CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,315)
page 846 of 1,166| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-1240 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1242 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1238 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1239 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1241 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1237 | — | 0.00 | — | 0.00 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1243 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1245 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-1244 | — | 0.00 | — | 0.01 | Mar 7, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6. | ||
| CVE-2023-27474 | 0.00 | — | 0.01 | Mar 6, 2023 | Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to… | |||
| CVE-2021-36398 | 0.00 | — | 0.01 | Mar 6, 2023 | In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk. | |||
| CVE-2021-36401 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. | |||
| CVE-2021-36399 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk. | |||
| CVE-2023-1197 | 0.00 | — | 0.00 | Mar 6, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository uvdesk/community-skeleton prior to 1.1.0. | |||
| CVE-2023-26486 | 0.00 | — | 0.01 | Mar 3, 2023 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a… | |||
| CVE-2023-26487 | 0.00 | — | 0.01 | Mar 3, 2023 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as… | |||
| CVE-2023-26047 | 0.00 | — | 0.01 | Mar 3, 2023 | teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and… | |||
| CVE-2023-26491 | 0.00 | — | 0.00 | Mar 3, 2023 | RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the… | |||
| CVE-2023-23927 | 0.00 | — | 0.01 | Mar 3, 2023 | Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. | |||
| CVE-2023-26480 | 0.00 | — | 0.01 | Mar 2, 2023 | XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds. |
- CVE-2023-1240Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1242Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1238Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1239Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Reflected in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1241Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1237Mar 7, 2023risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1243Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1245Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-1244Mar 7, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.6.
- CVE-2023-27474Mar 6, 2023risk 0.00cvss —epss 0.01
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to…
- CVE-2021-36398Mar 6, 2023risk 0.00cvss —epss 0.01
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
- CVE-2021-36401Mar 6, 2023risk 0.00cvss —epss 0.01
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.
- CVE-2021-36399Mar 6, 2023risk 0.00cvss —epss 0.01
In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.
- CVE-2023-1197Mar 6, 2023risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository uvdesk/community-skeleton prior to 1.1.0.
- CVE-2023-26486Mar 3, 2023risk 0.00cvss —epss 0.01
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a…
- CVE-2023-26487Mar 3, 2023risk 0.00cvss —epss 0.01
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as…
- CVE-2023-26047Mar 3, 2023risk 0.00cvss —epss 0.01
teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and…
- CVE-2023-26491Mar 3, 2023risk 0.00cvss —epss 0.00
RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the…
- CVE-2023-23927Mar 3, 2023risk 0.00cvss —epss 0.01
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.
- CVE-2023-26480Mar 2, 2023risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.