CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,315)
page 844 of 1,166

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-28850 | — | | 0.00 | — | 0.01 | | Apr 3, 2023 | Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect… |
| CVE-2023-28836 | | | 0.00 | — | 0.01 | | Apr 3, 2023 | Wagtail is an open source content management system built on Django. Starting in version 1.5 and prior to versions 4.1.4 and 4.2.2, a stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission… |
| CVE-2023-1776 | | | 0.00 | — | 0.00 | | Mar 31, 2023 | Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. |
| CVE-2023-1759 | — | | 0.00 | — | 0.00 | | Mar 31, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2023-1760 | — | | 0.00 | — | 0.01 | | Mar 31, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2023-1761 | — | | 0.00 | — | 0.00 | | Mar 31, 2023 | Cross-site Scripting in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2023-1754 | — | | 0.00 | — | 0.01 | | Mar 31, 2023 | Improper Neutralization of Input During Web Page Generation in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2023-1755 | — | | 0.00 | — | 0.01 | | Mar 31, 2023 | Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2023-27489 | | | 0.00 | — | 0.00 | | Mar 29, 2023 | Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code… |
| CVE-2023-28158 | | | 0.00 | — | 0.01 | | Mar 29, 2023 | Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users who can create a directory name to inject some XSS content and gain some privileges such as admin user. |
| CVE-2023-1701 | | | 0.00 | — | 0.00 | | Mar 29, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.20. |
| CVE-2023-1703 | | | 0.00 | — | 0.00 | | Mar 29, 2023 | Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. |
| CVE-2023-1704 | | | 0.00 | — | 0.00 | | Mar 29, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.20. |
| CVE-2023-1702 | | | 0.00 | — | 0.00 | | Mar 29, 2023 | Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. |
| CVE-2022-1274 | | | 0.00 | — | 0.01 | | Mar 29, 2023 | A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| CVE-2023-28447 | | | 0.00 | — | 0.01 | | Mar 28, 2023 | Smarty is a template engine for PHP. In affected versions Smarty did not properly escape JavaScript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to… |
| CVE-2023-1069 | | | 0.00 | — | 0.01 | | Mar 27, 2023 | The Complianz WordPress plugin before 6.4.2 and Complianz Premium WordPress plugin before 6.4.2 do not validate and escape some of their shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and… |
| CVE-2023-22249 | | | 0.00 | — | 0.57 | | Mar 27, 2023 | Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be… |
| CVE-2023-28669 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. |
| CVE-2023-1410 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible because the value of the Function Description was not properly sanitized. An… |