CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (23,177)

page 926 of 1,159

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2016-10531	—	—	0.00	May 31, 2018	marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw…
CVE-2016-10537	—	—	0.00	May 31, 2018	backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and…
CVE-2016-10547	—	—	0.00	May 31, 2018	Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as…
CVE-2018-11627	—	—	0.00	May 31, 2018	Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
CVE-2017-16010	—	—	0.00	May 29, 2018	i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to…
CVE-2018-1136	—	—	0.00	May 25, 2018	An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move…
CVE-2018-10095	—	—	0.47	May 22, 2018	Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
CVE-2018-11093	—	—	0.00	May 22, 2018	Cross-site scripting (XSS) vulnerability in the Link package for CKEditor 5 before 10.0.1 allows remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element.
CVE-2018-11326	—	—	0.00	May 22, 2018	An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.
CVE-2017-2607	—	—	0.00	May 21, 2018	jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running.…
CVE-2017-2610	—	—	0.00	May 15, 2018	jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).
CVE-2017-2601	—	—	0.00	May 10, 2018	Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
CVE-2018-1000177	—	—	0.00	May 8, 2018	A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that…
CVE-2017-14740	—	—	0.00	Apr 26, 2018	Cross-site scripting (XSS) vulnerability in GeniXCMS 1.1.0 allows remote authenticated users to inject arbitrary web script or HTML via the Menu ID when adding a menu.
CVE-2018-10366	—	—	0.00	Apr 25, 2018	An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
CVE-2018-9861	—	—	0.00	Apr 19, 2018	Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script…
CVE-2018-1000162	—	—	0.00	Apr 18, 2018	Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that allows it to side step HTML…
CVE-2018-1325	Apache Wicket jQuery UI	—	0.00	Apr 18, 2018	In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display.
CVE-2018-1000160	—	—	0.00	Apr 18, 2018	RisingStack protect version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in isXss() function in lib/rules/xss.js that can result in dangerous XSS strings being validated as safe. This attack appears to be exploitable via A number of XSS strings(26)…
CVE-2018-8071	—	—	0.00	Apr 18, 2018	Mautic before v2.13.0 has stored XSS via a theme config file.

CVE-2016-10531May 31, 2018
risk 0.00cvss —epss 0.00
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw…
CVE-2016-10537May 31, 2018
risk 0.00cvss —epss 0.00
backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and…
CVE-2016-10547May 31, 2018
risk 0.00cvss —epss 0.00
Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as…
CVE-2018-11627May 31, 2018
risk 0.00cvss —epss 0.00
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
CVE-2017-16010May 29, 2018
risk 0.00cvss —epss 0.00
i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to…
CVE-2018-1136May 25, 2018
risk 0.00cvss —epss 0.00
An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move…
CVE-2018-10095May 22, 2018
risk 0.00cvss —epss 0.47
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
CVE-2018-11093May 22, 2018
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Link package for CKEditor 5 before 10.0.1 allows remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element.
CVE-2018-11326May 22, 2018
risk 0.00cvss —epss 0.00
An issue was discovered in Joomla! Core before 3.8.8. Inadequate input filtering leads to a multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform a XSS attack.
CVE-2017-2607May 21, 2018
risk 0.00cvss —epss 0.00
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running.…
CVE-2017-2610May 15, 2018
risk 0.00cvss —epss 0.00
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388).
CVE-2017-2601May 10, 2018
risk 0.00cvss —epss 0.00
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
CVE-2018-1000177May 8, 2018
risk 0.00cvss —epss 0.00
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that…
CVE-2017-14740Apr 26, 2018
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in GeniXCMS 1.1.0 allows remote authenticated users to inject arbitrary web script or HTML via the Menu ID when adding a menu.
CVE-2018-10366Apr 25, 2018
risk 0.00cvss —epss 0.00
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
CVE-2018-9861Apr 19, 2018
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script…
CVE-2018-1000162Apr 18, 2018
risk 0.00cvss —epss 0.00
Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that allows it to side step HTML…
CVE-2018-1325Apr 18, 2018
Apache
Wicket jQuery UI
risk 0.00cvss —epss 0.00
In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display.
CVE-2018-1000160Apr 18, 2018
risk 0.00cvss —epss 0.00
RisingStack protect version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in isXss() function in lib/rules/xss.js that can result in dangerous XSS strings being validated as safe. This attack appears to be exploitable via A number of XSS strings(26)…
CVE-2018-8071Apr 18, 2018
risk 0.00cvss —epss 0.00
Mautic before v2.13.0 has stored XSS via a theme config file.