CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,315)

page 847 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-26046	kitabisa teler-waf	—	0.01	Mar 2, 2023	teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version 0.1.1 is vulnerable to bypassing common web attack rules when a specific HTML entities payload is used. This vulnerability allows an…
CVE-2023-22462	Grafana Grafana	—	0.02	Mar 2, 2023	Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user…
CVE-2023-1117	Pimcore Pimcore	—	0.00	Mar 1, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-1115	Pimcore Pimcore	—	0.01	Mar 1, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-1116	Pimcore Pimcore	—	0.01	Mar 1, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-1081	Microweber Microweber	—	0.00	Feb 28, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-1067	Pimcore Pimcore	—	0.00	Feb 27, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-26091	—	—	0.00	Feb 26, 2023	The frp_form_answers (aka Forms Export) extension before 3.1.2, and 4.x before 4.0.2, for TYPO3 allows XSS via saved emails.
CVE-2022-48345	—	—	0.01	Feb 24, 2023	sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.
CVE-2023-0867	—	—	0.00	Feb 23, 2023	Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.…
CVE-2023-0868	—	—	0.00	Feb 23, 2023	Reflected cross-site scripting in graph results in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to steal session cookies. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions…
CVE-2023-0869	—	—	0.00	Feb 23, 2023	Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer. Meridian and Horizon…
CVE-2023-0044	—	—	0.01	Feb 23, 2023	If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.
CVE-2023-0846	—	—	0.00	Feb 22, 2023	Unauthenticated, stored cross-site scripting in the display of alarm reduction keys in multiple versions of OpenNMS Horizon and Meridian could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.…
CVE-2023-0949	Modoboa Modoboa	—	0.00	Feb 22, 2023	Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.5.
CVE-2023-0934	—	—	0.00	Feb 21, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.5.
CVE-2016-15025	—	—	0.01	Feb 20, 2023	A vulnerability, which was classified as problematic, was found in generator-hottowel 0.0.11. Affected is an unknown function of the file app/templates/src/server/_app.js of the component 404 Error Handler. The manipulation leads to cross site scripting. It is possible to launch…
CVE-2021-32851	—	—	0.01	Feb 20, 2023	Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted menus. This issue is patched in version 0.18.1
CVE-2021-32856	Microweber Microweber	—	0.01	Feb 20, 2023	Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A…
CVE-2021-32859	—	—	0.01	Feb 20, 2023	The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted `placeholder` entries. An attacker who is able to influence the…

CVE-2023-26046Mar 2, 2023
kitabisa
teler-waf
risk 0.00cvss —epss 0.01
teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version 0.1.1 is vulnerable to bypassing common web attack rules when a specific HTML entities payload is used. This vulnerability allows an…
CVE-2023-22462Mar 2, 2023
Grafana
Grafana
risk 0.00cvss —epss 0.02
Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user…
CVE-2023-1117Mar 1, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-1115Mar 1, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-1116Mar 1, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-1081Feb 28, 2023
Microweber
Microweber
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-1067Feb 27, 2023
Pimcore
Pimcore
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
CVE-2023-26091Feb 26, 2023
risk 0.00cvss —epss 0.00
The frp_form_answers (aka Forms Export) extension before 3.1.2, and 4.x before 4.0.2, for TYPO3 allows XSS via saved emails.
CVE-2022-48345Feb 24, 2023
risk 0.00cvss —epss 0.01
sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.
CVE-2023-0867Feb 23, 2023
risk 0.00cvss —epss 0.00
Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.…
CVE-2023-0868Feb 23, 2023
risk 0.00cvss —epss 0.00
Reflected cross-site scripting in graph results in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to steal session cookies. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions…
CVE-2023-0869Feb 23, 2023
risk 0.00cvss —epss 0.00
Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer. Meridian and Horizon…
CVE-2023-0044Feb 23, 2023
risk 0.00cvss —epss 0.01
If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.
CVE-2023-0846Feb 22, 2023
risk 0.00cvss —epss 0.00
Unauthenticated, stored cross-site scripting in the display of alarm reduction keys in multiple versions of OpenNMS Horizon and Meridian could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4.…
CVE-2023-0949Feb 22, 2023
Modoboa
Modoboa
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Reflected in GitHub repository modoboa/modoboa prior to 2.0.5.
CVE-2023-0934Feb 21, 2023
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.5.
CVE-2016-15025Feb 20, 2023
risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in generator-hottowel 0.0.11. Affected is an unknown function of the file app/templates/src/server/_app.js of the component 404 Error Handler. The manipulation leads to cross site scripting. It is possible to launch…
CVE-2021-32851Feb 20, 2023
risk 0.00cvss —epss 0.01
Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted menus. This issue is patched in version 0.18.1
CVE-2021-32856Feb 20, 2023
Microweber
Microweber
risk 0.00cvss —epss 0.01
Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A…
CVE-2021-32859Feb 20, 2023
risk 0.00cvss —epss 0.01
The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted `placeholder` entries. An attacker who is able to influence the…