cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a related issue to CVE-2018-10296 and CVE-2018-16233.
cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor (SEC-385).
cPanel before 68.0.27 allows self XSS in the WHM listips interface (SEC-389).
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php?rec=system&act=update has XSS via the mobile_name parameter.
cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.
An issue was discovered in 74cms v4.2.111. upload/index.php?c=resume&a=resume_list has XSS via the key parameter.
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter.
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421).
cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme Interface (SEC-400).
cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feature (SEC-461).
Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field.
cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367).
cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC-387).
Combodo iTop is an open source web based IT Service Management tool. In affected versions there is a XSS vulnerability on "run query" page when logged as administrator. This has been resolved in versions 2.6.5 and 2.7.5.
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.
include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.
cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428).
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page.
SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
The Backpack\CRUD Backpack component before 3.4.9 for Laravel allows XSS via the select field type.
PHP Scripts Mall Basic B2B Script 2.0.9 has HTML injection via the First Name or Last Name field.
SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability.
SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting.
An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX.
MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs.
An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.
An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter.
An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
cPanel before 71.9980.37 allows stored XSS in the YUM autorepair functionality (SEC-399).
The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.
cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interface (SEC-391).
The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.
Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.57, DM200 before 1.0.0.50, EX2700 before 1.0.1.32, EX6100v2 before 1.0.1.70, EX6150v2 before 1.0.1.70, EX6200v2 before 1.0.1.62, EX6400 before 1.0.1.78, EX7300 before 1.0.1.78, EX8000 before 1.0.0.114, R6100 before 1.0.1.22, R7500 before 1.0.0.122, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WN2000RPTv3 before 1.0.1.26, WN3000RPv3 before 1.0.2.66, WN3100RPv2 before 1.0.0.42, WNDR3700v4 before 1.0.2.96, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.54, WNDR4500v3 before 1.0.0.54, and WNR2000v5 before 1.0.0.64.
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.
The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of <<a> in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP).
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
SAP Commerce does not sufficiently validate user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in versions (SAP Hybris Commerce, versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7).
A stored cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 allows remote attackers to inject arbitrary web script or HTML via User-Chat.php.
The SAML 2.0 service provider of SAP Netweaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability.
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web Intelligence DHTML client) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.