CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,312)

page 863 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2022-38664	Jenkins Project Job Configuration History Plugin	—	0.01	Aug 23, 2022	Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.
CVE-2022-2796	Pimcore Pimcore	—	0.01	Aug 23, 2022	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.4.
CVE-2022-2890	Yetiforcecompany Yetiforcecompany/yetiforcecrm	—	0.01	Aug 22, 2022	Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
CVE-2022-2932	—	—	0.01	Aug 22, 2022	Cross-site Scripting (XSS) - Reflected in GitHub repository bustle/mobiledoc-kit prior to 0.14.2.
CVE-2022-1340	Yetiforcecompany Yetiforcecompany/yetiforcecrm	—	0.00	Aug 22, 2022	Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
CVE-2022-2885	Yetiforcecompany Yetiforcecompany/yetiforcecrm	—	0.00	Aug 21, 2022	Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
CVE-2022-35909	Jellyfin Jellyfin	—	0.01	Aug 19, 2022	In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality.
CVE-2022-35174	—	—	0.01	Aug 18, 2022	A stored cross-site scripting (XSS) vulnerability in Kirby's Starterkit v3.7.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Tags field.
CVE-2021-32862	Jupyter Nbconvert	—	0.01	Aug 18, 2022	The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS)…
CVE-2022-2871	Notrinos Notrinos/notrinoserp	—	0.01	Aug 17, 2022	Cross-site Scripting (XSS) - Stored in GitHub repository notrinos/notrinoserp prior to 0.7.
CVE-2022-34257	Adobe Inc. Magento Commerce	—	0.01	Aug 16, 2022	Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may…
CVE-2022-34258	Adobe Inc. Magento Commerce	—	0.68	Aug 16, 2022	Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields.…
CVE-2020-14320	Moodle Moodle	—	0.01	Aug 16, 2022	In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
CVE-2022-35585	—	—	0.01	Aug 12, 2022	A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" Parameter
CVE-2022-35587	—	—	0.01	Aug 12, 2022	A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter
CVE-2022-35589	—	—	0.01	Aug 12, 2022	A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_time" Parameter.
CVE-2022-35590	—	—	0.01	Aug 12, 2022	A cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "end_date" Parameter
CVE-2022-2777	Microweber Microweber	—	0.00	Aug 11, 2022	Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
CVE-2022-35697	Adobe Inc. Experience Manager	—	0.01	Aug 9, 2022	Adobe Experience Manager Core Components version 2.20.6 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed…
CVE-2020-1691	Moodle Moodle	—	0.01	Aug 5, 2022	In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.

CVE-2022-38664Aug 23, 2022
Jenkins Project
Job Configuration History Plugin
risk 0.00cvss —epss 0.01
Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.
CVE-2022-2796Aug 23, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.4.
CVE-2022-2890Aug 22, 2022
Yetiforcecompany
Yetiforcecompany/yetiforcecrm
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
CVE-2022-2932Aug 22, 2022
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Reflected in GitHub repository bustle/mobiledoc-kit prior to 0.14.2.
CVE-2022-1340Aug 22, 2022
Yetiforcecompany
Yetiforcecompany/yetiforcecrm
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
CVE-2022-2885Aug 21, 2022
Yetiforcecompany
Yetiforcecompany/yetiforcecrm
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
CVE-2022-35909Aug 19, 2022
Jellyfin
Jellyfin
risk 0.00cvss —epss 0.01
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality.
CVE-2022-35174Aug 18, 2022
risk 0.00cvss —epss 0.01
A stored cross-site scripting (XSS) vulnerability in Kirby's Starterkit v3.7.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Tags field.
CVE-2021-32862Aug 18, 2022
Jupyter
Nbconvert
risk 0.00cvss —epss 0.01
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS)…
CVE-2022-2871Aug 17, 2022
Notrinos
Notrinos/notrinoserp
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository notrinos/notrinoserp prior to 0.7.
CVE-2022-34257Aug 16, 2022
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may…
CVE-2022-34258Aug 16, 2022
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.68
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields.…
CVE-2020-14320Aug 16, 2022
Moodle
Moodle
risk 0.00cvss —epss 0.01
In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
CVE-2022-35585Aug 12, 2022
risk 0.00cvss —epss 0.01
A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" Parameter
CVE-2022-35587Aug 12, 2022
risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter
CVE-2022-35589Aug 12, 2022
risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_time" Parameter.
CVE-2022-35590Aug 12, 2022
risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "end_date" Parameter
CVE-2022-2777Aug 11, 2022
Microweber
Microweber
risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
CVE-2022-35697Aug 9, 2022
Adobe Inc.
Experience Manager
risk 0.00cvss —epss 0.01
Adobe Experience Manager Core Components version 2.20.6 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed…
CVE-2020-1691Aug 5, 2022
Moodle
Moodle
risk 0.00cvss —epss 0.01
In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.