The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. This attack appear to be exploitable via Content with Javascript payload will be executed on end user browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2.
easymon version 1.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Endpoint where monitoring is mounted that can result in Reflected XSS that affects Firefox. Can be used to steal cookies, depending on the cookie settings.. This attack appear to be exploitable via The victim must click on a crafted URL that contains the XSS payload. This vulnerability appears to have been fixed in 1.4.1 and later.
app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter.
FreeBSD CVSweb version 2.x contains a Cross Site Scripting (XSS) vulnerability in all pages that can result in limited impact--CVSweb is anonymous & read-only. It might impact other sites on same domain. This attack appears to be exploitable via victim must load specially crafted url. This vulnerability appears to have been fixed in 3.x.
GLPi 9.5.4 does not sanitize the metadata. This way its possible to insert XSS into plugins to execute JavaScript code.
MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection.
Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contains a Cross Site Scripting (XSS) vulnerability in unit.html and testsDOH/_base/loader/i18n-exhaustive/i18n-test/unit.html and testsDOH/_base/i18nExhaustive.js in the DOH that can result in Victim attacked through their browser - deliver malware, steal HTTP cookies, bypass CORS trust. This attack appear to be exploitable via Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. This vulnerability appears to have been fixed in 1.14.
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher.
The jDownloads extension before 3.2.59 for Joomla! has XSS.
EasyCMS 1.3 has XSS via the s POST parameter (aka a search box value) in an index.php?s=/index/search/index.html request.
An issue was discovered in PhreeBooksERP before 2017-02-13. The vulnerability exists due to insufficient filtration of user-supplied data in the "form" HTTP GET parameter passed to the "PhreeBooksERP-master/extensions/ShippingMethods/ups/label_mgr/js_include.php" and "PhreeBooksERP-master/extensions/ShippingMethods/yrc/label_mgr/js_include.php" URLs. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. NOTE: these js_include.php files do not exist in the SourceForge "stable release" (aka R37RC1).
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.
An issue was discovered in ionize through 1.0.8. The vulnerability exists due to insufficient filtration of user-supplied data in the "path" HTTP GET parameter passed to the "ionize-master/themes/admin/javascript/tinymce/jscripts/tiny_mce/plugins/codemirror/dialog.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. .
A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed.
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature.
Zend Debugger in Zend Server before 9.1.3 has XSS, aka ZSR-2455.
Cross-site scripting (XSS) vulnerability in the search feature in the Forum plugin before 2.7.1 for Geeklog allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably related to (1) public_html/index.php, (2) config.php, and (3) functions.inc.
GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration.
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
Akiee version 0.0.3 contains a XSS leading to code execution due to the use of node integration vulnerability in "Details" of a task is not validated that can result in XSS leading to abritrary code execution. This attack appear to be exploitable via The attacker tricks the victim into opening a crafted markdown.
PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the lose of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```<script>alert();</script>```". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize malicious code from a parsed document
Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI.
Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) patient parameter to interface/main/finder/finder_navigation.php; (2) key parameter to interface/billing/get_claim_file.php; (3) formid or (4) formseq parameter to interface/orders/types.php; (5) eraname, (6) paydate, (7) post_to_date, (8) deposit_date, (9) debug, or (10) InsId parameter to interface/billing/sl_eob_process.php; (11) form_source, (12) form_paydate, (13) form_deposit_date, (14) form_amount, (15) form_name, (16) form_pid, (17) form_encounter, (18) form_date, or (19) form_to_date parameter to interface/billing/sl_eob_search.php; (20) codetype or (21) search_term parameter to interface/de_identification_forms/find_code_popup.php; (22) search_term parameter to interface/de_identification_forms/find_drug_popup.php; (23) search_term parameter to interface/de_identification_forms/find_immunization_popup.php; (24) id parameter to interface/forms/CAMOS/view.php; (25) id parameter to interface/forms/reviewofs/view.php; or (26) list_id parameter to library/custom_template/personalize.php.
Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Form/classes/class.ilDateTimeInputGUI.php in ILIAS 5.1.x through 5.3.x before 5.3.4 allow XSS via an invalid date.
An issue was discovered in XYHCMS 3.5. It has XSS via the test parameter to index.php.
qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted <title> attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week).
Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php.
Cross-site scripting (XSS) vulnerability in the JoomShopping (com_joomshopping) component before 4.3.1 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the user_name parameter to index.php.
Multiple cross-site scripting (XSS) vulnerabilities in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) query string to login.php and the (2) glb_sid parameter to hta/htmlarea.js.php, and allow remote authenticated users to inject arbitrary web script or HTML via an unspecified field in room.php.
Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client's name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0.
GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before 8.1.4 allows an unauthenticated attacker to inject arbitrary JavaScript or HTML.
Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability in Using the display tag that can result in XSS . This vulnerability appears to have been fixed in 2.2.8.
Lantronix SecureLinx Spider (SLS) 2.2+ devices have XSS in the auth.asp login page.
The CATALooK.netStore module through 7.2.8 for DNN (formerly DotNetNuke) allows XSS via the /ViewEditGoogleMaps.aspx PortalID or CATSkin parameter, or the /ImageViewer.aspx link or desc parameter.
Cross-site scripting (XSS) vulnerability in imagegen.ashx in Percipient Studios ImageGen before 2.9.0 for Umbraco CMS allows remote attackers to inject arbitrary web script or HTML via the font parameter.
Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php.
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script.
An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard).
XSS exists in Flexense DiskSavvy Enterprise from v10.4 to v10.7.
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.