Cross-Site Scripting

⚔️ Attack Types Related 27
slug: xss

Explanation

XSSは「Webページの中に、攻撃者の悪意あるJavaScriptを忍び込ませる」攻撃です。 例えば掲示板に `<script>盗む()</script>` のような投稿をして、それを見た他のユーザーのCookie (ログイン情報) を盗む、といった攻撃が典型的です。 対策は「ユーザー入力を画面に出すときに、HTMLとして無害化 (エスケープ) する」こと。多くのフレームワークでは標準で対策されています。
📌 Example
2005年MySpaceワーム「Samy」: 1人の投稿が見るだけで他人のプロフィールにコピーされ、24時間で100万人に感染した有名事件。

🔖 Related tags

🛡 Vulnerabilities tagged with this 3,314

ID Title
CVE-2017-14724 Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
CVE-2017-14726 Cross-Site Scripting (XSS) in wordpress (CVE-2017-14726)
CVE-2017-14712 In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
CVE-2017-14713 In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Description parameter.
CVE-2017-14714 In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subject parameter.
CVE-2017-14715 In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Title parameter.
CVE-2017-14716 In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title parameter.
CVE-2017-14717 In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
CVE-2017-14651 Cross-Site Scripting (XSS) in wso2 (CVE-2017-14651)
CVE-2017-14321 Cross-Site Scripting (XSS) in mirasvit (CVE-2017-14321)
CVE-2015-3296 Cross-Site Scripting (XSS) in nodebb (CVE-2015-3296)
CVE-2015-4706 Cross-Site Scripting (XSS) in ipython (CVE-2015-4706)
CVE-2017-12248 Cross-Site Scripting (XSS) in cisco (CVE-2017-12248)
CVE-2017-12254 Cross-Site Scripting (XSS) in cisco (CVE-2017-12254)
CVE-2017-14621 Portus 2.2.0 has XSS via the Team field, related to typeahead.
CVE-2017-14618 Cross-Site Scripting (XSS) in phpmyfaq (CVE-2017-14618)
CVE-2017-14619 Cross-Site Scripting (XSS) in phpmyfaq (CVE-2017-14619)
CVE-2015-7347 Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1.
CVE-2014-9758 Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platform 1.9.0.1.
CVE-2015-1866 Cross-site scripting (XSS) vulnerability in Ember.js 1.10.x before 1.10.1 and 1.11.x before 1.11.2.
CVE-2015-4707 Cross-Site Scripting (XSS) in ipython (CVE-2015-4707)
CVE-2015-4072 Cross-Site Scripting (XSS) in helpdesk-pro-project (CVE-2015-4072)
CVE-2017-14142 Cross-Site Scripting (XSS) in kaltura (CVE-2017-14142)
CVE-2014-6191 Cross-Site Scripting (XSS) in ibm (CVE-2014-6191)
CVE-2015-1864 Cross-Site Scripting (XSS) in kallithea (CVE-2015-1864)
CVE-2015-3299 Cross-Site Scripting (XSS) in wordpress (CVE-2015-3299)
CVE-2015-3432 Cross-Site Scripting (XSS) in pydio (CVE-2015-3432)
CVE-2017-14597 Cross-Site Scripting (XSS) in afterlogic (CVE-2017-14597)
CVE-2014-6106 Cross-Site Request Forgery (CSRF) in csrf (CVE-2014-6106)
CVE-2017-12156 Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →