
CVE-2023-34089Jul 11, 2023
Decidim
Decidim
risk 0.00cvss —epss 0.01
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to…
CVE-2023-32693Jul 11, 2023
Decidim
Decidim
risk 0.00cvss —epss 0.01
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute…
CVE-2023-3620Jul 11, 2023
Amauric
Amauric/tarteaucitron.js
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1.