CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,306)

page 878 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2022-0576	Librenms Librenms	—	0.01	Feb 13, 2022	Cross-site Scripting (XSS) - Generic in Packagist librenms/librenms prior to 22.1.0.
CVE-2022-0565	Pimcore Pimcore	—	0.01	Feb 12, 2022	Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1.
CVE-2020-13672	—	—	0.01	Feb 11, 2022	Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14;…
CVE-2020-13669	—	—	0.01	Feb 11, 2022	Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
CVE-2020-13668	—	—	0.01	Feb 11, 2022	Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions…
CVE-2022-0558	Microweber Microweber	—	0.01	Feb 10, 2022	Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-23622	Cryptpad Xwiki Platform	—	0.01	Feb 9, 2022	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in…
CVE-2022-0539	Ptrofimov Ptrofimov/beanstalk Console	—	0.01	Feb 9, 2022	Cross-site Scripting (XSS) - Stored in Packagist ptrofimov/beanstalk_console prior to 1.7.14.
CVE-2021-45919	Studio 42 Elfinder	—	0.01	Feb 8, 2022	Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.
CVE-2021-45329	Go Gitea Gitea	—	0.01	Feb 8, 2022	Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.
CVE-2022-21702	Grafana Grafana	—	0.02	Feb 8, 2022	Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting…
CVE-2022-0510	Pimcore Pimcore	—	0.01	Feb 8, 2022	Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore prior to 10.3.1.
CVE-2022-0509	Pimcore Pimcore	—	0.01	Feb 8, 2022	Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.3.1.
CVE-2022-0506	Microweber Microweber	—	0.01	Feb 8, 2022	Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0502	Livehelperchat Livehelperchat	—	0.01	Feb 6, 2022	Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
CVE-2022-0501	Ptrofimov Ptrofimov/beanstalk Console	—	0.01	Feb 5, 2022	Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstalk_console prior to 1.7.12.
CVE-2022-0437	—	—	0.15	Feb 5, 2022	Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
CVE-2022-0472	—	—	0.01	Feb 4, 2022	Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9.
CVE-2021-43841	Cryptpad Xwiki Platform	—	0.01	Feb 4, 2022	XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has…
CVE-2022-22818	Djangoproject Django	—	0.03	Feb 3, 2022	The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

CVE-2022-0576Feb 13, 2022
Librenms
Librenms
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in Packagist librenms/librenms prior to 22.1.0.
CVE-2022-0565Feb 12, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1.
CVE-2020-13672Feb 11, 2022
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14;…
CVE-2020-13669Feb 11, 2022
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
CVE-2020-13668Feb 11, 2022
risk 0.00cvss —epss 0.01
Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions…
CVE-2022-0558Feb 10, 2022
Microweber
Microweber
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-23622Feb 9, 2022
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in…
CVE-2022-0539Feb 9, 2022
Ptrofimov
Ptrofimov/beanstalk Console
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist ptrofimov/beanstalk_console prior to 1.7.14.
CVE-2021-45919Feb 8, 2022
Studio 42
Elfinder
risk 0.00cvss —epss 0.01
Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.
CVE-2021-45329Feb 8, 2022
Go Gitea
Gitea
risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.
CVE-2022-21702Feb 8, 2022
Grafana
Grafana
risk 0.00cvss —epss 0.02
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting…
CVE-2022-0510Feb 8, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore prior to 10.3.1.
CVE-2022-0509Feb 8, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.3.1.
CVE-2022-0506Feb 8, 2022
Microweber
Microweber
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0502Feb 6, 2022
Livehelperchat
Livehelperchat
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
CVE-2022-0501Feb 5, 2022
Ptrofimov
Ptrofimov/beanstalk Console
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstalk_console prior to 1.7.12.
CVE-2022-0437Feb 5, 2022
risk 0.00cvss —epss 0.15
Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
CVE-2022-0472Feb 4, 2022
risk 0.00cvss —epss 0.01
Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9.
CVE-2021-43841Feb 4, 2022
Cryptpad
Xwiki Platform
risk 0.00cvss —epss 0.01
XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has…
CVE-2022-22818Feb 3, 2022
Djangoproject
Django
risk 0.00cvss —epss 0.03
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.