IBM Security Identity Manager Virtual Appliance is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
Multiple cross-site scripting (XSS) vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) tipo or (2) destino parameter to login_registrese.php3 in the Services section, (3) the rubro parameter to precios.php3 in the Products section, (4) the arti parameter to recomenda_articulo.php3 in the Products section, (5) the descrip parameter in a profile action to control/abm_det.php3 in the e-Commerce section, (6) the tit parameter in a delivery_courier action to control/abm_list.php3 in the e-Commerce section, or (7) the tit parameter in an usuario action to control/abm_det.php3 in the e-Commerce section.
A potential security vulnerability has been identified in HPE enhanced Internet Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be used for unauthorized access to information via cross site scripting. HPE has made the following software updates to resolve the vulnerability in eIUM. The eIUM 8.3 FP01 customers are advised to install eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch. The eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or later versions. For other versions, please, contact the product support.
This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed.
Cross-site scripting (XSS) vulnerability in Employee/emp_login.asp in Pre ASP Job Board allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
Cross-site scripting (XSS) vulnerability in wizardlist.aspx in Microsoft Office SharePoint Server 2010 Gold and SP1 and SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in wizardlist.aspx Vulnerability."
Multiple cross-site scripting (XSS) vulnerabilities in (1) view/admin/log_item.php and (2) view/admin/log_item_details.php in the Redirection plugin 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Referer HTTP header in a request to a post that does not exist.
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used.
Multiple cross-site scripting (XSS) vulnerabilities in TTChat 1.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the msg parameter to default.php or (2) the username parameter to chat_form.php.
Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274.
Multiple cross-site scripting (XSS) vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to inject arbitrary web script or HTML via the (1) mode parameter to contact_support.php; (2) contractid parameter to contract_add_service.php; (3) user parameter to edit_backup_users.php; (4) id parameter to edit_escalation_path.php; the Referer to (5) forgotpwd.php, (6) an approvalpage action to billable_incidents.php, or (7) transactions.php; (8) action parameter to inbox.php; (9) search_string parameter in a findcontact action to incident_add.php; table1 parameter to (10) report_customers.php, (11) report_incidents_by_engineer.php, (12) report_incidents_by_site.php, or (13) report_marketing.php; or the (14) startdate or (15) enddate parameter to report_incidents_by_vendor.php.
The Microsoft Anti-Cross Site Scripting (AntiXSS) Library 3.x and 4.0 does not properly evaluate characters after the detection of a Cascading Style Sheets (CSS) escaped character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML input, aka "AntiXSS Library Bypass Vulnerability."
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue
Microsoft Internet Information Server (IIS) in Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to perform cross-site scripting and run script with local user privileges via a crafted request, aka "Microsoft IIS Server XSS Elevation of Privilege Vulnerability."
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allow remote attackers to inject arbitrary web script or HTML via the uisesionid parameter to (1) maximo.jsp or (2) the default URI under ui/.
An XSS vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of Sophos Cyberoam firewall devices with firmware through 10.6.4. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a request to the "LiveConnectionDetail.jsp" application. GET parameters "applicationname" and "username" are improperly sanitized allowing an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the user. A vulnerable URI is /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp.
Cross-site scripting (XSS) vulnerability in Blue Coat Director before 5.5.2.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving the HTTP TRACE method.
IBM QRadar 7.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999534.
A potential XSS exists in Self Service Password Reset, in Micro Focus NetIQ Software all versions prior to version 4.4. The vulnerability could be exploited to enable an XSS attack.
Multiple cross-site scripting (XSS) vulnerabilities in the meta plugin (Plugin/meta.pm) in ikiwiki before 3.20120516 allow remote attackers to inject arbitrary web script or HTML via the (1) author or (2) authorurl meta tags.
A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16.1 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to the Login component.
Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.
In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.
Multiple cross-site scripting (XSS) vulnerabilities in poMMo Aardvark PR16.1 allow remote attackers to inject arbitrary web script or HTML via (1) the referer parameter to index.php, (2) the site_name parameter to admin/setup/config/general.php, (3) the group_name parameter to admin/subscribers/subscribers_groups.php, or (4) the field_name parameter to admin/setup/setup_fields.php.
Multiple cross-site scripting (XSS) vulnerabilities in admin/login in X3 CMS 0.4.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) username, or (3) password parameter.
Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909.
Cross-site scripting (XSS) vulnerability in lib/class.tx_jftcaforms_tceFunc.php in the Additional TCA Forms (jftcaforms) extension before 0.2.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php.
Multiple cross-site scripting (XSS) vulnerabilities in Gollos 2.8 allow remote attackers to inject arbitrary web script or HTML via the returnurl parameter to (1) register.aspx, (2) publication/info.aspx, or (3) user/add.aspx, or (4) the q parameter to product/list.aspx.
Cross-site scripting (XSS) vulnerability in lazyest-backup.php in the Lazyest Backup plugin before 0.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xml_or_all parameter.
Cross-site scripting (XSS) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.
Cross-site scripting (XSS) vulnerability in view/frontend-head.php in the Flowplayer plugin before 1.2.12 for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI.
Multiple cross-site scripting (XSS) vulnerabilities in SpamTitan 5.07 and possibly earlier allow remote attackers or authenticated users to inject arbitrary web script or HTML via the (1) ipaddress or (2) domain parameter to setup-network.php, different vectors than CVE-2011-5149. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
An error in the URL handler Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user.
An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type attributes with javascript:// links.
Multiple cross-site scripting (XSS) vulnerabilities in the Authoritative DNS - DNS Zones page in Barracuda Link Balancer 330 Firmware 1.3.2.005 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) zoneid or (2) scope parameter.
Cross-site scripting (XSS) vulnerability in DLGuard, possibly 4.6 and earlier, allows remote attackers to inject arbitrary web script or HTML via the searchCart parameter to index.php.
Multiple cross-site scripting (XSS) vulnerabilities in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by smb/app/available/id/apscatalog/ and certain other files.
A cross-site scripting (XSS) vulnerability in Smoothwall Express 3.
Multiple cross-site scripting (XSS) vulnerabilities in the user profile feature in Atlassian FishEye before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via (1) snippets in a user comment, which is not properly handled in a Confluence page, or (2) the user profile display name, which is not properly handled in a FishEye page.
The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
Cross-site scripting (XSS) vulnerability in IBM Rational Asset Manager before 7.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in serverreport.cgi in Axis M10 Series Network Cameras M1054 firmware 5.21 and earlier allows remote attackers to inject arbitrary web script or HTML via the pageTitle parameter to admin/showReport.shtml.