CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,298 vulnerabilities with CWE-79
CVE-2024-13658 MEDIUM
NGG Smart Image Search <= 3.2.1 - Authenticated Stored Cross-Site Scripting via 'hr_SIS_nextgen_searchbox' Shortcode
CVSS 6.4
CVE-2024-11746 MEDIUM
Woocommerce Brands Plugin <1.3.2 - XSS
CVSS 6.4
CVE-2024-13749 MEDIUM
StaffList <= 3.2.3 - Unauthenticated Cross-Site Request Forgery and Stored Cross-Site Scripting via Settings Update
CVSS 6.1
CVE-2024-13701 MEDIUM
Liveticker < 1.2.3 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2024-12833 MEDIUM
Paessler PRTG Network Monitor < 25.1.102.1373 - Authentication Bypass and Cross-Site Scripting via SNMP
CVSS 6.1
CVE-2024-27781 HIGH
Fortinet FortiSandbox 3.0.0-4.0.4, 4.2.1-4.2.6, 4.4.0-4.4.4 - Cross-Site Scripting
CVSS 7.1
CVE-2024-27780 LOW
FortiSIEM 6.7.0-6.7.8, 7.0, 7.1 - Authenticated Cross-Site Scripting via Crafted HTTP Requests
CVSS 2.2
CVE-2024-12756 HIGH
Avaya Spaces - HTML Injection
CVSS 7.3
CVE-2024-12755 HIGH
Avaya Spaces - Cross-Site Scripting
CVSS 7.9
CVE-2024-13830 MEDIUM
Ivanti Connect Secure < 22.7R2.6 and Policy Secure < 22.7R1.3 - Unauthenticated Reflected Cross-Site Scripting
CVSS 6.1
CVE-2024-13506 MEDIUM
GeoDirectory - WP Business Directory Plugin <2.8.97 - XSS
CVSS 6.4
CVE-2024-52612 MEDIUM
SolarWinds Platform < 2025.1 - Authenticated Reflected Cross-Site Scripting via Input Parameter
CVSS 6.8
CVE-2024-13570 MEDIUM
Stray Random Quotes < 1.9.9 - Reflected Cross-Site Scripting
CVSS 6.1
CVE-2024-13543 MEDIUM
Zarinpal Paid Download < 2.3 - Reflected Cross-Site Scripting
CVSS 6.1
CVE-2024-12599 MEDIUM
HT Mega - Absolute Addons For Elementor <= 2.8.1 - Authenticated Stored Cross-Site Scripting via Countdown Widget
CVSS 6.4
CVE-2024-13010 MEDIUM
WP Foodbakery <= 4.8 - Unauthenticated Reflected Cross-Site Scripting via Search Type Parameter
CVSS 6.1
CVE-2024-57409 MEDIUM
cool-admin-java 1.0 - Stored Cross-Site Scripting via Internet Pictures Field
CVSS 4.8
CVE-2024-48170 MEDIUM
PHPGurukul Small CRM 3.0 - Stored Cross-Site Scripting via Profile Name Field
CVSS 5.4
CVE-2024-11831 MEDIUM
serialize-javascript >=6.0.0 <6.0.2 - Cross-Site Scripting via Unsanitized JavaScript Object Input
CVSS 5.4
CVE-2024-13850 MEDIUM
Simple add pages or posts <= 2.0.0 - Authenticated Stored Cross-Site Scripting
CVSS 5.5
CVE-2024-57279 MEDIUM
LDAP User Manager <= ce92321 - Reflected Cross-Site Scripting via /setup/index.php returnto Parameter
CVSS 5.4
CVE-2024-57278 MEDIUM
QingScan <=v1.8.0 - Reflected Cross-Site Scripting via Query Parameter
CVSS 5.4
CVE-2024-52882 MEDIUM
AudioCodes One Voice Operations Center < 8.4.582 - Cross-Site Scripting via Devices API
CVSS 6.1
CVE-2024-10383 HIGH
GitLab 15.11-17.2 - Stored Cross-Site Scripting in Web IDE via .ipynb File Loading
CVSS 8.7
CVE-2024-13492 MEDIUM
Guten Free Options < 0.9.5 - Reflected Cross-Site Scripting
CVSS 6.1
Details
Vulnerabilities 45,298
Exploit Likelihood High