A vulnerability was found in Translator PoqDev Add-On 1.0.11 on Firefox. It has been rated as problematic. This issue affects some unknown processing of the component Select Text Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-241649 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. (When in physical possession of the device, opening local files is also possible.) NOTE: As of 2019-09-23, the vendor has not agreed that this issue has serious impact. The vendor states that the issue is not critical because it does not allow Elevation of Privilege, Sensitive Data Leakage, or any critical unauthorized activity from a malicious user. The vendor also states that a victim must first install a malicious APK to their application.
A vulnerability was found in Travelmate Travelable Trek Management Solution 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Comment Box Handler. The manipulation of the argument comment leads to cross site scripting. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. VDB-235214 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability, which was classified as problematic, was found in Comodo Dragon up to 134.0.6998.179. This affects an unknown part of the component IP DNS Leakage Detector. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerability in SearchHighlighter::highlightText() with non-default configurations.
The Chartkick gem through 3.1.0 for Ruby allows XSS.
A vulnerability was found in Protected Total WebShield Extension up to 3.2.0 on Chrome. It has been classified as problematic. This affects an unknown part of the component Block Page. The manipulation of the argument Category leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML by modifying a document head, before the Content-Type META element, to contain crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, a related issue to CVE-2009-1575.
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. The issue involves the "Safari Reader" component, which allows remote attackers to conduct UXSS attacks via a crafted web site.
Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.
A Cross-Site Scripting (XSS) vulnerability was found in Routers2 2.24, affecting the 'rtr' GET parameter in a page=graph action to cgi-bin/routers2.pl.
Cross-site scripting (XSS) vulnerability in the iThoughtsHD app 4.19 for iOS on iPad devices, when the WiFi Transfer feature is used, allows remote attackers to inject arbitrary web script or HTML via a crafted map name.
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. NOTE: this might be the same vulnerability as CVE-2013-7072.
A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-13055.
MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a request.
An issue was discovered in Joomla! Core before 3.8.8. Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping the user-info component of the URI could result in an XSS vulnerability.
RSA Authentication Manager versions prior to 8.3 P3 contain a reflected cross-site scripting vulnerability in a Security Console page. A remote, unauthenticated malicious user, with the knowledge of a target user's anti-CSRF token, could potentially exploit this vulnerability by tricking a victim Security Console user to supply malicious HTML or JavaScript code to the vulnerable web application, which code is then executed by the victim's web browser in the context of the vulnerable web application.
phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'><script>alert(1)</script>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain..
Gorouter in Cloud Foundry cf-release v141 through v228 allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks via vectors related to modified requests.
Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2, when a local dot configuration is used, allows remote attackers to inject arbitrary web script or HTML via a crafted bug summary.
Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP POST data.
Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files, and conduct cross-site scripting (XSS) attacks involving the iPlanet Log Analyzer, via an HTTP request in conjunction with a crafted DNS response, related to an "Inverse Lookup Log Corruption (ILLC)" issue, a different vulnerability than CVE-2002-1315 and CVE-2002-1316.
Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary web script or HTML via a destination field label.
Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment.
Cross-site scripting (XSS) vulnerability in the Current Search Links module 7.x-1.x before 7.x-1.1 for Drupal, when the "Append the keywords passed by the user to the list" option is disabled, allows remote attackers to inject arbitrary web script or HTML via a crafted search query.
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Password Policy module 6.x-1.x before 6.x-1.11 and 7.x-1.x before 7.x-1.11 for Drupal, when a site has a policy that uses the username constraint, allows remote attackers to inject arbitrary web script or HTML via a crafted username that is imported from an external source.
Cross-site scripting (XSS) vulnerability in the SMS Framework module 6.x-1.x before 6.x-1.1 for Drupal, when the "Send to phone" submodule is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to message previews.
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application. Upgrade to version `11.33.0`.
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content Viewer with a cross site scripting payload in its name, and wait for a user to try and rename the file for their payload to trigger.
Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter.
MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page.
Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when referrer checking is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924.
Cross-site scripting (XSS) vulnerability in templates/defaultheader.php in Lamp Design Storesprite before 7 - 19-06-14, when using the currency selection dropdown, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to brand.php, related to the currencyUrl function.
Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.
Cross-site Scripting (XSS) vulnerability in Citrix StoreFront affects version 1912 before CU5 and version 3.12 before CU9
Cross-site scripting (XSS) vulnerability in the Lazyest Gallery plugin before 1.1.21 for WordPress allows remote attackers to inject arbitrary web script or HTML via an EXIF tag. NOTE: some of these details are obtained from third party information.
Technicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-160428a devices allow XSS via a Cross Protocol Injection attack with setSSID of 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.1.1.3.10001.
A vulnerability was found in w3c online-spellchecker-py up to 20140130. It has been rated as problematic. This issue affects some unknown processing of the file spellchecker. The manipulation leads to cross site scripting. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The identifier of the patch is d6c21fd8187c5db2a50425ff80694149e75d722e. It is recommended to apply a patch to fix this issue. The identifier VDB-248849 was assigned to this vulnerability.
Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.
Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function.
Cross-site scripting (XSS) vulnerability in modules.php in NavBoard 16 (2.6.0) allows remote attackers to inject arbitrary web script or HTML via the module parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Pluck 4.5.2, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) lang_footer parameter to (a) data/inc/footer.php; the (2) pluck_version, (3) lang_install22, (4) titelkop, (5) lang_kop1, (6) lang_kop2, (7) lang_modules, (8) lang_kop4, (9) lang_kop15, (10) lang_kop5, and (11) titelkop parameters to (b) data/inc/header.php; the pluck_version and titelkop parameters to (c) data/inc/header2.php; and the (14) lang_theme6 parameter to (d) data/inc/themeinstall.php.
Cross-site scripting (XSS) vulnerability in admin_dblayers.asp in ClickAndEmail allows remote attackers to inject arbitrary web script or HTML via the tablename parameter in an update action.
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.