Mobile Safari in Apple iOS before 7 does not prevent HTML interpretation of a document served with a text/plain content type, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading a file.
Multiple cross site scripting attacks were found in the Identity Manager Plug-in, hosted on iManager 2.7.7.7, before Identity Manager 4.6.1. In certain scenarios it was possible to execute arbitrary JavaScript code in the context of vulnerable application, via user.Context in the Object Selector, via vdtData in the Version discovery and via nextFrame in the Object Inspector and via Host GUID in the System details plugins.
Cross-site scripting (XSS) vulnerability in the RealURL Management (realurlmanagement) extension 0.3.4 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have a persistent XSS vulnerability in Framework.
ILIAS before 5.2.3 has XSS via SVG documents.
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS.
A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the Add Users feature.
Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilities in Directory Server (aka Enterprise Server Administration web UI) and ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allow remote authenticated attackers to bypass protection mechanisms (CWE-693) and other security features.
Multiple cross-site scripting (XSS) vulnerabilities in WebCenter in WatchGuard WSM and Fireware before 11.8 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
A Cross-Site Scripting (XSS) was discovered in 'wallacepos v1.4.1'. The vulnerability exists due to insufficient filtration of user-supplied data (token) passed to the 'wallacepos-master/myaccount/resetpassword.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) before 8.7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
OpenIDM through 4.0.0 and 4.5.0 is vulnerable to reflected cross-site scripting (XSS) attacks within the Admin UI, as demonstrated by the _sortKeys parameter to the authzRoles script under managed/user/.
A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the applicationSearch parameter in the FortiView functionality.
In Pivotal Single Sign-On for PCF (1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3), certain pages allow code to be injected into the DOM environment through query parameters, leading to XSS attacks.
Cross-site scripting (XSS) vulnerability in File Station of QNAP QTS 4.2.6 build 20171026, QTS 4.3.3 build 20170727 and earlier allows remote attackers to inject arbitrary web script or HTML.
Cross-site scripting (XSS) vulnerability in the Javascript and CSS Optimizer extension before 1.1.14 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag.
Cross-site scripting (XSS) vulnerability in FlipBuilder Flip PDF allows remote attackers to inject arbitrary web script or HTML via the currentHTMLURL parameter.
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Cross-site scripting (XSS) vulnerability in HP XP P9000 Command View Advanced Edition Suite Software 7.x before 7.5.0-02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php.
The UMA product with software V200R001 has a cross-site scripting (XSS) vulnerability due to insufficient input validation. An attacker could craft malicious links or scripts to launch XSS attacks.
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.
NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed cross site scripting attacks via the "type" and "account" parameters of json requests.
Multiple Cross-Site Scripting (XSS) were discovered in 'openeclass Release_3.5.4'. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the 'openeclass-master/modules/tc/webconf/webconf.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Cross-site scripting (XSS) vulnerability in dereferer.php in A Really Simple Chat (ARSC) 3.3-rc2 allows remote attackers to inject arbitrary web script or HTML via the arsc_link parameter.
An issue was discovered on Humax Digital HG100R 2.0.6 devices. There is XSS on the 404 page.
Palo Alto Networks PAN-OS before 7.0.15 has XSS in the GlobalProtect external interface via crafted request parameters, aka PAN-SA-2017-0011 and PAN-70674.
inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the question field.
A logic issue was addressed with improved validation. This issue is fixed in iOS 12.2, Safari 12.1. Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting.
Cross-site scripting (XSS) vulnerability in the Local Management Interface (LMI) in IBM Security Network Protection on XGS 5100 devices with firmware 5.1 before 5.1.0.6 and 5.1.1 before 5.1.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote attackers to inject arbitrary web script or HTML via the application 'Mail'.
Multiple potential reflected XSS issues exist in NetIQ iManager versions before 2.7.7 Patch 10 HF2 and 3.0.3.2.
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" parameter.
trollepierre/tdm before 2017-04-13 is vulnerable to a reflected XSS in tdm-master/webhook.php (challenge parameter).
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
Cross-site scripting (XSS) vulnerability in the web interface in HP ArcSight Enterprise Security Manager (ESM) before 5.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2.8.17 is vulnerable to a reflected XSS in examples/consumer-authentication/cruise.php via the URI, as demonstrated by the cavv parameter.
Cross-site scripting (XSS) vulnerability in the management interface on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuf77810.
A OAuth application in NetIQ Access Manager 4.3 before 4.3.2 and 4.2 before 4.2.4 allowed cross site scripting attacks due to unescaped "description" field that could be specified by the provider.
Cross-site scripting (XSS) vulnerability in HP SiteScope 9.x, 10.x, and 11.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in the Administrator report page on Cisco Web Security Appliance (WSA) devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCus40627.
foreman before version 1.16.0 is vulnerable to a stored XSS in organizations/locations assignment to hosts. Exploiting this requires a user to actively assign hosts to an organization that contains html in its name which is visible to the user prior to taking action.
A Cross-Site Scripting (XSS) was discovered in 'SocialNetwork v1.2.1'. The vulnerability exists due to insufficient filtration of user-supplied data (mail) passed to the 'SocialNetwork-andrea/app/template/pw_forgot.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Cross-site scripting (XSS) vulnerability in the share link function of File Station of QNAP 4.2.6 build 20171026, QTS 4.3.3 build 20170727 and earlier allows remote attackers to inject arbitrary web script or HTML.
A Cross-site Scripting (XSS) vulnerability exists in the All in One SEO Pack plugin before 2.0.3.1 for WordPress via the Search parameter.
EMC Isilon OneFS (versions prior to 8.1.0.1, versions prior to 8.0.1.2, versions prior to 8.0.0.6, version 7.2.1.x) is impacted by a reflected cross-site scripting vulnerability that may potentially be exploited by malicious users to compromise the affected system.
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)."