CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,314)
page 854 of 1,166| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-4520 | — | 0.00 | — | 0.01 | Dec 15, 2022 | A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is some unknown functionality of the file components/registry/org.wso2.carbon.registry.search.ui/src/main/resources/web/search/advancedSearchForm-ajaxprocessor… | ||
| CVE-2022-4521 | — | 0.00 | — | 0.01 | Dec 15, 2022 | A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is… | ||
| CVE-2022-4524 | 0.00 | — | 0.01 | Dec 15, 2022 | A vulnerability, which was classified as problematic, was found in Roots soil Plugin up to 4.0.x. Affected is the function language_attributes of the file src/Modules/CleanUpModule.php. The manipulation of the argument language leads to cross site scripting. It is possible to… | |||
| CVE-2020-36607 | — | 0.00 | — | 0.01 | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via tha lang attribute of an html tag. | ||
| CVE-2022-4527 | — | 0.00 | — | 0.01 | Dec 15, 2022 | A vulnerability was found in collective.task up to 3.0.8. It has been classified as problematic. This affects the function renderCell/AssignedGroupColumn of the file src/collective/task/browser/table.py. The manipulation leads to cross site scripting. It is possible to initiate… | ||
| CVE-2020-20589 | — | 0.00 | — | 0.01 | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via tha lang attribute of an html tag. | ||
| CVE-2022-23520 | 0.00 | — | 0.01 | Dec 14, 2022 | rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may… | |||
| CVE-2022-23519 | 0.00 | — | 0.01 | Dec 14, 2022 | rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden… | |||
| CVE-2022-23518 | 0.00 | — | 0.01 | Dec 14, 2022 | rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4. | |||
| CVE-2022-23515 | 0.00 | — | 0.01 | Dec 14, 2022 | Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1. | |||
| CVE-2022-4495 | 0.00 | — | 0.00 | Dec 14, 2022 | A vulnerability, which was classified as problematic, has been found in collective.dms.basecontent up to 1.6. This issue affects the function renderCell of the file src/collective/dms/basecontent/browser/column.py. The manipulation leads to cross site scripting. The attack may… | |||
| CVE-2022-23499 | — | 0.00 | — | 0.00 | Dec 13, 2022 | HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a… | ||
| CVE-2022-44303 | — | 0.00 | — | 0.01 | Dec 13, 2022 | Resque Scheduler version 1.27.4 is vulnerable to Cross-site scripting (XSS). A remote attacker could inject javascript code to the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side. | ||
| CVE-2022-43996 | — | 0.00 | — | 0.00 | Dec 13, 2022 | The csaf_provider package before 0.8.2 allows XSS via a crafted CSAF document uploaded as text/html. The endpoint upload allows valid CSAF advisories (JSON format) to be uploaded with Content-Type text/html and filenames ending in .html. When subsequently accessed via web… | ||
| CVE-2022-45970 | 0.00 | — | 0.00 | Dec 12, 2022 | Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board. | |||
| CVE-2021-4244 | — | 0.00 | — | 0.01 | Dec 12, 2022 | A vulnerability classified as problematic has been found in yikes-inc-easy-mailchimp-extender Plugin up to 6.8.5. This affects an unknown part of the file admin/partials/ajax/add_field_to_form.php. The manipulation of the argument field_name/merge_tag/field_type/list_id leads to… | ||
| CVE-2022-4408 | — | 0.00 | — | 0.00 | Dec 11, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.9. | ||
| CVE-2022-4407 | — | 0.00 | — | 0.04 | Dec 11, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.9. | ||
| CVE-2022-4396 | — | 0.00 | — | 0.01 | Dec 10, 2022 | A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is… | ||
| CVE-2022-34297 | — | 0.00 | — | 0.01 | Dec 9, 2022 | Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. |
- CVE-2022-4520Dec 15, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is some unknown functionality of the file components/registry/org.wso2.carbon.registry.search.ui/src/main/resources/web/search/advancedSearchForm-ajaxprocessor…
- CVE-2022-4521Dec 15, 2022risk 0.00cvss —epss 0.01
A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is…
- CVE-2022-4524Dec 15, 2022risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in Roots soil Plugin up to 4.0.x. Affected is the function language_attributes of the file src/Modules/CleanUpModule.php. The manipulation of the argument language leads to cross site scripting. It is possible to…
- CVE-2020-36607Dec 15, 2022risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via tha lang attribute of an html tag.
- CVE-2022-4527Dec 15, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in collective.task up to 3.0.8. It has been classified as problematic. This affects the function renderCell/AssignedGroupColumn of the file src/collective/task/browser/table.py. The manipulation leads to cross site scripting. It is possible to initiate…
- CVE-2020-20589Dec 15, 2022risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via tha lang attribute of an html tag.
- CVE-2022-23520Dec 14, 2022risk 0.00cvss —epss 0.01
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may…
- CVE-2022-23519Dec 14, 2022risk 0.00cvss —epss 0.01
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden…
- CVE-2022-23518Dec 14, 2022risk 0.00cvss —epss 0.01
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
- CVE-2022-23515Dec 14, 2022risk 0.00cvss —epss 0.01
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1.
- CVE-2022-4495Dec 14, 2022risk 0.00cvss —epss 0.00
A vulnerability, which was classified as problematic, has been found in collective.dms.basecontent up to 1.6. This issue affects the function renderCell of the file src/collective/dms/basecontent/browser/column.py. The manipulation leads to cross site scripting. The attack may…
- CVE-2022-23499Dec 13, 2022risk 0.00cvss —epss 0.00
HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a…
- CVE-2022-44303Dec 13, 2022risk 0.00cvss —epss 0.01
Resque Scheduler version 1.27.4 is vulnerable to Cross-site scripting (XSS). A remote attacker could inject javascript code to the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side.
- CVE-2022-43996Dec 13, 2022risk 0.00cvss —epss 0.00
The csaf_provider package before 0.8.2 allows XSS via a crafted CSAF document uploaded as text/html. The endpoint upload allows valid CSAF advisories (JSON format) to be uploaded with Content-Type text/html and filenames ending in .html. When subsequently accessed via web…
- CVE-2022-45970Dec 12, 2022risk 0.00cvss —epss 0.00
Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board.
- CVE-2021-4244Dec 12, 2022risk 0.00cvss —epss 0.01
A vulnerability classified as problematic has been found in yikes-inc-easy-mailchimp-extender Plugin up to 6.8.5. This affects an unknown part of the file admin/partials/ajax/add_field_to_form.php. The manipulation of the argument field_name/merge_tag/field_type/list_id leads to…
- CVE-2022-4408Dec 11, 2022risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
- CVE-2022-4407Dec 11, 2022risk 0.00cvss —epss 0.04
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
- CVE-2022-4396Dec 10, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is…
- CVE-2022-34297Dec 9, 2022risk 0.00cvss —epss 0.01
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.