CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStableLikelihood: High

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Hierarchy (View 1000)

Parents

CWE-74

Children

Related attack patterns (CAPEC)

CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85

CVEs mapped to this weakness (19,212)

page 946 of 961

CVE	CVSS	EPSS	Published	Description
CVE-2007-6104	—	0.01	Nov 23, 2007	Cross-site scripting (XSS) vulnerability in the Instant Web Publishing feature in FileMaker Pro 7 and 8, Server 7 and 8, and Developer 7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-6090	—	0.00	Nov 22, 2007	Cross-site scripting (XSS) vulnerability in index.php in Nuked-Klan 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-6002	—	0.01	Nov 15, 2007	Cross-site scripting (XSS) vulnerability in Fenriru (1) Sleipnir 2.5.17 R2 and earlier and (2) Grani 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search field in a search for additions to the Favorites section.
CVE-2007-5990	—	0.01	Nov 15, 2007	Cross-site scripting (XSS) vulnerability in ExoPHPdesk allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a user profile, possibly the (1) name and (2) website parameters to register.php.
CVE-2007-5977	—	0.01	Nov 15, 2007	Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a hex-encoded IMG element in the db parameter in a POST request, a different vulnerability than CVE-2006-6942.
CVE-2007-5980	—	0.01	Nov 15, 2007	Cross-site scripting (XSS) vulnerability in home/rss.php in eggblog before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
CVE-2007-5985	—	0.01	Nov 15, 2007	Multiple cross-site scripting (XSS) vulnerabilities in BtiTracker before 1.4.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) account.php, (2) moresmiles.php, or (3) recover.php; or (4) the "to" parameter to usercp.php.
CVE-2007-4698	—	0.01	Nov 15, 2007	Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to conduct cross-site scripting (XSS) attacks by causing JavaScript events to be associated with the wrong frame.
CVE-2007-5955	—	0.01	Nov 14, 2007	Cross-site scripting (XSS) vulnerability in updir.php in UPDIR.NET before 2.04 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-5948	—	0.00	Nov 14, 2007	Multiple cross-site scripting (XSS) vulnerabilities in main.php in SF-Shoutbox 1.2.1 through 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) nick (aka Name) and (2) shout (aka Shout) parameters.
CVE-2007-5950	—	0.01	Nov 14, 2007	Cross-site scripting (XSS) vulnerability in NetCommons before 1.0.11, and 1.1.x before 1.1.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2006-4165.
CVE-2007-5949	—	0.00	Nov 14, 2007	Cross-site scripting (XSS) vulnerability in IBM Tivoli Service Desk 6.2 allows remote authenticated users to inject arbitrary web script or HTML via the Description parameter in a Maximo change action.
CVE-2007-5932	—	0.01	Nov 10, 2007	Multiple cross-site scripting (XSS) vulnerabilities in Fatwire Content Server (CS) CMS 6.3.0 allow remote attackers to inject arbitrary web script or HTML via unspecified form fields related to the (1) search function, (2) advanced search function, and possibly other components.
CVE-2007-5930	—	0.01	Nov 10, 2007	Cross-site scripting (XSS) vulnerability in the web interface in Cerberus FTP Server before 2.46 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-5924	—	0.00	Nov 10, 2007	Cross-site scripting (XSS) vulnerability in the Web Server (HTTP) task in IBM Lotus Domino before 6.5.6 FP2, and 7.x before 7.0.2 FP2, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-5891	—	0.00	Nov 8, 2007	Multiple cross-site scripting (XSS) vulnerabilities in jsp/Login.do in ManageEngine OpManager MSP Edition and OpManager 7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) requestid, (2) fileid, (3) woMode, and (2) woID parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-5581	—	0.01	Nov 8, 2007	Multiple cross-site scripting (XSS) vulnerabilities in mpweb/scripts/mpx.dll in Cisco Unified MeetingPlace 5.4 and earlier and 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName and (2) LastName parameters.
CVE-2007-5888	—	0.00	Nov 7, 2007	Cross-site scripting (XSS) vulnerability in displayecard.php in Coppermine Photo Gallery (CPG) before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the data parameter.
CVE-2007-5833	—	0.00	Nov 5, 2007	Multiple cross-site scripting (XSS) vulnerabilities in BosDev BosMarket Business Directory System allow remote authenticated users to inject arbitrary web script or HTML via (1) user info (account details) or (2) a post.
CVE-2007-5834	—	0.00	Nov 5, 2007	Cross-site scripting (XSS) vulnerability in BosDev BosNews 4 allows remote attackers to inject arbitrary web script or HTML via a SCRIPT element in a news post.

CVE-2007-6104Nov 23, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the Instant Web Publishing feature in FileMaker Pro 7 and 8, Server 7 and 8, and Developer 7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-6090Nov 22, 2007
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in index.php in Nuked-Klan 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-6002Nov 15, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Fenriru (1) Sleipnir 2.5.17 R2 and earlier and (2) Grani 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search field in a search for additions to the Favorites section.
CVE-2007-5990Nov 15, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in ExoPHPdesk allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a user profile, possibly the (1) name and (2) website parameters to register.php.
CVE-2007-5977Nov 15, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a hex-encoded IMG element in the db parameter in a POST request, a different vulnerability than CVE-2006-6942.
CVE-2007-5980Nov 15, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in home/rss.php in eggblog before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
CVE-2007-5985Nov 15, 2007
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in BtiTracker before 1.4.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) account.php, (2) moresmiles.php, or (3) recover.php; or (4) the "to" parameter to usercp.php.
CVE-2007-4698Nov 15, 2007
risk 0.00cvss —epss 0.01
Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to conduct cross-site scripting (XSS) attacks by causing JavaScript events to be associated with the wrong frame.
CVE-2007-5955Nov 14, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in updir.php in UPDIR.NET before 2.04 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-5948Nov 14, 2007
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in main.php in SF-Shoutbox 1.2.1 through 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) nick (aka Name) and (2) shout (aka Shout) parameters.
CVE-2007-5950Nov 14, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in NetCommons before 1.0.11, and 1.1.x before 1.1.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2006-4165.
CVE-2007-5949Nov 14, 2007
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in IBM Tivoli Service Desk 6.2 allows remote authenticated users to inject arbitrary web script or HTML via the Description parameter in a Maximo change action.
CVE-2007-5932Nov 10, 2007
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Fatwire Content Server (CS) CMS 6.3.0 allow remote attackers to inject arbitrary web script or HTML via unspecified form fields related to the (1) search function, (2) advanced search function, and possibly other components.
CVE-2007-5930Nov 10, 2007
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the web interface in Cerberus FTP Server before 2.46 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-5924Nov 10, 2007
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in the Web Server (HTTP) task in IBM Lotus Domino before 6.5.6 FP2, and 7.x before 7.0.2 FP2, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-5891Nov 8, 2007
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in jsp/Login.do in ManageEngine OpManager MSP Edition and OpManager 7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) requestid, (2) fileid, (3) woMode, and (2) woID parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2007-5581Nov 8, 2007
risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in mpweb/scripts/mpx.dll in Cisco Unified MeetingPlace 5.4 and earlier and 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName and (2) LastName parameters.
CVE-2007-5888Nov 7, 2007
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in displayecard.php in Coppermine Photo Gallery (CPG) before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the data parameter.
CVE-2007-5833Nov 5, 2007
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in BosDev BosMarket Business Directory System allow remote authenticated users to inject arbitrary web script or HTML via (1) user info (account details) or (2) a post.
CVE-2007-5834Nov 5, 2007
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in BosDev BosNews 4 allows remote attackers to inject arbitrary web script or HTML via a SCRIPT element in a news post.