A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced Order Export For WooCommerce plugin 3.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the view/settings-form.php woe_post_type parameter.
Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs.
The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue.
Cross-site scripting (XSS) vulnerability in ThemeBeans Blooog theme 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the jQuery parameter to assets/js/jplayer.swf.
The Nimble Page Builder WordPress plugin before 3.2.2 does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
Sunnet eHRD, a human training and development management system, contains a Cross-Site Scripting (XSS) vulnerability; attackers can inject arbitrary commands into the system and launch an XSS attack.
The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in /home.jsp. The vulnerable parameter is openSI. NOTE: this is fixed in the latest version.
The Migration, Backup, Staging WordPress plugin before 0.9.70 does not sanitise and escape the sub_page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types.
A cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the administrator to click on a carefully crafted link. This would lead to limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.
Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.
The Header Footer Code Manager plugin <= 1.1.16 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter.
Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors.
D-Link DIR-100 4.03B07: cli.cgi XSS
A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize user inputs, aka 'Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability'.
GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability.
The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener AJAX action's response, leading to a Reflected Cross-Site Scripting issue.
The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
An issue was discovered in Munkireport before 5.3.0.3923. An unauthenticated actor can send a custom XSS payload through the /report/broken_client endpoint. The payload will be executed by any authenticated users browsing the application. This concerns app/views/listings/default.php.
MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.
The NewStatPress WordPress plugin before 1.3.6 does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.
An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfSense before version 2.4.5. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.
An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFaces 7.0.11. In a web application using PrimeFaces, an attacker can provide JavaScript code in an input field whose data is later used as a tooltip title without any input validation.
The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file, which allows attackers to inject arbitrary web scripts onto pages that execute whenever a user clicks on a link specially crafted by an attacker. This affects versions up to and including 5.0.8.
A vulnerability has been identified in SICAM MMU (All versions < V2.05), SICAM SGU (All versions), SICAM T (All versions < V2.18). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link.
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.
cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).
GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration.
The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting issue.
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Big Sur 11.0.1. Processing a maliciously crafted document may lead to a cross site scripting attack.
The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in the parameter settingId of the settingDialogContent.jsp page. NOTE: this is fixed in the latest version.
SAE IT-systems FW-50 Remote Telemetry Unit (RTU). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in the output used as a webpage that is served to other users.
An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (which is visible in the source of the page in which the popup is inserted) and arbitrary JavaScript which will then be executed in the browsers of visitors to that page. Because the plugin functionality automatically adds script tags to data entered into these fields, this injection will typically bypass most WAF applications.
Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.
Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) return_url parameter to modules\com_vtiger_workflow\savetemplate.php, or unspecified vectors to (2) deletetask.php, (3) edittask.php, (4) savetask.php, or (5) saveworkflow.php.
The old versions of EXIF Viewer Classic contain a cross-site scripting vulnerability caused by improper handling of EXIF meta data. When an image is rendered and crafted EXIF meta data is processed, an arbitrary script may be executed on the web browser. Versions 2.3.2 and 2.4.0 were reported as vulnerable. According to the vendor, the product has been refactored after those old versions and the version 3.0.1 is not vulnerable.
The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Stored XSS in /TemplateManager/indexExternalLocation.jsp. The vulnerable parameter is map(template_name). NOTE: this is fixed in the latest version.
Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests.
MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule.
Cross Site Scripting (XSS) vulnerability exists in cxuucms v3 via the imgurl of /feedback/post/ content parameter.
Cross Site Scripting (XSS) vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).
Cross-site scripting (XSS) vulnerability in HP Systems Insight Manager (SIM) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
Cross-site scripting (XSS) vulnerability in application/panel_control in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A vulnerability, which was classified as problematic, has been found in Alpine PhotoTile for Instagram Plugin 1.2.7.7. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely.
Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.