CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,312)

page 871 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2022-29947	—	—	0.01	Apr 29, 2022	Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping.
CVE-2022-25854	—	—	0.01	Apr 29, 2022	This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
CVE-2021-41948	—	—	0.00	Apr 29, 2022	A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".
CVE-2022-1530	Livehelperchat Livehelperchat	—	0.01	Apr 29, 2022	Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. The attacker can execute malicious JavaScript on the application.
CVE-2022-1514	Neorazorx Facturascripts	—	0.01	Apr 28, 2022	Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the…
CVE-2022-24873	Shopware Shopware	—	0.01	Apr 28, 2022	Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the…
CVE-2022-1504	Microweber Microweber	—	0.01	Apr 27, 2022	XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.
CVE-2022-24891	Esapi Esapi Java Legacy	—	0.02	Apr 27, 2022	ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the…
CVE-2022-1173	Getgrav Grav	—	0.01	Apr 26, 2022	stored xss in GitHub repository getgrav/grav prior to 1.7.33.
CVE-2022-26596	—	—	0.01	Apr 25, 2022	Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web…
CVE-2022-26597	Liferay Portal	—	0.01	Apr 25, 2022	Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.
CVE-2022-27103	—	—	0.01	Apr 25, 2022	element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.
CVE-2022-1457	Neorazorx Facturascripts	—	0.01	Apr 25, 2022	Store XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install…
CVE-2022-1445	Snipeitapp Snipe It	—	0.01	Apr 24, 2022	Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stolen the user Cookie.
CVE-2022-1439	Microweber Microweber	—	0.03	Apr 22, 2022	Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without…
CVE-2022-29577	—	—	0.01	Apr 21, 2022	OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
CVE-2022-28367	—	—	0.01	Apr 21, 2022	OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
CVE-2022-28820	Adobe Inc. Experience Manager	—	0.01	Apr 21, 2022	ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker…
CVE-2022-26593	Liferay Portal	—	0.01	Apr 19, 2022	Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of a asset category.
CVE-2022-1091	—	—	0.01	Apr 18, 2022	The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly…

CVE-2022-29947Apr 29, 2022
risk 0.00cvss —epss 0.01
Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping.
CVE-2022-25854Apr 29, 2022
risk 0.00cvss —epss 0.01
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
CVE-2021-41948Apr 29, 2022
risk 0.00cvss —epss 0.00
A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".
CVE-2022-1530Apr 29, 2022
Livehelperchat
Livehelperchat
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. The attacker can execute malicious JavaScript on the application.
CVE-2022-1514Apr 28, 2022
Neorazorx
Facturascripts
risk 0.00cvss —epss 0.01
Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the…
CVE-2022-24873Apr 28, 2022
Shopware
Shopware
risk 0.00cvss —epss 0.01
Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the…
CVE-2022-1504Apr 27, 2022
Microweber
Microweber
risk 0.00cvss —epss 0.01
XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.
CVE-2022-24891Apr 27, 2022
Esapi
Esapi Java Legacy
risk 0.00cvss —epss 0.02
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the…
CVE-2022-1173Apr 26, 2022
Getgrav
Grav
risk 0.00cvss —epss 0.01
stored xss in GitHub repository getgrav/grav prior to 1.7.33.
CVE-2022-26596Apr 25, 2022
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web…
CVE-2022-26597Apr 25, 2022
Liferay
Portal
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.
CVE-2022-27103Apr 25, 2022
risk 0.00cvss —epss 0.01
element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.
CVE-2022-1457Apr 25, 2022
Neorazorx
Facturascripts
risk 0.00cvss —epss 0.01
Store XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install…
CVE-2022-1445Apr 24, 2022
Snipeitapp
Snipe It
risk 0.00cvss —epss 0.01
Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stolen the user Cookie.
CVE-2022-1439Apr 22, 2022
Microweber
Microweber
risk 0.00cvss —epss 0.03
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without…
CVE-2022-29577Apr 21, 2022
risk 0.00cvss —epss 0.01
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
CVE-2022-28367Apr 21, 2022
risk 0.00cvss —epss 0.01
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
CVE-2022-28820Apr 21, 2022
Adobe Inc.
Experience Manager
risk 0.00cvss —epss 0.01
ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker…
CVE-2022-26593Apr 19, 2022
Liferay
Portal
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of a asset category.
CVE-2022-1091Apr 18, 2022
risk 0.00cvss —epss 0.01
The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly…