ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter.
Error reporting within Rendertron 1.0.0 allows reflected Cross Site Scripting (XSS) from invalid URLs.
PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection.
The bws-linkedin plugin before 1.0.5 for WordPress has multiple XSS issues.
An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.
A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious javascript execution in the victim's browser.
A vulnerability has been found in HumHub up to 1.0.1 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting (Reflected). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component.
Adobe Experience Manager version 6.4 and ealier have a Reflected Cross-site Scripting vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user.
Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value.
Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
The liveforms plugin before 3.4.0 for WordPress has XSS.
Cross-site scripting (XSS) vulnerability in the Java Management Console in Blue Coat ProxySG before SGOS 4.3.4.1, 5.x before SGOS 5.4.5.1, 5.5 before SGOS 5.5.4.1, and 6.x before SGOS 6.1.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a reflected cross site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
A vulnerability was found in Gwolle Guestbook Plugin 1.7.4. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to basic cross site scripting. The attack may be initiated remotely.
A vulnerability, which was classified as problematic, has been found in Alpine PhotoTile for Instagram Plugin 1.2.7.7. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely.
The ad-buttons plugin before 2.3.2 for WordPress has XSS.
An issue was discovered in Joomla! before 3.9.3. Inadequate filtering on URL fields in various core components could lead to an XSS vulnerability.
The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues.
The rating-bws plugin before 0.2 for WordPress has multiple XSS issues.
The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-field-css parameter.
Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues.
The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues.
The rimons-twitter-widget plugin before 1.3 for WordPress has XSS.
An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.
The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS.
The weblibrarian plugin before 3.4.8.5 for WordPress has XSS via front-end short codes.
Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
In CmsEasy 7.0, there is XSS via the ckplayer.php autoplay parameter.
The booking-sms plugin before 1.1.0 for WordPress has XSS.
The kama-clic-counter plugin before 3.5.0 for WordPress has XSS.
A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Successful exploitation of this vulnerability would result in an attacker being able to bypass the `escapeURL()` function and execute a malicious XSS payload.
In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.
Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution.
The pdf-print plugin before 1.9.4 for WordPress has multiple XSS issues.
The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS issues.
This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15, watchOS 6, iOS 13, tvOS 13. Processing maliciously crafted web content may lead to a cross site scripting attack.
A vulnerability classified as problematic has been found in Elefant CMS 1.3.12-RC. Affected is an unknown function. The manipulation of the argument username leads to basic cross site scripting (Persistent). It is possible to launch the attack remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.
The sender plugin before 1.2.1 for WordPress has multiple XSS issues.
The event-notifier plugin before 1.2.1 for WordPress has XSS via the loading animation.
The promobar plugin before 1.1.1 for WordPress has multiple XSS issues.
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
The avada theme before 5.1.5 for WordPress has stored XSS.
An issue was discovered in Joomla! before 3.9.3. Inadequate parameter handling in JavaScript code (core.js writeDynaList) could lead to an XSS attack vector.
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter.
The share-on-diaspora plugin before 0.7.2 for WordPress has reflected XSS in share URL parameters.
A validation issue was addressed with improved logic. This issue is fixed in Safari 13.0.1, iOS 13.1 and iPadOS 13.1, iCloud for Windows 10.7, tvOS 13, iCloud for Windows 7.14, iTunes 12.10.1 for Windows. Processing maliciously crafted web content may lead to universal cross site scripting.