CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
BaseStableLikelihood: High
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-209 · CAPEC-588 · CAPEC-591 · CAPEC-592 · CAPEC-63 · CAPEC-85
CVEs mapped to this weakness (19,212)
page 955 of 961| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2006-6163 | 0.00 | — | 0.00 | Nov 29, 2006 | Cross-site scripting (XSS) vulnerability in tiki-setup_base.php in TikiWiki before 1.9.7 allows remote attackers to inject arbitrary JavaScript via unspecified parameters. | ||
| CVE-2006-6159 | 0.00 | — | 0.02 | Nov 28, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in newticket.php in DeskPRO 2.0.0 and 2.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) message or (2) subject parameter. | ||
| CVE-2006-6108 | 0.00 | — | 0.01 | Nov 26, 2006 | Cross-site scripting (XSS) vulnerability in EC-CUBE before 1.0.1a-beta allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. | ||
| CVE-2006-6037 | 0.00 | — | 0.02 | Nov 22, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Dan Jensen Travelsized CMS 0.4.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) page, (2) page_id, or (3) language parameter. | ||
| CVE-2006-6046 | 0.00 | — | 0.01 | Nov 22, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in eggblog 3.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) edit parameter to (a) admin/articles.php or (b) admin/comments.php, or the (2) add parameter to admin/users.php. | ||
| CVE-2006-5843 | 0.00 | — | 0.02 | Nov 10, 2006 | Cross-site scripting (XSS) vulnerability in index.php in Speedywiki 2.0 allows remote attackers to inject arbitrary web script or HTML via the showRevisions parameter. | ||
| CVE-2006-5560 | 0.00 | — | 0.01 | Oct 27, 2006 | Cross-site scripting (XSS) vulnerability in heading.php in Boesch ProgSys 0.151 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/index.php, and unspecified vectors related to certain other files. NOTE: some of these details are obtained from third party information. | ||
| CVE-2006-5534 | 0.00 | — | 0.00 | Oct 26, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in index.htm in Zwahlen Online Shop Freeware 5.2.2.50, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) Kat, (3) id, or (4) no parameters. NOTE: some of these details are obtained from third party information. | ||
| CVE-2006-5486 | 0.00 | — | 0.01 | Oct 24, 2006 | Cross-site scripting (XSS) vulnerability in Webmail in Sun Java System Messaging Server 6.0 through 6.2 and iPlanet Messaging Server 5.2 allows remote attackers to execute arbitrary Javascript via crafted messages. | ||
| CVE-2006-5451 | 0.00 | — | 0.02 | Oct 23, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) action, (2) file, and (3) users array variables in (a) admin.php, which are not properly handled when the administrator views the Activity Log; and the (4) torrent parameter, as used by the displayName variable, in (b) startpop.php, different vectors than CVE-2006-5227. | ||
| CVE-2006-5168 | 0.00 | — | 0.00 | Oct 10, 2006 | Cross-site scripting (XSS) vulnerability in the search functionality in Simon Brown Pebble 2.0.0 RC1 and RC2 allows remote attackers to inject arbitrary web script or HTML via the query string. | ||
| CVE-2006-5119 | 0.00 | — | 0.01 | Oct 3, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in Zen Cart 1.3.5 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_name or (2) admin_pass parameter in (a) admin/login.php, or the (3) admin_email parameter in (b) admin/password_forgotten.php. | ||
| CVE-2006-5080 | 0.00 | — | 0.01 | Sep 29, 2006 | Cross-site scripting (XSS) vulnerability in the search function in Six Apart Movable Type 3.3 to 3.32, and Movable Type Enterprise 1.01 and 1.02, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2006-4568 | 0.00 | — | 0.01 | Sep 15, 2006 | Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks. | ||
| CVE-2006-4755 | 0.00 | — | 0.00 | Sep 13, 2006 | Cross-site scripting (XSS) vulnerability in alpha.php in phpMyDirectory 10.4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the letter parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | ||
| CVE-2006-4712 | 0.00 | — | 0.05 | Sep 12, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allow remote attackers to inject arbitrary web script or HTML via JavaScript in a content:encoded element within an item element in an RSS feed, as demonstrated by four example content:encoded elements that use XMLHttpRequest to read arbitrary local files, aka "Cross Context Scripting." | ||
| CVE-2006-4542 | 0.00 | — | 0.03 | Sep 5, 2006 | Webmin before 1.296 and Usermin before 1.226 do not properly handle a URL with a null ("%00") character, which allows remote attackers to conduct cross-site scripting (XSS), read CGI program source code, list directories, and possibly execute programs. | ||
| CVE-2006-4299 | 0.00 | — | 0.01 | Aug 23, 2006 | Cross-site scripting (XSS) vulnerability in tiki-searchindex.php in TikiWiki 1.9.4 allows remote attackers to inject arbitrary web script or HTML via the highlight parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | ||
| CVE-2006-4067 | 0.00 | — | 0.00 | Aug 10, 2006 | Cross-site scripting (XSS) vulnerability in cake/libs/error.php in CakePHP before 1.1.7.3363 allows remote attackers to inject arbitrary web script or HTML via the URL, which is reflected back in a 404 ("Not Found") error page. NOTE: some of these details are obtained from third party information. | ||
| CVE-2006-4038 | 0.00 | — | 0.01 | Aug 9, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in eintragen.php in GaesteChaos 0.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gastname or (2) gastwohnort parameters. |