CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,306)

page 882 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2021-4121	Yetiforcecompany Yetiforcecompany/yetiforcecrm	—	0.01	Dec 16, 2021	yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-44116	—	—	0.01	Dec 15, 2021	Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12.7 in posts.php. Attackers can use the posts column to upload the title and content containing malicious code to achieve the purpose of obtaining the administrator cookie, thereby achieving other malicious…
CVE-2021-4116	Yetiforcecompany Yetiforcecompany/yetiforcecrm	—	0.00	Dec 15, 2021	yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42220	—	—	0.01	Dec 15, 2021	A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.
CVE-2021-4108	Snipeitapp Snipe It	—	0.01	Dec 14, 2021	snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39183	Owncast Owncast	—	0.01	Dec 14, 2021	Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the…
CVE-2021-4107	Yetiforcecompany Yetiforcecompany/yetiforcecrm	—	0.01	Dec 14, 2021	yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43818	Lxml Lxml	—	0.02	Dec 13, 2021	lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a…
CVE-2021-4084	Pimcore Pimcore	—	0.02	Dec 10, 2021	pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4081	Pimcore Pimcore	—	0.01	Dec 10, 2021	pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4050	Livehelperchat Livehelperchat	—	0.01	Dec 8, 2021	livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43808	Laravel Laravel Framework	—	0.01	Dec 7, 2021	Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser…
CVE-2021-42567	—	—	0.08	Dec 7, 2021	Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
CVE-2021-25967	Ckan Ckan	—	0.00	Dec 1, 2021	In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when…
CVE-2021-44277	—	—	0.01	Dec 1, 2021	Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.
CVE-2021-44279	—	—	0.01	Dec 1, 2021	Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.
CVE-2021-3983	—	—	0.01	Dec 1, 2021	kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3985	—	—	0.01	Dec 1, 2021	kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3994	django-helpdesk django-helpdesk	—	0.01	Dec 1, 2021	django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4018	Snipeitapp Snipe It	—	0.01	Dec 1, 2021	snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-4121Dec 16, 2021
Yetiforcecompany
Yetiforcecompany/yetiforcecrm
risk 0.00cvss —epss 0.01
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-44116Dec 15, 2021
risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12.7 in posts.php. Attackers can use the posts column to upload the title and content containing malicious code to achieve the purpose of obtaining the administrator cookie, thereby achieving other malicious…
CVE-2021-4116Dec 15, 2021
Yetiforcecompany
Yetiforcecompany/yetiforcecrm
risk 0.00cvss —epss 0.00
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42220Dec 15, 2021
risk 0.00cvss —epss 0.01
A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.
CVE-2021-4108Dec 14, 2021
Snipeitapp
Snipe It
risk 0.00cvss —epss 0.01
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39183Dec 14, 2021
Owncast
Owncast
risk 0.00cvss —epss 0.01
Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the…
CVE-2021-4107Dec 14, 2021
Yetiforcecompany
Yetiforcecompany/yetiforcecrm
risk 0.00cvss —epss 0.01
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43818Dec 13, 2021
Lxml
Lxml
risk 0.00cvss —epss 0.02
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a…
CVE-2021-4084Dec 10, 2021
Pimcore
Pimcore
risk 0.00cvss —epss 0.02
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4081Dec 10, 2021
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4050Dec 8, 2021
Livehelperchat
Livehelperchat
risk 0.00cvss —epss 0.01
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-43808Dec 7, 2021
Laravel
Laravel Framework
risk 0.00cvss —epss 0.01
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser…
CVE-2021-42567Dec 7, 2021
risk 0.00cvss —epss 0.08
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
CVE-2021-25967Dec 1, 2021
Ckan
Ckan
risk 0.00cvss —epss 0.00
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when…
CVE-2021-44277Dec 1, 2021
risk 0.00cvss —epss 0.01
Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.
CVE-2021-44279Dec 1, 2021
risk 0.00cvss —epss 0.01
Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.
CVE-2021-3983Dec 1, 2021
risk 0.00cvss —epss 0.01
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3985Dec 1, 2021
risk 0.00cvss —epss 0.01
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3994Dec 1, 2021
django-helpdesk
django-helpdesk
risk 0.00cvss —epss 0.01
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4018Dec 1, 2021
Snipeitapp
Snipe It
risk 0.00cvss —epss 0.01
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')