admin/themes/default/items/tag-form.php in Omeka before 2.6.1 allows XSS by adding or editing a tag.
OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.
Reflected Cross-Site Scripting (XSS) exists in the Stock Take module in SLiMS 8 Akasia 8.3.1 via an admin/modules/stock_take/index.php?keywords= URI.
An issue was discovered in Eventum 3.5.0. /htdocs/post_note.php has XSS via the garlic_prefix parameter.
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf when crafted malicious parameters are submitted to the charging station web server.
In JetBrains TeamCity before 2020.2.2, XSS was potentially possible on the test history page.
JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI.
MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
Persistent Cross-Site Scripting (XSS) vulnerability in the "Categories" feature in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows remote attackers to inject arbitrary web script or HTML via the name field.
Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter.
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'json' to the /q URI.
Cross-Site Scripting (XSS) vulnerability in every page that includes the "action" URL parameter in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows remote attackers to inject arbitrary web script or HTML via the action parameter.
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php td_block_id parameter in a td_ajax_block API call.
A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature.
RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser.
A vulnerability in the web admin component of Mitel MiVoice Office 400, versions R5.0 HF3 (v8839a1) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack, due to insufficient validation for the start.asp page. A successful exploit could allow the attacker to execute arbitrary scripts to access sensitive browser-based information.
A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extract of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests.
PHP Scripts Mall Olx Clone 3.4.2 has XSS.
The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. An attacker may exploit this issue to execute malicious scripts by tricking a victim into clicking a malicious link.
An XSS issue was discovered in the language switcher module in Joomla! 1.6.0 through 3.8.8 before 3.8.9. In some cases, the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page URL.
Entrust Datacard Syntera CS 5.x has XSS via the name field of "Domain or Computer Name" in the login page.
TP-Link Archer C1200 1.13 Build 2018/01/24 rel.52299 EU devices have XSS via the PATH_INFO to the /webpages/data URI.
In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command.
In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in new Ericsson library browsing tool ELEX used in systems like Ericsson Network Manager. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to
Reflected XSS in wordpress plugin hero-maps-pro v2.1.0
Craft CMS before 3.6.13 has an XSS vulnerability.
SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.
An issue was discovered in Jirafeau before 3.4.1. The "search file by link" form is affected by reflected XSS that could allow, by targeting an administrator, stealing a session and gaining administrative privileges.
OX App Suite 7.8.4 and earlier allows Directory Traversal.
In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display.
1CDN is open-source file sharing software. In 1CDN before commit f88a2730fa50fc2c2aeab09011f6f142fd90ec25, there is a basic cross-site scripting vulnerability that allows an attacker to inject /<script>//code</script> and execute JavaScript code on the client side.
A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) in MantisBT 2.1.0 through 2.15.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO.
Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode is used, allows stored XSS, as demonstrated by an onerror attribute of an IMG element, a related issue to CVE-2018-7035.
In JetBrains TeamCity before 2020.2.3, reflected XSS was possible on several pages.
Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name or description field to the "Olap Schemas' Catalogue" catalogue.
PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or firstname parameter.
A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it
A Reflected Cross Site Scripting (XSS) vulnerability exists in Adrenalin HRMS 5.4.0. An attacker can input malicious JavaScript code in /RPT/SSRSDynamicEditReports.aspx via 'ReportId' parameter.
Boostnote v0.11.7 allows XSS during highlighting of Markdown text, as demonstrated by an onerror attribute of an IMG element.
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.
TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS.
Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames.
Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.
Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.
Wfilter ICF 5.0.117 contains a cross-site scripting (XSS) vulnerability. An attacker in the same LAN can craft a packet with a malicious User-Agent header to inject a payload in its logs, where an attacker can take over the system by through its plugin-running function.
RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.