An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.
Cross-site scripting (XSS) vulnerability in searchadvance.asp in Active Business Directory 2 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
Cross-site scripting (XSS) vulnerability in index.php in devalcms 1.4a allows remote attackers to inject arbitrary web script or HTML via the currentpath parameter.
Cross-site scripting (XSS) vulnerability in the Artist avenue (com_artistavenue) component for Joomla! and Mambo allows remote attackers to inject arbitrary web script or HTML via the Itemid parameter to index.php.
Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.
Cross-site scripting (XSS) vulnerability in register.php in FreshScripts Fresh Email Script 1.0 through 1.11 allows remote attackers to inject arbitrary web script or HTML via the Email parameter. NOTE: this can be leveraged to modify cookies and conduct session fixation attacks.
A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in bind_email function.
Cross-site scripting (XSS) vulnerability in www/help/tracker.php in GForge 4.5.14, 4.7 rc2, and 4.8.1 allows remote attackers to inject arbitrary web script or HTML via the helpname parameter.
HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting (XSS). XSS vulnerabilities occur when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session.
Multiple cross-site scripting (XSS) vulnerabilities in the Web Administrator in Websense Personal Email Manager 7.1 before Hotfix 4 and Email Security 7.1 before Hotfix 4 allow remote attackers to inject arbitrary web script or HTML via the (1) FileName, (2) IsolatedMessageID, (3) ServerName, (4) Dictionary, (5) Scoring, and (6) MessagePart parameters to web/msgList/viewmsg/actions/msgAnalyse.asp; the (7) Queue, (8) FileName, (9) IsolatedMessageID, and (10) ServerName parameters to actions/msgForwardToRiskFilter.asp and viewHeaders.asp in web/msgList/viewmsg/; and (11) the subject in an e-mail message that is held in a Queue.
Cross-site scripting (XSS) vulnerability in the resume blocktype in Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in PHPFreeForum 1.0 RC2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to error.php, and the (2) nickname and (3) randomid parameters to part/menu.php.
Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL-Console before 0.3.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "internal pages."
Cross-site scripting (XSS) vulnerability in index.php in Fritz Berger yet another php photo album - next generation (yappa-ng) 2.3.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter.
An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.
Multiple cross-site scripting (XSS) vulnerabilities in Gallarific Free Edition allow remote attackers to inject arbitrary web script or HTML via (1) the e-mail address, (2) a comment, which is not properly handled during moderation, and (3) the tag parameter to gallery/tags.php.
Cross-site scripting (XSS) vulnerability in manuals_search.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to inject arbitrary web script or HTML via the manuals_search parameter.
Multiple cross-site scripting (XSS) vulnerabilities in TGS Content Management 0.3.2r2 allow remote attackers to inject arbitrary web script or HTML via the (1) msg and (2) goodmsg parameters to (a) login.php and (b) index.php, and the (3) dir and (4) id parameters to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x-dev and possibly other 5.x versions, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a Simple Answer to a question.
Cross-site scripting (XSS) vulnerability in Open Source Security Information Management (OSSIM) before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the option parameter to the default URI (aka the main menu).
Cross-site scripting (XSS) vulnerability in index.cfm in Blue River Interactive Group Sava CMS before 5.0.122 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a search action.
Cross-site scripting (XSS) vulnerability in members/profileCommentsResponse.php in Rayzz Photoz allows remote attackers to inject arbitrary web script or HTML via the profileCommentTextArea parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Cross-site scripting (XSS) vulnerability in Resource Library (tjs_reslib) 0.1.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc44344. Known Affected Releases: 6.0(0.0).
Cross-site scripting (XSS) vulnerability in search.php3 (aka search.php) in W-Agora 4.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the bn parameter.
Cross-site scripting (XSS) vulnerability in Dex 5.x-1.0 and earlier and 6.x-1.0-rc1 and earlier, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A stored cross site scripting (XSS) vulnerability in /admin.php?mod=user&act=addnew of PopojiCMS 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the E-Mail field.
The ESXi Host Client in VMware ESXi (6.5 before ESXi650-201712103-SG, 5.5 before ESXi600-201711103-SG and 5.5 before ESXi550-201709102-SG) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker can exploit this vulnerability by injecting Javascript, which might get executed when other users access the Host Client.
Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.3 allow remote attackers to inject arbitrary web script or HTML via (1) ftp/index.php, (2) viewer.php, (3) functions/other.php, (4) include/left_menu.class.php, or (5) plugins/stats/stats_view.php.
Multiple cross-site scripting (XSS) vulnerabilities in Butterfly Organizer 2.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) mytable parameter to view.php, (2) mytable parameter to viewdb2.php, (3) tablehere parameter to category-rename.php, and (4) letter parameter to module-contacts.php.
In WEMS Limited Enterprise Manager 2.58, input passed to the GET parameter 'email' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.
The CGI framework in Kaya 0.4.0 allows remote attackers to inject arbitrary HTTP headers and conduct cross-site scripting (XSS) attacks via unspecified vectors.
Cross-site scripting (XSS) vulnerability in index.php in CoronaMatrix phpAddressBook 2.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents to index.php).
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
Multiple cross-site scripting (XSS) vulnerabilities in the user forms in GeniXCMS through 0.0.8 allow remote attackers to inject arbitrary web script or HTML via crafted parameters.
Cross-site scripting (XSS) vulnerability in the RSS reader in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.
Multiple cross-site scripting (XSS) vulnerabilities in checkout.php in Avactis Shopping Cart 1.8.0 and 1.8.1 allow remote attackers to inject arbitrary web script or HTML via the (1) step_id and (2) CHECKOUT_CZ_BLOWFISH_KEY parameters.
Cross-site scripting (XSS) vulnerability in blog/search.aspx in BlogEngine.NET allows remote attackers to inject arbitrary web script or HTML via the q parameter.
Multiple cross-site scripting (XSS) vulnerabilities in forgotPW.php in Library Video Company SAFARI Montage 3.1.x allow remote attackers to inject arbitrary web script or HTML via the (1) school and (2) email parameters.
Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and 2.5.x before 2.5.2, when used with Internet Explorer 6 or 7, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the search page.
Multiple cross-site scripting (XSS) vulnerabilities in Amiro.CMS 5.4.0.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the status_message parameter to (1) /news, (2) /comment, (3) /forum, (4) /blog, and (5) /tags; the status_message parameter to (6) forum.php, (7) discussion.php, (8) guestbook.php, (9) blog.php, (10) news.php, (11) srv_updates.php, (12) srv_backups.php, (13) srv_twist_prevention.php, (14) srv_tags.php, (15) srv_tags_reindex.php, (16) google_sitemap.php, (17) sitemap_history.php, (18) srv_options.php, (19) locales.php and (20) plugins_wizard.php in _admin/; a crafted IMG BBcode tag in the message body of a (21) forum, (22) guestbook, or (23) comment; (24) the content of an avatar file, which is not properly handled by Internet Explorer; and (25) the loginname parameter (aka username) in _admin/index.php.
Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
Cross-site scripting (XSS) vulnerability in index.php in Nuked-Klan 1.3 beta allows remote attackers to inject arbitrary web script or HTML via the nuked_nude parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Cross-site scripting (XSS) vulnerability in analyse.php in CAcert 20080921, and possibly other versions before 20080928, allows remote attackers to inject arbitrary web script or HTML via the CN (CommonName) field in the subject of an X.509 certificate.
Cross-site scripting (XSS) vulnerability in include/ajax/blogInfo.php in LiveStreet 0.2 allows remote attackers to inject arbitrary web script or HTML via the URI, as demonstrated by a SCRIPT element in an arbitrary parameter such as the asd parameter.
Cross-site scripting (XSS) vulnerability in Ultimate PHP Board (UPB) 2.2.2, 2.2.1, and earlier 2.x versions allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.
Cross-site scripting (XSS) vulnerability in phpcksec.php in Stefan Ott phpcksec 0.2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.