CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (19,212)
page 942 of 961| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-0462 | 0.00 | — | 0.00 | Jan 25, 2008 | Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2008-0463 | 0.00 | — | 0.00 | Jan 25, 2008 | Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties. | ||
| CVE-2008-0444 | 0.00 | — | 0.01 | Jan 25, 2008 | Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components. | ||
| CVE-2008-0426 | 0.00 | — | 0.00 | Jan 23, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PacerCMS before 0.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) headline, or (3) text field in a message. | ||
| CVE-2008-0404 | 0.00 | — | 0.01 | Jan 23, 2008 | Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary. | ||
| CVE-2008-0370 | 0.00 | — | 0.00 | Jan 22, 2008 | Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-0381 | 0.00 | — | 0.00 | Jan 22, 2008 | Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files. | ||
| CVE-2008-0354 | 0.00 | — | 0.01 | Jan 18, 2008 | Cross-site scripting (XSS) vulnerability in the chat client in IBM Lotus Sametime 7.5 and 7.5.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted message, which triggers code execution after a mouseover event initiated by the victim. | ||
| CVE-2008-0362 | 0.00 | — | 0.00 | Jan 18, 2008 | Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the album parameter. | ||
| CVE-2008-0335 | 0.00 | — | 0.00 | Jan 17, 2008 | Cross-site scripting (XSS) vulnerability in BugTracker.NET before 2.7.2 allows remote attackers to inject arbitrary web script or HTML via an arbitrary custom text field. | ||
| CVE-2007-6687 | 0.00 | — | 0.01 | Jan 17, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Menalto Gallery before 2.2.4 allow remote attackers to inject arbitrary web script or HTML via crafted filenames to the (1) Core or (2) add-item modules; or via (3) HTTP PROPPATCH in the WebDAV module. | ||
| CVE-2008-0292 | 0.00 | — | 0.00 | Jan 16, 2008 | Cross-site scripting (XSS) vulnerability in photo_album.pl in Dansie Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-0284 | 0.00 | — | 0.00 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) Itemid or (2) topic arguments. | ||
| CVE-2008-0257 | 0.00 | — | 0.00 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in search.pl in Dansie Search Engine 2.7 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-0276 | 0.00 | — | 0.00 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table. | ||
| CVE-2008-0274 | 0.00 | — | 0.01 | Jan 15, 2008 | Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files. | ||
| CVE-2008-0273 | 0.00 | — | 0.01 | Jan 15, 2008 | Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism. | ||
| CVE-2008-0005 | 0.00 | — | 0.03 | Jan 12, 2008 | mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. | ||
| CVE-2008-0197 | 0.00 | — | 0.00 | Jan 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wpcf_email, (2) wpcf_subject, (3) wpcf_question, (4) wpcf_answer, (5) wpcf_success_msg, (6) wpcf_error_msg, or (7) wpcf_msg parameter to wp-admin/admin.php, or (8) the SRC attribute of an IFRAME element. | ||
| CVE-2008-0200 | 0.00 | — | 0.01 | Jan 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in account/index.html in RotaBanner Local 3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) drop parameter. |
- CVE-2008-0462Jan 25, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-0463Jan 25, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties.
- CVE-2008-0444Jan 25, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components.
- CVE-2008-0426Jan 23, 2008risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PacerCMS before 0.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) headline, or (3) text field in a message.
- CVE-2008-0404Jan 23, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary.
- CVE-2008-0370Jan 22, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-0381Jan 22, 2008risk 0.00cvss —epss 0.00
Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files.
- CVE-2008-0354Jan 18, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the chat client in IBM Lotus Sametime 7.5 and 7.5.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted message, which triggers code execution after a mouseover event initiated by the victim.
- CVE-2008-0362Jan 18, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the album parameter.
- CVE-2008-0335Jan 17, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in BugTracker.NET before 2.7.2 allows remote attackers to inject arbitrary web script or HTML via an arbitrary custom text field.
- CVE-2007-6687Jan 17, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Menalto Gallery before 2.2.4 allow remote attackers to inject arbitrary web script or HTML via crafted filenames to the (1) Core or (2) add-item modules; or via (3) HTTP PROPPATCH in the WebDAV module.
- CVE-2008-0292Jan 16, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in photo_album.pl in Dansie Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-0284Jan 15, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) Itemid or (2) topic arguments.
- CVE-2008-0257Jan 15, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in search.pl in Dansie Search Engine 2.7 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-0276Jan 15, 2008risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table.
- CVE-2008-0274Jan 15, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.
- CVE-2008-0273Jan 15, 2008risk 0.00cvss —epss 0.01
Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism.
- CVE-2008-0005Jan 12, 2008risk 0.00cvss —epss 0.03
mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.
- CVE-2008-0197Jan 10, 2008risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wpcf_email, (2) wpcf_subject, (3) wpcf_question, (4) wpcf_answer, (5) wpcf_success_msg, (6) wpcf_error_msg, or (7) wpcf_msg parameter to wp-admin/admin.php, or (8) the SRC attribute of an IFRAME element.
- CVE-2008-0200Jan 10, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in account/index.html in RotaBanner Local 3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) drop parameter.