CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
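The following is an added example, not code from the CWE entry or from any product listed on this page, of the pattern the description names, using the anchor-tag case that several of the listed CVEs describe. It shows the unneutralized string concatenation first, then a hardened version that encodes for the HTML attribute and text contexts and checks the URL scheme only after decoding character references, so that a `javascript&colon;`-style value does not slip past the check. The function names, the scheme allow-list and every sample input are assumptions made for the example.

```javascript
// Added example, not code from the CWE entry or from any product listed on
// this page. Function names, the scheme allow-list and all sample inputs are
// assumptions made for illustration.

// --- Vulnerable form --------------------------------------------------------
// Input is concatenated straight into markup. Both the attribute value and the
// element body are attacker-controlled, so href="javascript:..." or a closing
// quote followed by an event-handler attribute both reach the browser intact.
function renderLinkUnsafe(href, text) {
  return '<a href="' + href + '">' + text + '</a>';
}

// --- Hardened form ----------------------------------------------------------

// Entity-encode the characters that terminate or alter HTML text and
// double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal character-reference decoder: numeric references plus the few named
// ones useful for smuggling a scheme. The browser decodes an attribute value
// before treating it as a URL, so a scheme check on the *raw* string lets
// "javascript&colon;alert(1)" through. (A full decoder would cover every
// named reference; this subset is an assumption made for the example.)
const NAMED = { colon: ':', tab: '\t', newline: '\n', sol: '/', amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, _all, hex, dec, name) => {
    const cp = hex ? parseInt(hex, 16) : dec ? parseInt(dec, 10) : -1;
    if (cp >= 0) return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    const v = NAMED[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Return a URL acceptable for href, or null to reject it. The normalisation
// mirrors what a browser does before it reads the scheme: decode character
// references, drop tab/newline anywhere, trim leading/trailing controls and
// spaces, then read the scheme case-insensitively.
function safeUrl(raw) {
  let u = decodeEntities(String(raw));
  u = u.replace(/[\t\n\r]/g, '');
  u = u.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(u);
  if (m) return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? u : null;
  return u; // no scheme: a relative reference, resolved against our own origin
}

// Neutralise both contexts: validate the URL, then encode for the attribute
// and for the element body. A rejected URL becomes an inert fragment rather
// than being "repaired".
function renderLinkSafe(href, text) {
  const url = safeUrl(href);
  return '<a href="' + escapeHtml(url === null ? '#' : url) + '">' + escapeHtml(text) + '</a>';
}
```

`renderLinkSafe` covers only the two contexts it writes into (a double-quoted attribute and element text); a value placed inside a `<script>` block, a style sheet or a URL query string needs the encoder for that context. The scheme check deliberately lets scheme-less references through, including protocol-relative `//host/...`, which is not script execution but may need an origin check of its own.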
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (23,306)
page 889 of 1,166

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23411 | | — | 0.00 | — | 0.01 | | Jul 21, 2021 | Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the main functionality. It accepts input that can result in the output (an anchor `a` tag) containing undesirable JavaScript code that can be executed upon user interaction. |
| CVE-2021-32669 | | — | 0.00 | — | 0.01 | | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view… |
| CVE-2021-32668 | | — | 0.00 | — | 0.01 | | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When error messages are not properly encoded, the components _QueryGenerator_ and… |
| CVE-2021-32667 | | — | 0.00 | — | 0.01 | | Jul 20, 2021 | TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module… |
| CVE-2021-35043 | | — | 0.00 | — | 0.02 | | Jul 19, 2021 | OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with `&colon;` as the replacement for the : character. |
| CVE-2021-28114 | | — | 0.00 | — | 0.52 | | Jul 16, 2021 | Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace confusion during parsing. |
| CVE-2020-23700 | | — | 0.00 | — | 0.01 | | Jul 7, 2021 | Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature. |
| CVE-2021-35440 | | — | 0.00 | — | 0.01 | | Jul 6, 2021 | Smashing 1.3.4 is vulnerable to Cross Site Scripting (XSS). A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can then steal data available in the session/cookies depending on the user environment (e.g. if re-using… |
| CVE-2021-33192 | | — | 0.00 | — | 0.03 | | Jul 5, 2021 | A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary JavaScript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 (inclusive). |
| CVE-2021-32737 | | — | 0.00 | — | 0.01 | | Jul 2, 2021 | Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41.… |
| CVE-2020-36397 | | — | 0.00 | — | 0.01 | | Jul 2, 2021 | A stored cross site scripting (XSS) vulnerability in the /admin/contact/contact component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. |
| CVE-2020-36396 | | — | 0.00 | — | 0.01 | | Jul 2, 2021 | A stored cross site scripting (XSS) vulnerability in the /admin/roles/role component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. |
| CVE-2020-36395 | | — | 0.00 | — | 0.01 | | Jul 2, 2021 | A stored cross site scripting (XSS) vulnerability in the /admin/user/team component of LavaLite 5.8.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "New" parameter. |
| CVE-2021-27902 | | — | 0.00 | — | 0.01 | | Jun 30, 2021 | An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads. |
| CVE-2021-35959 | | — | 0.00 | — | 0.01 | | Jun 30, 2021 | In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field. |
| CVE-2021-28556 | | — | 0.00 | — | 0.01 | | Jun 28, 2021 | Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker.… |
| CVE-2021-20751 | | — | 0.00 | — | 0.01 | | Jun 28, 2021 | Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a specific operation. |
| CVE-2021-20750 | | — | 0.00 | — | 0.02 | | Jun 28, 2021 | Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 3.0.18-p2 (EC-CUBE 3 series) and EC-CUBE 4.0.0 to 4.0.5-p1 (EC-CUBE 4 series) allows a remote attacker to inject an arbitrary script by leading an administrator or a user to a specially crafted page and to perform a… |
| CVE-2021-35513 | | — | 0.00 | — | 0.01 | | Jun 27, 2021 | Mermaid before 8.11.0 allows XSS when the antiscript feature is used. |
| CVE-2021-32702 | | — | 0.00 | — | 0.01 | | Jun 25, 2021 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then… |