A Cross-Site Scripting (XSS) issue was discovered in php-calendar before 2017-03-03. The vulnerability exists due to insufficient filtration of user-supplied data (errorMsg) passed to the "php-calendar-master/error.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
A vulnerability, which was classified as problematic, was found in sproctor php-calendar. This affects an unknown part of the file index.php. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is a2941109b42201c19733127ced763e270a357809. It is recommended to apply a patch to fix this issue. The identifier VDB-215445 was assigned to this vulnerability.
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.
The TechRadar app 1.1 for Confluence Server allows XSS via the Title field of a Radar.
On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, carefully crafted URLs can be used to reflect arbitrary content into GeoIP lookup responses, potentially exposing clients to XSS.
Cross-site scripting (XSS) vulnerability in forgot.php in AudioShare 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the email parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1.
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
Cross-site scripting (XSS) vulnerability in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted alias (aka nickname) in a /me event, a different vulnerability than CVE-2011-3635.
Cross-site scripting (XSS) vulnerability in WebAccess in Novell GroupWise 8.x before 8.0 SP2 allows remote attackers to inject arbitrary web script or HTML via a crafted message, related to "replies."
Cross-site scripting (XSS) vulnerability in Products_Results.php in PowerStore 3.0 allows remote attackers to inject arbitrary web script or HTML via the totalRows_WADAProducts parameter.
Cross-site scripting (XSS) vulnerability in the Ajax WebMail interface in AXIGEN Mail Server before 7.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to cookies.
Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module before 0.9507 for Perl allows remote attackers to inject arbitrary web script or HTML via template parameters, related to improper handling of > (greater than) and < (less than) characters.
Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections.
The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly escape certain characters in a Python exception-message template, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via an HTTP response.
Multiple cross-site scripting (XSS) vulnerabilities in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville, (6) CP, (7) Poids, (8) Action, or (9) num parameter to prestashop/modules/mondialrelay/googlemap.php; (10) the num_mode parameter to modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) the Expedition parameter to modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php; or the (12) folder or (13) name parameter to admin/ajaxfilemanager/ajax_save_text.php.
Multiple cross-site scripting (XSS) vulnerabilities in Hotaru.php in the Search plugin 1.3 for Hotaru CMS allow remote attackers to inject arbitrary web script or HTML via the (1) SITE_NAME parameter to admin_index.php, or the (2) return and (3) search parameters to index.php. NOTE: some of these details are obtained from third party information.
Cross-site scripting (XSS) vulnerability in the new_Twitter_sign_button function in nextend-Twitter-connect.php in the Nextend Twitter Connect plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter. NOTE: this may overlap CVE-2015-4413.
@github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown before version 0.3.4. If the clipboard data contains the string `<table>`, a **div** is dynamically created, and the clipboard content is copied into its **innerHTML** property without any sanitization, resulting in improper execution of JavaScript in the browser of the victim (the user who pasted the code). Users directed to copy text from a malicious website and paste it into pages that utilize this library are affected. This is fixed in version 0.3.4. Refer the to the referenced GitHub Advisory for more details including an example exploit.
Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0, 3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the num parameter in a view action to index.cgi, related to the log file viewer, a different vulnerability than CVE-2011-3361.
Multiple cross-site scripting (XSS) vulnerabilities in news.php in SimpNews 2.47.03 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) layout and (2) sortorder parameters.
Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) from parameter to index.php or the (2) page_no parameter to recentchanges.php.
Cross-site scripting (XSS) vulnerability in the Morning Coffee theme before 3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.
easymon version 1.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Endpoint where monitoring is mounted that can result in Reflected XSS that affects Firefox. Can be used to steal cookies, depending on the cookie settings.. This attack appear to be exploitable via The victim must click on a crafted URL that contains the XSS payload. This vulnerability appears to have been fixed in 1.4.1 and later.
Cross-site scripting (XSS) vulnerability exists in the Wordpress admin panel when the Broken Link Checker plugin before 1.10.9 is installed.
Multiple SQL injection vulnerabilities in symphony/content/content.publish.php in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author permissions to execute arbitrary SQL commands via the filter parameter to (1) symphony/publish/comments or (2) symphony/publish/images. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks via error messages. NOTE: some of these details are obtained from third party information.
Multiple cross-site scripting (XSS) vulnerabilities in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by smb/app/available/id/apscatalog/ and certain other files.
Cross-site scripting (XSS) vulnerability in the overlay files tab in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted application, related to cloning.
Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the client_action parameter in a revslider_ajax_action action to wp-admin/admin-ajax.php.
Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post.
Cross-site scripting (XSS) vulnerability in Remote Development Services (RDS) in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF19, and 8.5.0 before CF08 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-4993.
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP16 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue.
Cross-site scripting (XSS) vulnerability in the new_fb_sign_button function in nextend-facebook-connect.php in Nextend Facebook Connect plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter.
Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter.
Cross-site scripting (XSS) vulnerability in HP AssetCenter 5.0x through AC_5.03, and AssetManager 5.1x through AM_5.12 and 5.2x through AM_5.22, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) a URL associated with a nonexistent domain name, related to webpage.cpp, aka a "universal XSS" issue; (2) unspecified vectors related to webview.cpp; and the about: views for (3) favorites, (4) bookmarks, (5) closed tabs, and (6) history.
Joplin before 2.0.9 allows XSS via button and form in the note body.
Cross-site scripting (XSS) vulnerability in the Splash Portal in Cloud4Wi before 5.9.7 allows remote attackers to inject arbitrary web script or HTML via the recoveryMessage parameter to the default URI.
eClinicalWorks Population Health (CCMR) suffers from a cross site scripting vulnerability in login.jsp which allows remote unauthenticated users to inject arbitrary javascript via the strMessage parameter.
Cross-site scripting (XSS) vulnerability in the print_object function in lib/datalib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3, when a developer debugging script is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors involving object states.
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used.