CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (19,212)
Page 937 of 961

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-1001 | | 0.00 | — | 0.00 | | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1, when running on Windows XP or Vista, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is not properly handled in the error page. |
| CVE-2008-1002 | | 0.00 | — | 0.02 | | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 allows remote attackers to inject arbitrary web script or HTML via a crafted javascript: URL. |
| CVE-2008-1003 | | 0.00 | — | 0.01 | | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to sites that set the document.domain property or have the same document.domain. |
| CVE-2008-1004 | | 0.00 | — | 0.01 | | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the Web Inspector. |
| CVE-2008-1007 | | 0.00 | — | 0.01 | | Mar 19, 2008 | WebCore, as used in Apple Safari before 3.1, does not enforce the frame navigation policy for Java applets, which allows remote attackers to conduct cross-site scripting (XSS) attacks. |
| CVE-2008-1008 | | 0.00 | — | 0.01 | | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via the document.domain property. |
| CVE-2008-1009 | | 0.00 | — | 0.01 | | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary JavaScript by modifying the history object. |
| CVE-2008-1011 | | 0.00 | — | 0.02 | | Mar 19, 2008 | Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame. |
| CVE-2008-1360 | | 0.00 | — | 0.00 | | Mar 17, 2008 | Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624. |
| CVE-2008-1359 | | 0.00 | — | 0.00 | | Mar 17, 2008 | Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB or IP.Board) 2.3.4 before 2008-03-13 allows remote attackers to inject arbitrary web script or HTML via nested BBCodes, a different vector than CVE-2008-0913. |
| CVE-2008-1342 | | 0.00 | — | 0.00 | | Mar 17, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in the search feature in Polymita BPM-Suite and CollagePortal allow remote attackers to inject arbitrary web script or HTML via the (1) _q and (2) lucene_index_field_value parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2007-6707 | | 0.00 | — | 0.00 | | Mar 13, 2008 | Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Linksys WAG54GS Wireless-G ADSL Gateway with 1.01.03 and earlier firmware allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-3574. |
| CVE-2008-1300 | | 0.00 | — | 0.01 | | Mar 12, 2008 | Cross-site scripting (XSS) vulnerability in the Logfile Viewer Settings function in system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp in Alkacon OpenCms 7.0.3 and 7.0.4 allows remote attackers to inject arbitrary web script or HTML via the filePath.0 parameter in a save action, a different vector than CVE-2008-1045. |
| CVE-2008-1306 | | 0.00 | — | 0.00 | | Mar 12, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Savvy Content Manager (CM) allow remote attackers to inject arbitrary web script or HTML via the searchterms parameter to (1) searchresults.cfm, (2) search_results.cfm, and (3) search_results/index.cfm. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2008-1202 | | 0.00 | — | 0.04 | | Mar 12, 2008 | Cross-site scripting (XSS) vulnerability in the web management interface in Adobe LiveCycle Workflow 6.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. |
| CVE-2008-0643 | | 0.00 | — | 0.03 | | Mar 12, 2008 | Cross-site scripting (XSS) vulnerability in Adobe ColdFusion MX 7 and ColdFusion 8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2008-1285 | | 0.00 | — | 0.01 | | Mar 11, 2008 | Cross-site scripting (XSS) vulnerability in Sun Java Server Faces (JSF) 1.2 before 1.2_08 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. |
| CVE-2008-1257 | | 0.00 | — | 0.00 | | Mar 10, 2008 | Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ZyXEL P-660HW series router allows remote attackers to inject arbitrary web script or HTML via the PingIPAddr parameter. |
| CVE-2008-1253 | | 0.00 | — | 0.00 | | Mar 10, 2008 | Cross-site scripting (XSS) vulnerability in cgi-bin/webcm on the D-Link DSL-G604T router allows remote attackers to inject arbitrary web script or HTML via the var:category parameter, as demonstrated by a request for advanced/portforw.htm on the fwan page. |
| CVE-2008-1251 | | 0.00 | — | 0.00 | | Mar 10, 2008 | Cross-site scripting (XSS) vulnerability in the web interface on the central phone server for the Snom 320 SIP Phone allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |