An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.
Adobe Experience Manager versions 6.1 and 6.0 are vulnerable to a reflected cross-site scripting vulnerability related to the handling of malicious content embedded in image files uploaded to the DAM.
Multiple cross-site scripting (XSS) vulnerabilities in the admin interface in EPiServer CMS through 6R2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in read.php in Phorum 3.3.2a allows remote attackers to inject arbitrary web script or HTML via (1) the t parameter or (2) the body of an email response.
Cross-site scripting (XSS) vulnerability in the management interface on the Cisco IronPort Encryption Appliance with software before 6.5.3 allows remote attackers to inject arbitrary web script or HTML via the header parameter to the default URI under admin/, aka bug ID 72410.
Cross-site scripting (XSS) vulnerability in (1) showcat.php and (2) addyoursite.php in phpLinkat 0.1.0 allows remote attackers to inject arbitrary web script or HTML via the catid parameter.
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure.
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Pagefusion 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) acct_fname and (2) acct_lname parameters in an edit action, and the (3) PID, (4) PGID, and (5) rez parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Cross-site scripting (XSS) vulnerability in z_user_show.php in dbtreelistproperty_method.php in Zorum 2.4 allows remote attackers to inject arbitrary web script or HTML via the class parameter.
foreman before version 1.16.0 is vulnerable to a stored XSS in organizations/locations assignment to hosts. Exploiting this requires a user to actively assign hosts to an organization that contains html in its name which is visible to the user prior to taking action.
In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
Cross-site scripting (XSS) vulnerability in IBM Tivoli Endpoint Manager (TEM) 8 before 8.2 patch 3 allows remote attackers to inject arbitrary web script or HTML via the ScheduleParam parameter to the webreports program.
Multiple cross-site scripting (XSS) vulnerabilities in WiKID 2FA Enterprise Server through 4.2.0-b2047 allow remote attackers to inject arbitrary web script or HTML that is triggered when Logs.jsp is visited. The rendered_message column is retrieved and displayed, unsanitized, on Logs.jsp. A remote attack can populate the rendered_message column with malicious values via: (1) H parameter to /wikid/servlet/com.wikidsystems.server.GetDomainHash (2) S parameter to: - /wikid/DomainData - /wikid/PreRegisterLookup - /wikid/PreRegister - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES (3) a parameter to: - /wikid/PreRegisterLookup - /wikid/InitDevice - /wikid/servlet/InitDevice2S - /wikid/servlet/InitDevice3S - /servlet/com.wikidsystems.server.InitDevice2S - /servlet/com.wikidsystems.server.InitDevice3S - /servlet/com.wikidsystems.server.InitDevice4S - /wikid/servlet/com.wikidsystems.server.InitDevice4AES - /wikid/servlet/com.wikidsystems.server.InitDevice5AES.
The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.
Adobe Experience Manager versions 6.3 and earlier have an exploitable Cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
A logic issue was addressed with improved validation. This issue affected versions prior to iOS 12.1, watchOS 5.1, Safari 12.0.1, iTunes 12.9.1, iCloud for Windows 7.8.
Reservo Image Hosting 1.6 is vulnerable to XSS attacks. The affected function is its search engine (the t parameter to the /search URI). Since there is an user/admin login interface, it's possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed.
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0587, CVE-2012-0588, and CVE-2012-0589.
ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Update 15 and earlier have a cross site scripting vulnerability. Successful exploitation could lead to information disclosure .
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.
An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form (html\admin\modules\manager\views\form.php), an unsanitized managerdisplay variable coming from the URL is reflected in HTML, leading to XSS. It can be requested via GET request to /config.php?type=tool&display=manager.
Cross-site scripting (XSS) vulnerability in the telerik HTML editor in DotNetNuke before 5.6.4 and 6.x before 6.1.0 allows remote attackers to inject arbitrary web script or HTML via a message.
Cross-site scripting (XSS) vulnerability in referencement/sites_inscription.php in Annuaire PHP allows remote attackers to inject arbitrary web script or HTML via the url parameter and possibly the nom parameter.
Cross-site scripting (XSS) vulnerability in Joomla! 1.6 and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0820.
Cross-site scripting (XSS) vulnerability in Apple Safari before 6.0 allows remote attackers to inject arbitrary web script or HTML via a feed:// URL.
Cross-site scripting (XSS) vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0822.
Multiple cross-site scripting (XSS) vulnerabilities in the Executive Viewer (EV) in IBM Cognos TM1 before 9.5 FP1 allow remote attackers to inject arbitrary web script or HTML via unspecified requests to (1) aspnet_client or (2) evserver/createcontrol.js.
An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.
crud-file-server node module before 0.8.0 suffers from a Cross-Site Scripting vulnerability to a lack of validation of file names.
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the Location variable.
Multiple cross-site scripting (XSS) vulnerabilities in Etano 1.22 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user, (2) email, (3) email2, (4) f17_zip, or (5) agree parameter to join.php; (6) PATH_INFO, (7) st, (8) f17_city, (9) f17_country, (10) f17_state, (11) f17_zip, (12) f19, (13) wphoto, (14) search, or (15) v parameter to search.php; (16) PATH_INFO or (17) st parameter to photo_search.php; or (18) return parameter to photo_view.php.
TheFirstQuestion/HelpMeWatchWho before 2017-03-28 is vulnerable to a reflected XSS in HelpMeWatchWho-master/unaired.php (episodeID parameter).
Cross-site scripting (XSS) vulnerability in the cleanup_urls function in forum/utils/html.py in OSQA before 1234, and 0.9.0 Beta 3 and earlier, allows remote attackers to inject arbitrary web script or HTML via vectors related to a crafted URI.
A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Desktop 7.1.2 b10978 allow remote attackers to inject arbitrary web script or HTML via the (1) Username or (2) MailBox Name.
Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 9.x and 10.x allow remote attackers to inject arbitrary web script or HTML via the (1) period parameter to showHistoryData.do; (2) selectedNetwork, (3) network, or (4) group parameters to showresource.do; (5) header parameter to AlarmView.do; or (6) attName parameter to jsp/PopUp_Graph.jsp. NOTE: the Search.do/query vector is already covered by CVE-2008-1566, and the jsp/ThresholdActionConfiguration.jsp redirectto vector is already covered by CVE-2008-0474.
Cross-site scripting (XSS) vulnerability in the Post data records to facebook (bc_post2facebook) extension before 0.2.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in mod_search/index.php in PortailPHP 0.99 allows remote attackers to inject arbitrary web script or HTML via the (1) $App_Theme, (2) $Rub_Search, (3) $Rub_News, (4) $Rub_File, (5) $Rub_Liens, or (6) $Rub_Faq variables.
Cross-site scripting in the Intel RAID Web Console v3 for Windows may allow an unauthenticated user to elevate privilege via remote access.
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)," as exploited in the wild in February 2012.
Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in MailEnable Professional, Enterprise, and Premium 4.26 and earlier, 5.x before 5.53, and 6.x before 6.03 allows remote attackers to inject arbitrary web script or HTML via the Username parameter.
In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href parameter.
Cross-site scripting (XSS) vulnerability in Verity Search97 allows remote attackers to insert arbitrary web content and steal sensitive information from other clients, possibly due to certain error messages from template pages that use the (1) vformat or (2) vfilter functions.
The error-log-viewer plugin before 1.0.6 for WordPress has multiple XSS issues.
ruby-grape ruby gem suffers from a cross-site scripting (XSS) vulnerability via "format" parameter.
An issue was discovered in certain Apple products. Safari before 11.1 is affected. The issue involves the "WebKit" component. A Safari cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject arbitrary web script or HTML via extensions of uploaded files.
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.
Multiple cross site scripting attacks were found in the Identity Manager Plug-in, hosted on iManager 2.7.7.7, before Identity Manager 4.6.1. In certain scenarios it was possible to execute arbitrary JavaScript code in the context of vulnerable application, via user.Context in the Object Selector, via vdtData in the Version discovery and via nextFrame in the Object Inspector and via Host GUID in the System details plugins.