CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,317)

page 837 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-35157	Cryptpad Xwiki Platform	—	0.01	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows…
CVE-2023-35156	Cryptpad Xwiki Platform	—	0.02	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using…
CVE-2023-35155	Cryptpad Xwiki Platform	—	0.01	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). For instance, the following URL execute an `alter` on the browser:…
CVE-2023-35153	Cryptpad Xwiki Platform	—	0.01	Jun 23, 2023	XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding a `AppWithinMinutes.FormFieldCategoryClass` class on a page and…
CVE-2023-34464	Cryptpad Xwiki Platform	—	0.01	Jun 23, 2023	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of…
CVE-2023-35131	Moodle Moodle	—	0.01	Jun 22, 2023	Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.
CVE-2023-33725	—	—	0.01	Jun 21, 2023	Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.6.1-GA.
CVE-2023-33495	—	—	0.01	Jun 20, 2023	Craft CMS through 4.4.9 is vulnerable to HTML Injection.
CVE-2020-21246	—	—	0.01	Jun 20, 2023	Cross Site Scripting vulnerability in YiiCMS v.1.0 allows a remote attacker to execute arbitrary code via the news function.
CVE-2020-21485	—	—	0.01	Jun 20, 2023	Cross Site Scripting vulnerability in Alluxio v.1.8.1 allows a remote attacker to executea arbitrary code via the path parameter in the browse board component.
CVE-2020-20697	—	—	0.01	Jun 20, 2023	Cross Site Scripting vulnerability in khodakhah NodCMS v.3.0 allows a remote attacker to execute arbitrary code and gain access to senstivie information via a crafted script to the address parameter.
CVE-2023-35783	—	—	0.00	Jun 16, 2023	The ke_search (aka Faceted Search) extension before 4.0.3, 4.1.x through 4.6.x before 4.6.6, and 5.x before 5.0.2 for TYPO3 allows XSS via indexed data.
CVE-2023-3193	Liferay Portal	—	0.00	Jun 15, 2023	Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_Gr…
CVE-2023-35145	Jenkins Project Sonargraph Integration Plugin	—	0.01	Jun 14, 2023	Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.
CVE-2023-3191	Nilsteampassnet Nilsteampassnet/teampass	—	0.01	Jun 10, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
CVE-2023-34245	Udecode Plate	—	0.00	Jun 9, 2023	@udecode/plate-link is the link handler for the udecode/plate rich-text editor plugin system for Slate & React. Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the `javascript:` scheme. As a result, links with JavaScript URLs can…
CVE-2023-2121	Hashicorp Vault	—	0.00	Jun 9, 2023	Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.
CVE-2023-3142	Microweber Microweber	—	0.00	Jun 7, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-33977	Kiwitcms Kiwi	—	0.01	Jun 6, 2023	Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files…
CVE-2022-46165	syncthing syncthing	—	0.01	Jun 6, 2023	Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared…

CVE-2023-35157Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows…
CVE-2023-35156Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using…
CVE-2023-35155Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). For instance, the following URL execute an `alter` on the browser:…
CVE-2023-35153Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding a `AppWithinMinutes.FormFieldCategoryClass` class on a page and…
CVE-2023-34464Jun 23, 2023
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of…
CVE-2023-35131Jun 22, 2023
Moodle
Moodle
risk 0.00cvss —epss 0.01
Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.
CVE-2023-33725Jun 21, 2023
risk 0.00cvss —epss 0.01
Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.6.1-GA.
CVE-2023-33495Jun 20, 2023
risk 0.00cvss —epss 0.01
Craft CMS through 4.4.9 is vulnerable to HTML Injection.
CVE-2020-21246Jun 20, 2023
risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in YiiCMS v.1.0 allows a remote attacker to execute arbitrary code via the news function.
CVE-2020-21485Jun 20, 2023
risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in Alluxio v.1.8.1 allows a remote attacker to executea arbitrary code via the path parameter in the browse board component.
CVE-2020-20697Jun 20, 2023
risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in khodakhah NodCMS v.3.0 allows a remote attacker to execute arbitrary code and gain access to senstivie information via a crafted script to the address parameter.
CVE-2023-35783Jun 16, 2023
risk 0.00cvss —epss 0.00
The ke_search (aka Faceted Search) extension before 4.0.3, 4.1.x through 4.6.x before 4.6.6, and 5.x before 5.0.2 for TYPO3 allows XSS via indexed data.
CVE-2023-3193Jun 15, 2023
Liferay
Portal
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.73, and Liferay DXP 7.4 update 70 through 73 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_layout_admin_web_portlet_Gr…
CVE-2023-35145Jun 14, 2023
Jenkins Project
Sonargraph Integration Plugin
risk 0.00cvss —epss 0.01
Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.
CVE-2023-3191Jun 10, 2023
Nilsteampassnet
Nilsteampassnet/teampass
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
CVE-2023-34245Jun 9, 2023
Udecode
Plate
risk 0.00cvss —epss 0.00
@udecode/plate-link is the link handler for the udecode/plate rich-text editor plugin system for Slate & React. Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the `javascript:` scheme. As a result, links with JavaScript URLs can…
CVE-2023-2121Jun 9, 2023
Hashicorp
Vault
risk 0.00cvss —epss 0.00
Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.
CVE-2023-3142Jun 7, 2023
Microweber
Microweber
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-33977Jun 6, 2023
Kiwitcms
Kiwi
risk 0.00cvss —epss 0.01
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files…
CVE-2022-46165Jun 6, 2023
syncthing
syncthing
risk 0.00cvss —epss 0.01
Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared…