VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Base · Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,306)

page 892 of 1,166
  • CVE-2021-29048 · May 17, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Layout module's page administration page in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.2 before fix pack 11 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the…

  • CVE-2021-29051 · May 17, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Asset module's Asset Publisher app in Liferay Portal 7.2.1 through 7.3.5, and Liferay DXP 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via…

  • CVE-2021-29044 · May 17, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Site module's membership request administration pages in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 allows remote attackers…

  • CVE-2021-29046 · May 17, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Asset module's category selector input field in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1, allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_asset_categories_admin_web_portlet_Asset…

  • CVE-2021-29045 · May 17, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Redirect module's redirection administration page in Liferay Portal 7.3.2 through 7.3.5, and Liferay DXP 7.3 before fix pack 1 allows remote attackers to inject arbitrary web script or HTML via the…

  • CVE-2021-29039 · May 16, 2021
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.

  • CVE-2021-32818 · May 14, 2021
    risk 0.00 · cvss · epss 0.01

    haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A…

  • CVE-2019-10062 · May 13, 2021
    risk 0.00 · cvss · epss 0.01

    The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example)…

  • CVE-2021-21649 · May 11, 2021
    risk 0.00 · cvss · epss 0.73

    Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

  • CVE-2021-21648 · May 11, 2021
    risk 0.00 · cvss · epss 0.11

    Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2021-32561 · May 11, 2021
    risk 0.00 · cvss · epss 0.01

    OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.

  • CVE-2021-20717 · May 10, 2021
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the…

  • CVE-2021-32470 · May 7, 2021
    risk 0.00 · cvss · epss 0.01

    Craft CMS before 3.6.13 has an XSS vulnerability.

  • CVE-2021-32091 · May 7, 2021
    risk 0.00 · cvss · epss 0.01

    A Cross-site scripting (XSS) vulnerability exists in StackLift LocalStack 0.12.6.

  • CVE-2020-23263 · May 6, 2021
    risk 0.00 · cvss · epss 0.01

    Persistent Cross-site scripting vulnerability on Fork CMS version 5.8.2 allows remote attackers to inject arbitrary Javascript code via the "navigation_title" parameter and the "title" parameter in /private/en/pages/add.

  • CVE-2021-32052 · May 6, 2021
    risk 0.00 · cvss · epss 0.03

    In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur.…

  • CVE-2021-29489 · May 5, 2021
    risk 0.00 · cvss · epss 0.01

    Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's…

  • CVE-2020-13666 · May 5, 2021
    risk 0.00 · cvss · epss 0.03

    Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions…

  • CVE-2021-28359 · May 2, 2021
    risk 0.00 · cvss · epss 0.14

    The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the…

  • CVE-2021-29484 · Apr 29, 2021
    risk 0.00 · cvss · epss 0.08

    Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter…