CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,306)
page 881 of 1,166

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-0159 | | | 0.00 | — | 0.01 | | Jan 12, 2022 | orchardcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2022-0087 | | | 0.00 | — | 0.03 | | Jan 11, 2022 | keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2021-36739 | | — | 0.00 | — | 0.02 | | Jan 6, 2022 | The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks. |
| CVE-2021-36738 | | — | 0.00 | — | 0.02 | | Jan 6, 2022 | The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact |
| CVE-2021-36737 | | — | 0.00 | — | 0.02 | | Jan 6, 2022 | The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact |
| CVE-2020-27428 | | — | 0.00 | — | 0.01 | | Jan 5, 2022 | A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file. |
| CVE-2022-22109 | | | 0.00 | — | 0.01 | | Jan 5, 2022 | In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim's browser when they open the… |
| CVE-2022-21648 | | | 0.00 | — | 0.01 | | Jan 4, 2022 | Latte is an open source template engine for PHP. Versions since 2.8.0 Latte has included a template sandbox and in affected versions it has been found that a sandbox escape exists allowing for injection into web pages generated from Latte. This may lead to XSS attacks. The issue… |
| CVE-2021-41236 | | — | 0.00 | — | 0.01 | | Jan 4, 2022 | OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload, execution the attacked… |
| CVE-2022-22293 | | — | 0.00 | — | 0.01 | | Jan 1, 2022 | admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter. |
| CVE-2021-43862 | | | 0.00 | — | 0.01 | | Dec 30, 2021 | jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. Versions prior to 2.31.1 contain a low impact and limited cross-site scripting (XSS) vulnerability. The code for XSS payload is always visible, but an attacker can use other… |
| CVE-2021-43861 | | | 0.00 | — | 0.01 | | Dec 30, 2021 | Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade… |
| CVE-2021-45895 | | — | 0.00 | — | 0.01 | | Dec 27, 2021 | Netgen Tags Bundle 3.4.x before 3.4.11 and 4.0.x before 4.0.15 allows XSS in the Tags Admin interface. |
| CVE-2021-3977 | | | 0.00 | — | 0.01 | | Dec 24, 2021 | invoiceninja is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2021-4072 | | | 0.00 | — | 0.01 | | Dec 24, 2021 | elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2021-43853 | | — | 0.00 | — | 0.01 | | Dec 22, 2021 | Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to… |
| CVE-2012-20001 | | — | 0.00 | — | 0.01 | | Dec 21, 2021 | PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field. |
| CVE-2021-4139 | | | 0.00 | — | 0.01 | | Dec 21, 2021 | pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2021-43678 | | — | 0.00 | — | 0.01 | | Dec 17, 2021 | Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php. |
| CVE-2021-4132 | | | 0.00 | — | 0.01 | | Dec 17, 2021 | livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |