CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,317)

page 841 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-28475	—	—	0.01	Apr 28, 2023	Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.
CVE-2023-28477	—	—	0.01	Apr 28, 2023	Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter.
CVE-2023-2361	Pimcore Pimcore	—	0.00	Apr 28, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-28474	—	—	0.01	Apr 28, 2023	Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.
CVE-2023-28820	—	—	0.00	Apr 28, 2023	Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
CVE-2023-28476	—	—	0.01	Apr 28, 2023	Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.
CVE-2023-28471	—	—	0.01	Apr 28, 2023	Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.
CVE-2023-2341	Pimcore Pimcore	—	0.01	Apr 27, 2023	Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2343	Pimcore Pimcore	—	0.00	Apr 27, 2023	Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2322	Pimcore Pimcore	—	0.01	Apr 27, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2323	Pimcore Pimcore	—	0.01	Apr 27, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2327	Pimcore Pimcore	—	0.00	Apr 27, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2342	Pimcore Pimcore	—	0.00	Apr 27, 2023	Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2328	Pimcore Pimcore	—	0.00	Apr 27, 2023	Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2339	Pimcore Pimcore	—	0.01	Apr 27, 2023	Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2340	Pimcore Pimcore	—	0.00	Apr 27, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-31285	—	—	0.01	Apr 27, 2023	An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an…
CVE-2022-25276	—	—	0.01	Apr 26, 2023	The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
CVE-2023-30609	Matrix Org Matrix React SDK	—	0.01	Apr 25, 2023	matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a…
CVE-2023-30838	Prestashop Prestashop	—	0.01	Apr 25, 2023	PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes`…

CVE-2023-28475Apr 28, 2023
risk 0.00cvss —epss 0.01
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.
CVE-2023-28477Apr 28, 2023
risk 0.00cvss —epss 0.01
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter.
CVE-2023-2361Apr 28, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-28474Apr 28, 2023
risk 0.00cvss —epss 0.01
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.
CVE-2023-28820Apr 28, 2023
risk 0.00cvss —epss 0.00
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
CVE-2023-28476Apr 28, 2023
risk 0.00cvss —epss 0.01
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.
CVE-2023-28471Apr 28, 2023
risk 0.00cvss —epss 0.01
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.
CVE-2023-2341Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2343Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2322Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2323Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2327Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2342Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2328Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2339Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2340Apr 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-31285Apr 27, 2023
risk 0.00cvss —epss 0.01
An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an…
CVE-2022-25276Apr 26, 2023
risk 0.00cvss —epss 0.01
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
CVE-2023-30609Apr 25, 2023
Matrix Org
Matrix React SDK
risk 0.00cvss —epss 0.01
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a…
CVE-2023-30838Apr 25, 2023
Prestashop
Prestashop
risk 0.00cvss —epss 0.01
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes`…