CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,317)

page 836 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-3565	Nilsteampassnet Nilsteampassnet/teampass	—	0.01	Jul 8, 2023	Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVE-2023-37269	Wintercms Winter	—	0.02	Jul 7, 2023	Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a…
CVE-2022-4361	Keycloak Keycloak	—	0.01	Jul 7, 2023	Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the…
CVE-2023-3531	Nilsteampassnet Nilsteampassnet/teampass	—	0.00	Jul 6, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVE-2023-36823	rgrove Sanitize	—	0.01	Jul 6, 2023	Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config…
CVE-2023-36828	Statamic CMS	—	0.01	Jul 5, 2023	Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the…
CVE-2023-36809	Kiwitcms Kiwi	—	0.01	Jul 5, 2023	Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing…
CVE-2023-36477	Cryptpad Xwiki Platform	—	0.01	Jun 30, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to perform a variety of harmful actions, such as removing technical documents,…
CVE-2023-3469	—	—	0.01	Jun 30, 2023	Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.2.
CVE-2023-34840	—	—	0.01	Jun 30, 2023	angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability.
CVE-2023-37298	Joplin Joplin	—	0.00	Jun 30, 2023	Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
CVE-2023-37299	Joplin Joplin	—	0.00	Jun 30, 2023	Joplin before 2.11.5 allows XSS via an AREA element of an image map.
CVE-2023-37302	—	—	0.01	Jun 30, 2023	An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute).
CVE-2023-36471	Cryptpad Xwiki Commons	—	0.01	Jun 29, 2023	Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can…
CVE-2023-36474	Projectdiscovery Interactsh	—	0.00	Jun 28, 2023	Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e `app.` Interactsh server used to create cname entries for `app` pointing…
CVE-2023-3445	—	—	0.00	Jun 28, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository spinacms/spina prior to 2.15.1.
CVE-2023-35162	Cryptpad Xwiki Platform	—	0.02	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the previewactions template to perform a XSS, e.g. by…
CVE-2023-35161	Cryptpad Xwiki Platform	—	0.02	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by…
CVE-2023-35160	Cryptpad Xwiki Platform	—	0.02	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using…
CVE-2023-35159	Cryptpad Xwiki Platform	—	0.02	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by…

CVE-2023-3565Jul 8, 2023
Nilsteampassnet
Nilsteampassnet/teampass
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVE-2023-37269Jul 7, 2023
Wintercms
Winter
risk 0.00cvss —epss 0.02
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a…
CVE-2022-4361Jul 7, 2023
Keycloak
Keycloak
risk 0.00cvss —epss 0.01
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the…
CVE-2023-3531Jul 6, 2023
Nilsteampassnet
Nilsteampassnet/teampass
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVE-2023-36823Jul 6, 2023
rgrove
Sanitize
risk 0.00cvss —epss 0.01
Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config…
CVE-2023-36828Jul 5, 2023
Statamic
CMS
risk 0.00cvss —epss 0.01
Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the…
CVE-2023-36809Jul 5, 2023
Kiwitcms
Kiwi
risk 0.00cvss —epss 0.01
Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing…
CVE-2023-36477Jun 30, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to perform a variety of harmful actions, such as removing technical documents,…
CVE-2023-3469Jun 30, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.2.
CVE-2023-34840Jun 30, 2023
risk 0.00cvss —epss 0.01
angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability.
CVE-2023-37298Jun 30, 2023
Joplin
Joplin
risk 0.00cvss —epss 0.00
Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
CVE-2023-37299Jun 30, 2023
Joplin
Joplin
risk 0.00cvss —epss 0.00
Joplin before 2.11.5 allows XSS via an AREA element of an image map.
CVE-2023-37302Jun 30, 2023
risk 0.00cvss —epss 0.01
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute).
CVE-2023-36471Jun 29, 2023
Cryptpad
Xwiki Commons
risk 0.00cvss —epss 0.01
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can…
CVE-2023-36474Jun 28, 2023
Projectdiscovery
Interactsh
risk 0.00cvss —epss 0.00
Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e `app.` Interactsh server used to create cname entries for `app` pointing…
CVE-2023-3445Jun 28, 2023
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository spinacms/spina prior to 2.15.1.
CVE-2023-35162Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the previewactions template to perform a XSS, e.g. by…
CVE-2023-35161Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by…
CVE-2023-35160Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using…
CVE-2023-35159Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by…