CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (24,712)
page 9 of 1,236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-7835 | Hig | 0.57 | — | 0.00 | Sep 23, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Exnet Informatics Software Ferry Reservation System allows Reflected XSS. This issue affects Ferry Reservation System: before 240805-002. | ||
| CVE-2024-7737 | Hig | 0.57 | 8.7 | 0.00 | Sep 19, 2024 | A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session. | ||
| CVE-2024-3798 | Hig | 0.57 | — | 0.00 | Jul 10, 2024 | Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local… | ||
| CVE-2024-5420 | Hig | 0.57 | — | 0.06 | Jun 4, 2024 | Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below. | ||
| CVE-2024-3482 | Hig | 0.57 | 8.7 | 0.00 | May 20, 2024 | A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited. | ||
| CVE-2024-2835 | Hig | 0.57 | 8.7 | 0.00 | May 20, 2024 | A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited. | ||
| CVE-2024-34058 | Hig | 0.57 | 8.8 | 0.01 | May 17, 2024 | The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field if an e-mail message). | ||
| CVE-2024-2834 | — | Hig | 0.57 | 8.7 | 0.01 | Apr 8, 2024 | A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited. | |
| CVE-2024-29890 | Hig | 0.57 | 8.8 | 0.01 | Mar 29, 2024 | DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that… | ||
| CVE-2018-9078 | Hig | 0.57 | 8.8 | 0.01 | Sep 28, 2018 | For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset.… | ||
| CVE-2018-0402 | Hig | 0.57 | 8.8 | 0.01 | Jul 18, 2018 | Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921. | ||
| CVE-2018-11501 | Hig | 0.57 | 8.8 | 0.01 | May 26, 2018 | PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant XSS. | ||
| CVE-2018-6357 | Hig | 0.57 | 8.8 | 0.01 | Jan 27, 2018 | The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS. | ||
| CVE-2017-12343 | Hig | 0.57 | 8.8 | 0.02 | Nov 30, 2017 | Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a… | ||
| CVE-2017-7666 | Hig | 0.57 | 8.8 | 0.01 | Jul 17, 2017 | Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks. | ||
| CVE-2026-2344 | Hig | 0.56 | — | 0.00 | Feb 11, 2026 | A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions being performed on behalf of privileged users.This issue affects Plunet BusinessManager: 10.15.1 | ||
| CVE-2025-7799 | Hig | 0.56 | 8.6 | 0.00 | Feb 9, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS. This issue affects e-Taxpayer Accounting Website: through 07082025. | ||
| CVE-2025-6397 | Hig | 0.56 | 8.6 | 0.00 | Feb 3, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about… | ||
| CVE-2025-49486 | Hig | 0.56 | — | 0.00 | Jul 18, 2025 | A stored XSS vulnerability in the Balbooa Gallery plugin 1.0.0-2.4.0 for Joomla allows privileged users to store malicious scripts in gallery items. | ||
| CVE-2024-10385 | Hig | 0.56 | — | 0.01 | Dec 20, 2024 | Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with their privileges, including… |
- risk 0.57cvss —epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Exnet Informatics Software Ferry Reservation System allows Reflected XSS. This issue affects Ferry Reservation System: before 240805-002.
- risk 0.57cvss 8.7epss 0.00
A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
- risk 0.57cvss —epss 0.00
Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local…
- risk 0.57cvss —epss 0.06
Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web-interface allows stored Cross-Site Scripting (XSS)..This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.
- risk 0.57cvss 8.7epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited.
- risk 0.57cvss 8.7epss 0.00
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited.
- risk 0.57cvss 8.8epss 0.01
The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field if an e-mail message).
- risk 0.57cvss 8.7epss 0.01
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited.
- risk 0.57cvss 8.8epss 0.01
DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that…
- risk 0.57cvss 8.8epss 0.01
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset.…
- risk 0.57cvss 8.8epss 0.01
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921.
- risk 0.57cvss 8.8epss 0.01
PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant XSS.
- risk 0.57cvss 8.8epss 0.01
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
- risk 0.57cvss 8.8epss 0.02
Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a…
- risk 0.57cvss 8.8epss 0.01
Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.
- risk 0.56cvss —epss 0.00
A vulnerability in Plunet Plunet BusinessManager allows unauthorized actions being performed on behalf of privileged users.This issue affects Plunet BusinessManager: 10.15.1
- risk 0.56cvss 8.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS. This issue affects e-Taxpayer Accounting Website: through 07082025.
- risk 0.56cvss 8.6epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about…
- risk 0.56cvss —epss 0.00
A stored XSS vulnerability in the Balbooa Gallery plugin 1.0.0-2.4.0 for Joomla allows privileged users to store malicious scripts in gallery items.
- risk 0.56cvss —epss 0.01
Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with their privileges, including…