DOM based Cross-site scripting (XSS) vulnerability in the Bridge theme before 11.2 for WordPress allows remote attackers to inject arbitrary JavaScript.
Multiple cross-site scripting (XSS) vulnerabilities in eintragen.php in GaesteChaos 0.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gastname or (2) gastwohnort parameters.
OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.
Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in Mavili Guestbook, as released in November 2007, allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) approve.asp, (2) delete.asp, (3) edit.asp, or (4) edit2.asp.
Cross-site Scripting (XSS) vulnerability in the search functionality of AlCoda NetBiblio WebOPAC allows an unauthenticated user to craft a reflected Cross-Site Scripting attack. This issue affects: AlCoda NetBiblio WebOPAC versions prior to 4.0.0.320; versions later than 4.0.0.328. This issue does not affect: AlCoda NetBiblio WebOPAC version 4.0.0.335 and later versions.
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.
XSS (persistent) on the Intelbras Wireless N 150Mbps router with firmware WRN 240 allows attackers to steal wireless credentials without being connected to the network, related to userRpm/popupSiteSurveyRpm.htm and userRpm/WlanSecurityRpm.htm. The attack vector is a crafted ESSID, as demonstrated by an "airbase-ng -e" command.
The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer.
Cross Site Scripting (XSS) vulnerability exists in Sourcecodester News247 CMS 1.0 via the search function in articles.
Cross-site scripting (XSS) vulnerability in the Web component in IBM Cognos TM1 before 9.5.2 FP3 and 10.1 before 10.1 FP1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element.
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127579.
An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before 5.4.1.3. There are multiple reflected Cross-Site Scripting (XSS) issues in Matrix WYSIWYG plugins.
Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC-9970CDW printer with firmware L (1.10) allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) val parameter to admin/admin_main.html; (3) id, (4) val, or (5) arbitrary parameter name (QUERY_STRING) to admin/profile_settings_net.html; or (6) kind or (7) arbitrary parameter name (QUERY_STRING) to fax/general_setup.html, a different vulnerability than CVE-2013-2507 and CVE-2013-2670.
ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS.
CrushFTP before 7.8.0 and 8.x before 8.2.0 has XSS.
IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126234.
In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment.
Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the ajax option to request a JavaScript redirect. NOTE: this can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection.
Cross-site scripting (XSS) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to improper request parameter validation.
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.
Cross-site scripting (XSS) vulnerability in KENT-WEB ACCESS REPORT 5.02 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to tag embedding.
PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item.
PHPJabbers File Sharing Script 1.0 has stored XSS in the comments section.
Cross-site scripting (XSS) vulnerability in header.php in Open Guestbook 0.5 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the affected system. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvf51241, CSCvf51261.
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view.
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a cross-site scripting (XSS) attack against a user of the affected software. Cisco Bug IDs: CSCvf40477, CSCvf63150, CSCvf68218, CSCvf68235, CSCvf68247.
IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 123678.
Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in Metinfo 5.3.18 allows remote attackers to inject arbitrary web script or HTML via the (1) class1 parameter or the (2) anyid parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) multi_title parameter to blocks/add/; (2) cost, (3) days, or (4) title[en] parameter to plans/add/; (5) name or (6) title[en] parameter to fields/group/add/ in admin/manage/; or (7) f[accounts][fullname] or (8) f[accounts][username] parameter to advsearch/. NOTE: This might overlap CVE-2011-5211. NOTE: it was later reported that the f[accounts][fullname] and f[accounts][username] vectors might also affect 2.2.2.
XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletId.
Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via some parameter to usersearch.php.
Cross-site scripting (XSS) vulnerability in oc-admin/ajax/ajax.php in OSClass before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an enable_category action to index.php.
Cross-site scripting (XSS) vulnerability in concrete/elements/collection_add.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the mode parameter.
Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a cross-site scripting (XSS) attack against a user of the affected software. Cisco Bug IDs: CSCvf40477, CSCvf63150, CSCvf68218, CSCvf68235, CSCvf68247.
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
A vulnerability in the web framework code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by convincing a user of the web interface to access a malicious link or by intercepting a user request for the affected web interface and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvb09516.
In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module.
A vulnerability in the web-based UI of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack. The vulnerability exists because the affected software does not provide sufficient protections for HTML inline frames (iframes). An attacker could exploit this vulnerability by directing a user of the affected software to an attacker-controlled web page that contains a malicious HTML inline frame. A successful exploit could allow the attacker to conduct click-jacking or other types of client-side browser attacks. Cisco Bug IDs: CSCve60993.
ASUS RT-N14UHP devices before 3.0.0.4.380.8015 have a reflected XSS vulnerability in the "flag" parameter.
An exploitable cross site scripting (XSS) vulnerability exists in the filter functionality of the delayed_job_web rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.
XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, password, or e-mail address.
Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body.
XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL.
A vulnerability in Cisco WebEx Meeting Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected system. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvf78635,, CSCvg52440.