CWE-79

High likelihood

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,414 vulnerabilities with CWE-79
CVE-2024-53257 MEDIUM
vitess <19.0.8, 0.20.0-rc1-20.0.4, 0.21.0-rc1-0.21.1 - Stored XSS via Debug Query Log and Environment Pages
CVSS 4.9
CVE-2024-11200 MEDIUM
Goodlayers Core <= 2.0.7 - Unauthenticated Reflected Cross-Site Scripting via Font-Family Parameter
CVSS 6.1
CVE-2024-11326 MEDIUM
Campaign Monitor Forms by Optin Cat <2.5.7 - XSS
CVSS 6.1
CVE-2024-11782 MEDIUM
WP Mailster <= 1.8.17.0 - Authenticated Stored Cross-Site Scripting via mst_subscribe Shortcode
CVSS 6.4
CVE-2024-11325 MEDIUM
AWeber Forms by Optin Cat <2.5.7 - XSS
CVSS 5.2
CVE-2024-11866 MEDIUM
BMLT Tabbed Map <= 1.1.8 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2024-11898 MEDIUM
Scratch & Win - Giveaways and Contests <2.6.9 - XSS
CVSS 6.4
CVE-2024-11853 MEDIUM
jAlbum Bridge <= 2.0.16 - Authenticated Stored Cross-Site Scripting via 'ar' Parameter
CVSS 6.4
CVE-2024-11805 MEDIUM
Quick License Manager - WooCommerce Plugin <= 2.4.17 - Unauthenticated XSS via submit_qlm_products
CVSS 6.1
CVE-2024-11707 MEDIUM
WordPress My auctions allegro plugin <3.6.17 - XSS
CVSS 6.1
CVE-2024-11461 MEDIUM
WordPress Form Data Collector <2.2.3 - XSS
CVSS 6.1
CVE-2024-11453 MEDIUM
WordPress Pinterest Plugin <1.8.8 - XSS
CVSS 6.4
CVE-2024-9058 MEDIUM
Element Pack Elementor Addons < 5.10.5 - Authenticated Stored Cross-Site Scripting via Lightbox Widget
CVSS 6.4
CVE-2024-10893 MEDIUM
WP Booking Calendar < 10.6.5 - Authenticated Stored Cross-Site Scripting in Settings
CVSS 4.8
CVE-2024-10484 MEDIUM
Spectra < 2.16.3 - Authenticated Stored Cross-Site Scripting via Team Widget
CVSS 6.4
CVE-2024-9694 MEDIUM
CMSMasters Elementor Addon <= 1.14.7 - Authenticated Stored Cross-Site Scripting via Widget Attributes
CVSS 6.4
CVE-2024-53988 MEDIUM
rails-html-sanitizer 1.6.0 - Cross-Site Scripting via Allowed Math and Style Elements
CVSS 6.1
CVE-2024-53987 MEDIUM
rails-html-sanitizer 1.6.0 - Cross-Site Scripting via Style Element Injection
CVSS 6.1
CVE-2024-53986 MEDIUM
rails-html-sanitizer 1.6.0 - Cross-Site Scripting via HTML5 Sanitization with Allowed math and style Elements
CVSS 6.1
CVE-2024-53985 MEDIUM
Rails::HTML::Sanitizer <1.16.8 - XSS
CVSS 6.1
CVE-2024-53989 MEDIUM
rails-html-sanitizer 1.6.0 - Cross-Site Scripting via Noscript Tag Override
CVSS 6.1
CVE-2024-5890 MEDIUM
ServiceNow Now Platform < Utah Patch 8 Hot Fix 1, < Vancouver Patch 10, < Washington DC Early Access - HTML Injection
CVSS 4.3
CVE-2024-53617 MEDIUM
LibrePhotos - Cross-Site Scripting and Authorization Bypass via File Upload
CVSS 4.8
CVE-2024-53459 MEDIUM
Sysax Multi Server 6.99 - Cross-Site Scripting via SCGI SID Parameter
CVSS 5.4
CVE-2024-53759 HIGH
ArCa Payment Gateway <= 1.3.1 - Stored Cross-Site Scripting
CVSS 7.1
Details
Vulnerabilities 45,414
Exploit Likelihood High