A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) 9.5(1) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvd82064.

In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.

An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters.

Shopwind <=v3.4.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability.

Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.

Ecommerce-project-with-php-and-mysqli-Fruits-Bazar- 1.0 is vulnerable to Cross Site Scripting (XSS) in \admin\add_cata.php via the ctg_name parameters.

Multiple cross-site scripting (XSS) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) Role or (2) Organic Group name.

Authenticated (editor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Export All URLs plugin <= 4.1 at WordPress.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Adam Skaat Countdown & Clock (WordPress plugin) countdown-builder allows Stored XSS.This issue affects Countdown & Clock (WordPress plugin): from n/a through 2.3.2.

Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Promotion Slider plugin <= 3.3.4 at WordPress.

Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in DynamicWebLab's WordPress Team Manager plugin <= 1.6.9 at WordPress.

Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin <= 1.0.0 on WordPress via vulnerable parameters: &ntmode_page_setting[enable-me], &ntmode_page_setting[bg-color], &ntmode_page_setting[txt-color], &ntmode_page_setting[anc_color].

XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must login to conduct the attack.

A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users.

Water-billing-management-system v1.0 is affected by: Cross Site Scripting (XSS) via /wbms/classes/Users.php?f=save, firstname.

Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting (XSS) vulnerability in the Signup parameter.

The gridelements (aka Grid Elements) extension through 7.6.1, 8.x through 8.7.0, 9.x through 9.7.0, and 10.x through 10.2.0 extension for TYPO3 allows XSS.

A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.

Automotive Shop Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /asms/classes/Master.php?f=save_product, name.

SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.

A cross-site scripting (XSS) vulnerability in /omps/seller of Online Market Place Site v1.0 allows attackers to execute arbitrary web cripts or HTML via a crafted payload injected into the Page parameter.

Badminton Center Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /bcms/classes/Master.php?f=save_court_rental.

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.

An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.

Cross-Site Scripting (XSS) vulnerability in Muneeb's WP Slider Plugin <= 1.4.5 at WordPress.

Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters.

Authenticated (subscriber or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Messages For WordPress <= 2.1.10 at WordPress.

XXL-Job v2.3.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /xxl-job-admin/jobinfo.

Authenticated (contributor or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team's Slideshow, Image Slider by 2J plugin <= 1.3.54 at WordPress.

An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. An attacker can abuse the vulnerability to upload a malicious file that will then be executed by a victim when they open the file location.

Octech Oempro 4.7 through 4.11 allow stored XSS by an authenticated user. The FolderName parameter of the Media.CreateFolder command is vulnerable.

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that allows any authenticated, remote user (even with low privileges like 'Auditor') to create or modify reports, and consequently take advantage of this XSS vulnerability. The JavaScript is executed when victims visit reports or auditlog pages.

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_edit.php edit_id parameter.

ChatBot App with Suggestion in PHP/OOP v1.0 is vulnerable to Cross Site Scripting (XSS) via /simple_chat_bot/classes/Master.php?f=save_response.

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a javascript: URL.

A potential security vulnerability has been identified in certain HPE FlexNetwork and FlexFabric switch products. The vulnerability could be remotely exploited to allow cross site scripting (XSS). HPE has made the following software updates to resolve the vulnerability. HPE FlexNetwork 5130EL_7.10.R3507P02 and HPE FlexFabric 5945_7.10.R6635.

Tieba-Cloud-Sign v4.9 was discovered to contain a cross-site scripting (XSS) vulnerability via the function strip_tags.

An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration helpurl settings allowed stored XSS.

nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info.

Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 7.0.x before 7.0.0.5 and 7.5.x before 7.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the HTTP User-Agent header.

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

Jenkins Job Generator Plugin 1.22 and earlier does not escape the name and description of Generator Parameter and Generator Choice parameters on Job Generator jobs' Build With Parameters views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.

jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion.