Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
Cross-site scripting (XSS) vulnerability in modules/Base/Lang/Administrator/update_translation.php in EPESI in Telaxus/EPESI 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) original or (2) new parameter.
twmap v2.91_v4.33 is affected by a Cross Site Scripting (XSS) vulnerability. In file list.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST then there is a XSS vulnerability.
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used.
A vulnerability has been identified in Polarion ALM (All versions < V21 R2 P2), Polarion WebClient for SVN (All versions). A cross-site scripting is present due to improper neutralization of data sent to the web page through the SVN WebClient in the affected product. An attacker could exploit this to execute arbitrary code and extract sensitive information by sending a specially crafted link to users with administrator privileges.
A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via Notebook/Page name field, which allows malicious users to execute arbitrary code via a crafted http code in a .json file.
The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.5 due to insufficient input sanitization and output escaping on the 'save_content_front' function that uses print_r on the user-supplied $_REQUEST values . This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PHPJabbers Hotel Booking System v4.0 is vulnerable to Cross-Site Scripting (XSS) vulnerabilities in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key" parameters.
youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php.
The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.
manage (last update Oct 24, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function will terminate the script and print a message which have values from $_POST.
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution Impreza – WordPress Website and WooCommerce Builder allows Reflected XSS.This issue affects Impreza – WordPress Website and WooCommerce Builder: from n/a through 8.17.4.
Elcomplus SmartPTT is vulnerable when an attacker injects JavaScript code into a specific parameter that can executed upon accessing the dashboard or the main page.
Cross-site scripting (XSS) vulnerability in the Roles Based Provisioning Module 4.0.2 before Field Patch D for Novell Identity Manager (aka IDM) allows remote attackers to inject arbitrary web script or HTML via a taskDetail taskId.
GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.
Cross-site scripting (XSS) issue in Accounting app of Odoo Enterprise 13.0 through 15.0, allows remote attackers who are able to control the contents of accounting journal entries to inject arbitrary web script in the browser of a victim.
Cross Site Scripting (XSS) vulnerability exists in Maccms v10 via link_Name parameter.
OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat.
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS.
Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in My account Name updated, related to home.php and actions-log.php.
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.
Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markdown type note. This leads to remote code execution with payload : <video src=x onerror=(function(){require('child_process').exec('calc');})();>
Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php.
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.
OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data.
Cross-site scripting (XSS) vulnerability in the GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.1.
WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the listar_permissoes.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.2.8.
Workerman-ThinkPHP-Redis (last update Mar 16, 2018) is affected by a Cross Site Scripting (XSS) vulnerability. In file Controller.class.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET{C('VAR_JSONP_HANDLER')] then there is a XSS vulnerability.
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS.
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.
Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url, or (9) zipcode parameter to calendar/index.php; (10) title or (11) url parameter to links/index.php; or (12) PATH_INFO to admin/plugins/mediagallery/xppubwiz.php/.
The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorum_set_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross-Site Scripting (XSS).
nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerability in www/pages/api.php. The exit function will terminate the script and print the message which has the input $_GET['t'].
Multiple cross-site scripting (XSS) vulnerabilities in Kodak InSite 6.5 to 8.0 allow remote attackers to inject arbitrary web script via the (1) "paramFile" parameter to /Site/Troubleshooting/DiagnosticReport.asp, or (2) "paramFile" parameter to /Site/Troubleshooting/SpeedTest.asp.
Multiple cross-site scripting (XSS) vulnerabilities in the token processing system (pki-tps) in Red Hat Certificate System (RHCS) 8.1 and possibly Dogtag Certificate System 9 and 10 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) tus/ or (2) tus/tus/.
Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12.7 in posts.php. Attackers can use the posts column to upload the title and content containing malicious code to achieve the purpose of obtaining the administrator cookie, thereby achieving other malicious operations.
YurunProxy v0.01 is affected by a Cross Site Scripting (XSS) vulnerability in src/Client.php. The exit function will terminate the script and print a message which have values from the socket_read.
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Stored XSS.This issue affects Custom 404 Pro: from n/a through 3.10.0.
A vulnerability, which was classified as problematic, has been found in BestWebSoft Contact Form Plugin 3.51 on WordPress. Affected by this issue is the function cntctfrm_display_form/cntctfrm_check_form of the file contact_form.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 3.52 is able to address this issue. The patch is identified as 642ef1dc1751ab6642ce981fe126325bb574f898. It is recommended to upgrade the affected component. VDB-225002 is the identifier assigned to this vulnerability.
totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /home.asp.
pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerability in api/info.php. The exit function will terminate the script and print the message which has $_REQUEST['hash'].
SakuraPanel v1.0.1.1 is affected by a Cross Site Scripting (XSS) vulnerability in /master/core/PostHandler.php. The exit function will terminate the script and print the message $data['proxy_name'].
A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.