CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,306)

page 886 of 1,166

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2021-23445	—	—	0.02	Sep 27, 2021	This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
CVE-2021-37860	Mattermost Mattermost	—	0.01	Sep 22, 2021	Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.
CVE-2021-41086	Jsuites Jsuites	—	0.01	Sep 21, 2021	jsuites is an open source collection of common required javascript web components. In affected versions users are subject to cross site scripting (XSS) attacks via clipboard content. jsuites is vulnerable to DOM based XSS if the user can be tricked into copying _anything_ from a…
CVE-2021-23443	—	—	0.01	Sep 21, 2021	This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.
CVE-2021-3785	Yourls Yourls	—	0.01	Sep 15, 2021	yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3783	Yourls Yourls	—	0.01	Sep 15, 2021	yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3780	—	—	0.01	Sep 15, 2021	peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39391	—	—	0.01	Sep 14, 2021	Cross Site Scripting (XSS) vulnerability exists in the admin panel in Beego v2.0.1 via the URI path in an HTTP request, which is activated by administrators viewing the "Request Statistics" page.
CVE-2021-31274	—	—	0.01	Sep 8, 2021	In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can get executed.
CVE-2021-39199	remarkjs remark-html	—	0.01	Sep 7, 2021	remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized.…
CVE-2021-23439	—	—	0.01	Sep 5, 2021	This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).
CVE-2021-27578	Apache Zeppelin	—	0.03	Sep 2, 2021	Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.
CVE-2021-36027	Adobe Inc. Magento Commerce	—	0.01	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…
CVE-2021-36026	Adobe Inc. Magento Commerce	—	0.02	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form…
CVE-2021-39170	Pimcore Pimcore	—	0.01	Sep 1, 2021	Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch…
CVE-2021-39166	Pimcore Pimcore	—	0.01	Sep 1, 2021	Pimcore is an open source data & experience management platform. Prior to version 10.1.2, text-values were not properly escaped before printed in the version preview. This allowed XSS by authenticated users with access to the resources. This issue is patched in Pimcore version…
CVE-2021-39178	Vercel Next.js	—	0.01	Aug 30, 2021	Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned…
CVE-2021-27909	Mautic Mautic	—	0.04	Aug 30, 2021	For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into…
CVE-2021-27912	Mautic Mautic	—	0.01	Aug 30, 2021	Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit…
CVE-2021-27911	Mautic Mautic	—	0.01	Aug 30, 2021	Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can…

CVE-2021-23445Sep 27, 2021
risk 0.00cvss —epss 0.02
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
CVE-2021-37860Sep 22, 2021
Mattermost
Mattermost
risk 0.00cvss —epss 0.01
Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.
CVE-2021-41086Sep 21, 2021
Jsuites
Jsuites
risk 0.00cvss —epss 0.01
jsuites is an open source collection of common required javascript web components. In affected versions users are subject to cross site scripting (XSS) attacks via clipboard content. jsuites is vulnerable to DOM based XSS if the user can be tricked into copying _anything_ from a…
CVE-2021-23443Sep 21, 2021
risk 0.00cvss —epss 0.01
This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.
CVE-2021-3785Sep 15, 2021
Yourls
Yourls
risk 0.00cvss —epss 0.01
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3783Sep 15, 2021
Yourls
Yourls
risk 0.00cvss —epss 0.01
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3780Sep 15, 2021
risk 0.00cvss —epss 0.01
peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39391Sep 14, 2021
risk 0.00cvss —epss 0.01
Cross Site Scripting (XSS) vulnerability exists in the admin panel in Beego v2.0.1 via the URI path in an HTTP request, which is activated by administrators viewing the "Request Statistics" page.
CVE-2021-31274Sep 8, 2021
risk 0.00cvss —epss 0.01
In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can get executed.
CVE-2021-39199Sep 7, 2021
remarkjs
remark-html
risk 0.00cvss —epss 0.01
remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized.…
CVE-2021-23439Sep 5, 2021
risk 0.00cvss —epss 0.01
This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).
CVE-2021-27578Sep 2, 2021
Apache
Zeppelin
risk 0.00cvss —epss 0.03
Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.
CVE-2021-36027Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…
CVE-2021-36026Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.02
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form…
CVE-2021-39170Sep 1, 2021
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch…
CVE-2021-39166Sep 1, 2021
Pimcore
Pimcore
risk 0.00cvss —epss 0.01
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, text-values were not properly escaped before printed in the version preview. This allowed XSS by authenticated users with access to the resources. This issue is patched in Pimcore version…
CVE-2021-39178Aug 30, 2021
Vercel
Next.js
risk 0.00cvss —epss 0.01
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned…
CVE-2021-27909Aug 30, 2021
Mautic
Mautic
risk 0.00cvss —epss 0.04
For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into…
CVE-2021-27912Aug 30, 2021
Mautic
Mautic
risk 0.00cvss —epss 0.01
Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit…
CVE-2021-27911Aug 30, 2021
Mautic
Mautic
risk 0.00cvss —epss 0.01
Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can…