CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,306)

page 880 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2022-0285	Pimcore Pimcore	—	0.01	Jan 20, 2022	Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9.
CVE-2022-0282	Microweber Microweber	—	0.02	Jan 20, 2022	Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0278	Microweber Microweber	—	0.01	Jan 20, 2022	Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0274	Orchardproject Orchardcore	—	0.01	Jan 19, 2022	Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2.
CVE-2022-21690	Onionshare Onionshare	—	0.01	Jan 18, 2022	OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions The path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is…
CVE-2022-0262	Pimcore Pimcore	—	0.02	Jan 18, 2022	Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7.
CVE-2021-44217	Ericsson Codechecker	—	0.02	Jan 18, 2022	In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.
CVE-2022-0260	Pimcore Pimcore	—	0.01	Jan 18, 2022	Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.
CVE-2021-45394	—	—	0.02	Jan 18, 2022	An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious tag in the converted HTML document.
CVE-2021-42357	Apache Apache	—	0.03	Jan 17, 2022	When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This…
CVE-2021-33040	—	—	0.01	Jan 17, 2022	managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS.
CVE-2022-0257	Pimcore Pimcore	—	0.01	Jan 17, 2022	pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0256	Pimcore Pimcore	—	0.01	Jan 17, 2022	pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3862	Nicecoder Icecoder/icecoder	—	0.01	Jan 17, 2022	icecoder is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0253	Livehelperchat Livehelperchat	—	0.01	Jan 17, 2022	livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4170	Janeczku Calibre Web	—	0.01	Jan 16, 2022	calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23110	Jenkins Project Publish Over SSH Plugin	—	0.01	Jan 12, 2022	Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.
CVE-2022-23108	Jenkins Project Badge Plugin	—	0.01	Jan 12, 2022	Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-20615	Jenkins Project Matrix Project Plugin	—	0.82	Jan 12, 2022	Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
CVE-2021-44649	—	—	0.01	Jan 12, 2022	Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the…

CVE-2022-0285Jan 20, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9.
CVE-2022-0282Jan 20, 2022
Microweber
Microweber
risk 0.00cvss —epss 0.02
Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0278Jan 20, 2022
Microweber
Microweber
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0274Jan 19, 2022
Orchardproject
Orchardcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2.
CVE-2022-21690Jan 18, 2022
Onionshare
Onionshare
risk 0.00cvss —epss 0.01
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions The path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is…
CVE-2022-0262Jan 18, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.02
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7.
CVE-2021-44217Jan 18, 2022
Ericsson
Codechecker
risk 0.00cvss —epss 0.02
In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.
CVE-2022-0260Jan 18, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.
CVE-2021-45394Jan 18, 2022
risk 0.00cvss —epss 0.02
An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious tag in the converted HTML document.
CVE-2021-42357Jan 17, 2022
Apache
Apache
risk 0.00cvss —epss 0.03
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This…
CVE-2021-33040Jan 17, 2022
risk 0.00cvss —epss 0.01
managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS.
CVE-2022-0257Jan 17, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0256Jan 17, 2022
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3862Jan 17, 2022
Nicecoder
Icecoder/icecoder
risk 0.00cvss —epss 0.01
icecoder is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0253Jan 17, 2022
Livehelperchat
Livehelperchat
risk 0.00cvss —epss 0.01
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4170Jan 16, 2022
Janeczku
Calibre Web
risk 0.00cvss —epss 0.01
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23110Jan 12, 2022
Jenkins Project
Publish Over SSH Plugin
risk 0.00cvss —epss 0.01
Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.
CVE-2022-23108Jan 12, 2022
Jenkins Project
Badge Plugin
risk 0.00cvss —epss 0.01
Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2022-20615Jan 12, 2022
Jenkins Project
Matrix Project Plugin
risk 0.00cvss —epss 0.82
Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
CVE-2021-44649Jan 12, 2022
risk 0.00cvss —epss 0.01
Django CMS 3.7.3 does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the…