AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.
Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.
The updater plugin before 1.35 for WordPress has multiple XSS issues.
The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues.
The pdf-print plugin before 1.9.4 for WordPress has multiple XSS issues.
The visitors-online plugin before 1.0.0 for WordPress has multiple XSS issues.
S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.
The bws-smtp plugin before 1.1.0 for WordPress has multiple XSS issues.
On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP APM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of F5 BIG-IP Guided Configuration that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[AutoExecuteCmd]' parameter value in the view filter (filter.php) because proper filtration is omitted.
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. Lack of input sanitization of the upload mechanism is leads to stored XSS.
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues.
Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.
The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php.
element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.
The newstatpress plugin before 1.2.5 for WordPress has multiple stored XSS issues.
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO.
PKP Vendor Open Journal System v2.4.8 to v3.3.8 allows attackers to perform reflected cross-site scripting (XSS) attacks via crafted HTTP headers.
Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive before 6.7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) role parameter to roles.lsp, (2) name parameter to user.lsp, (3) path parameter to wizard/setuser.lsp, (4) host parameter to tunnelconstr.lsp, or (5) newpath parameter to wfsconstr.lsp in rtl/protected/admin/.
Cross-site scripting vulnerability in Zero-channel BBS Plus v0.7.4 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a file upload mechanism. Lack of input sanitization in the upload mechanism leads to reflected XSS.
The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS.
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'eid' (aka Event ID) parameter value in the view download (download.php) because proper filtration is omitted.
The pagination plugin before 1.0.7 for WordPress has multiple XSS issues.
The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues.
Bootstrap v3.1.11 and v3.3.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the Title parameter in /vendor/views/add_product.php.
The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 and/or 1.34) mishandles certain HTML attributes, as demonstrated by IMG onmouseover= (impact is XSS) and IMG src=http (impact is disclosing the client's IP address). This can occur within a talk page topical header that is viewed within a mobile (MobileFrontend) context.
A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE before 19.49.1500.0 allows remote attackers to inject arbitrary web script or HTML via the brandUrl parameter.
A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL.
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a URL /cgi-bin endpoint. The URL parameters are not correctly sanitized, leading to reflected XSS.
Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.
Cross-site scripting (XSS) vulnerability in details_view.php in PHP Booking Calendar 10e allows remote attackers to inject arbitrary web script or HTML via the page_info_message parameter.
Cross-site scripting (XSS) vulnerability in SRX Web Authentication (webauth) in Juniper Junos 11.4 before 11.4R11, 12.1X44 before 12.1X44-D34, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, and 12.1X47 before 12.1X47-D10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in Mobotix IP Network Cameras M1 1.9.4.7 and M10 2.0.5.2, and other versions before 2.2.3.18 for M10/D10 and 3.0.3.31 for M22, allow remote attackers to inject arbitrary web script or HTML via URL-encoded values in (1) the query string to help/help, (2) the get_image_info_abspath parameter to control/eventplayer, and (3) the source_ip parameter to events.tar.
Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php.
The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platform instances. Note that the Cloud Monitoring Console is not impacted.
The rsvp plugin before 2.3.8 for WordPress has persistent XSS via the note field on the attendee-list screen.
The gnucommerce plugin before 1.4.2 for WordPress has XSS.
ZEROF Web Server 2.0 allows /admin.back XSS.
The simple-job-board plugin before 2.4.4 for WordPress has reflected XSS via keyword search.
Cosmetics and Beauty Product Online Store v1.0 was discovered to contain multiple reflected cross-site scripting (XSS) attacks via the search parameter under the /cbpos/ app.
Cross-site scripting vulnerability in ASSETBASE 8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
NetIQ Access Manager 4.2.2 and 4.3.x before 4.3.1+, when configured as an Identity Server, has XSS in the AssertionConsumerServiceURL field of a signed AuthnRequest in a samlp:AuthnRequest document.
The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.
Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code in the URL and then trick a user into visit the link in order to execute JavaScript code.
An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code (if CSP allows it) in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed.