VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,315)

page 842 of 1,166
  • CVE-2023-1875 · Apr 22, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

  • CVE-2022-48150 · Apr 21, 2023
    risk 0.00 · cvss · epss 0.01

    Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI.

  • CVE-2023-29528 · Apr 20, 2023
    risk 0.00 · cvss · epss 0.01

    XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus…

  • CVE-2022-4942 · Apr 20, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in mportuga eslint-detailed-reporter up to 0.9.0 and classified as problematic. Affected by this issue is the function renderIssue in the library lib/template-generator.js. The manipulation of the argument message leads to cross site scripting. The…

  • CVE-2023-2191 · Apr 20, 2023
    risk 0.00 · cvss · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18.

  • CVE-2023-30614 · Apr 19, 2023
    risk 0.00 · cvss · epss 0.00

    Pay is a payments engine for Ruby on Rails 6.0 and higher. In versions prior to 6.3.2 a payments info page of Pay is susceptible to reflected Cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that…

  • CVE-2023-29515 · Apr 18, 2023
    risk 0.00 · cvss · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The…

  • CVE-2023-29508 · Apr 16, 2023
    risk 0.00 · cvss · epss 0.00

    XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10,…

  • CVE-2023-29506 · Apr 16, 2023
    risk 0.00 · cvss · epss 0.02

    XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.

  • CVE-2023-29207 · Apr 15, 2023
    risk 0.00 · cvss · epss 0.01

    XWiki Commons are technical libraries common to several other top level XWiki projects. The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents…

  • CVE-2023-29206 · Apr 15, 2023
    risk 0.00 · cvss · epss 0.01

    XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object…

  • CVE-2023-29205 · Apr 15, 2023
    risk 0.00 · cvss · epss 0.01

    XWiki Commons are technical libraries common to several other top level XWiki projects. The HTML macro does not systematically perform a proper neutralization of script-related html tags. As a result, any user able to use the html macro in XWiki, is able to introduce an XSS…

  • CVE-2023-29202 · Apr 15, 2023
    risk 0.00 · cvss · epss 0.01

    XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter `content` was set to `true`. This allowed arbitrary…

  • CVE-2023-29201 · Apr 15, 2023
    risk 0.00 · cvss · epss 0.01

    XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `` and ``-tags but neither attributes that can be used to inject scripts…

  • CVE-2023-2103 · Apr 15, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

  • CVE-2023-2102 · Apr 15, 2023
    risk 0.00 · cvss · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

  • CVE-2022-45064 · Apr 13, 2023
    risk 0.00 · cvss · epss 0.01

    The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific…

  • CVE-2023-2014 · Apr 13, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.

  • CVE-2023-2021 · Apr 13, 2023
    risk 0.00 · cvss · epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.

  • CVE-2023-26120 · Apr 10, 2023
    risk 0.00 · cvss · epss 0.00

    This affects all versions of the package com.xuxueli:xxl-job. HTML uploaded payload executed successfully through /xxl-job-admin/user/add and /xxl-job-admin/user/update.