VYPR

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable · Likelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (24,712)

page 9 of 1,236
  • CVE-2024-7835 · High · Sep 23, 2024
    risk 0.57 · cvss · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Exnet Informatics Software Ferry Reservation System allows Reflected XSS. This issue affects Ferry Reservation System: before 240805-002.

  • CVE-2024-7737 · High · Sep 19, 2024
    risk 0.57 · cvss 8.7 · epss 0.00

    A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.

  • CVE-2024-3798 · High · Jul 10, 2024
    risk 0.57 · cvss · epss 0.00

    Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local…

  • CVE-2024-5420 · High · Jun 4, 2024
    risk 0.57 · cvss · epss 0.06

    Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS). This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.

  • CVE-2024-3482 · High · May 20, 2024
    risk 0.57 · cvss 8.7 · epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited.

  • CVE-2024-2835 · High · May 20, 2024
    risk 0.57 · cvss 8.7 · epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited.

  • CVE-2024-34058 · High · May 17, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field of an e-mail message).

  • CVE-2024-2834 · High · Apr 8, 2024
    risk 0.57 · cvss 8.7 · epss 0.01

    A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited.

  • CVE-2024-29890 · High · Mar 29, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that…

  • CVE-2018-9078 · High · Sep 28, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset.…

  • CVE-2018-0402 · High · Jul 18, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921.

  • CVE-2018-11501 · High · May 26, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant XSS.

  • CVE-2018-6357 · High · Jan 27, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.

  • CVE-2017-12343 · High · Nov 30, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a…

  • CVE-2017-7666 · High · Jul 17, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.

  • CVE-2026-2344 · High · Feb 11, 2026
    risk 0.56 · cvss · epss 0.00

    A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions being performed on behalf of privileged users. This issue affects Plunet BusinessManager: 10.15.1

  • CVE-2025-7799 · High · Feb 9, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS. This issue affects e-Taxpayer Accounting Website: through 07082025.

  • CVE-2025-6397 · High · Feb 3, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about…

  • CVE-2025-49486 · High · Jul 18, 2025
    risk 0.56 · cvss · epss 0.00

    A stored XSS vulnerability in the Balbooa Gallery plugin 1.0.0-2.4.0 for Joomla allows privileged users to store malicious scripts in gallery items.

  • CVE-2024-10385 · High · Dec 20, 2024
    risk 0.56 · cvss · epss 0.01

    Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with their privileges, including…