CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,315)

page 849 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-0794	—	—	0.01	Feb 12, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0787	—	—	0.01	Feb 12, 2023	Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0786	—	—	0.01	Feb 12, 2023	Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0791	—	—	0.01	Feb 12, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-24230	Formwork Formwork	—	0.01	Feb 10, 2023	A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter.
CVE-2023-0740	—	—	0.01	Feb 8, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2023-0742	—	—	0.01	Feb 8, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2023-0743	—	—	0.01	Feb 8, 2023	Cross-site Scripting (XSS) - Generic in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2023-0741	—	—	0.01	Feb 8, 2023	Cross-site Scripting (XSS) - DOM in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2022-47419	Mayan Edms EDMS	—	0.01	Feb 7, 2023	An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product tagging system.
CVE-2023-24814	TYPO3 Typo3	—	0.01	Feb 7, 2023	TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject…
CVE-2023-0736	Walla Telesite Wallabag/wallabag	—	0.00	Feb 7, 2023	Cross-site Scripting (XSS) - Stored in GitHub repository wallabag/wallabag prior to 2.5.4.
CVE-2015-10073	—	—	0.01	Feb 6, 2023	A vulnerability, which was classified as problematic, was found in tinymighty WikiSEO 1.2.1 on MediaWiki. This affects the function modifyHTML of the file WikiSEO.body.php of the component Meta Property Tag Handler. The manipulation of the argument content leads to cross site…
CVE-2017-20175	—	—	0.01	Feb 5, 2023	A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible…
CVE-2023-22849	Apache Sling App CMS	—	0.01	Feb 4, 2023	An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. …
CVE-2018-25080	—	—	0.03	Feb 4, 2023	A vulnerability, which was classified as problematic, has been found in MobileDetect 2.8.31. This issue affects the function initLayoutType of the file examples/session_example.php of the component Example. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross…
CVE-2021-37502	Automad Automad	—	0.01	Feb 3, 2023	Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows remote attackers to run arbitrary code via the user name field when adding a user.
CVE-2023-23635	Jellyfin Jellyfin	—	0.01	Feb 3, 2023	In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
CVE-2023-23636	Jellyfin Jellyfin	—	0.01	Feb 3, 2023	In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
CVE-2023-23630	—	—	0.01	Feb 1, 2023	Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to…

CVE-2023-0794Feb 12, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0787Feb 12, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0786Feb 12, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-0791Feb 12, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2023-24230Feb 10, 2023
Formwork
Formwork
risk 0.00cvss —epss 0.01
A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter.
CVE-2023-0740Feb 8, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2023-0742Feb 8, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2023-0743Feb 8, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2023-0741Feb 8, 2023
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - DOM in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2022-47419Feb 7, 2023
Mayan Edms
EDMS
risk 0.00cvss —epss 0.01
An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product tagging system.
CVE-2023-24814Feb 7, 2023
TYPO3
Typo3
risk 0.00cvss —epss 0.01
TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject…
CVE-2023-0736Feb 7, 2023
Walla Telesite
Wallabag/wallabag
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository wallabag/wallabag prior to 2.5.4.
CVE-2015-10073Feb 6, 2023
risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in tinymighty WikiSEO 1.2.1 on MediaWiki. This affects the function modifyHTML of the file WikiSEO.body.php of the component Meta Property Tag Handler. The manipulation of the argument content leads to cross site…
CVE-2017-20175Feb 5, 2023
risk 0.00cvss —epss 0.01
A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible…
CVE-2023-22849Feb 4, 2023
Apache
Sling App CMS
risk 0.00cvss —epss 0.01
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. …
CVE-2018-25080Feb 4, 2023
risk 0.00cvss —epss 0.03
A vulnerability, which was classified as problematic, has been found in MobileDetect 2.8.31. This issue affects the function initLayoutType of the file examples/session_example.php of the component Example. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross…
CVE-2021-37502Feb 3, 2023
Automad
Automad
risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows remote attackers to run arbitrary code via the user name field when adding a user.
CVE-2023-23635Feb 3, 2023
Jellyfin
Jellyfin
risk 0.00cvss —epss 0.01
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
CVE-2023-23636Feb 3, 2023
Jellyfin
Jellyfin
risk 0.00cvss —epss 0.01
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
CVE-2023-23630Feb 1, 2023
risk 0.00cvss —epss 0.01
Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to…