A vulnerability in the web framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvd76324. Known Affected Releases: 2.2(9.76) and 2.3(1).
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
A reflected Cross-site Scripting (XSS) vulnerability in web proxy disclaimer response web pages in Fortinet FortiOS 5.6.0, 5.4.0 to 5.4.5, 5.2.0 to 5.2.11 allows an unauthenticated attacker to inject arbitrary web script or HTML in the context of the victim's browser via sending a maliciously crafted URL to the victim.
The "Smart related articles" extension 1.1 for Joomla! has XSS in dialog.php (n_art,type in GET Method).
IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not part of IdentityServer but only our development test host
Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "<img src=# onerror='eval(new Buffer(" substring.
Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.
OpenIDM through 4.0.0 and 4.5.0 is vulnerable to persistent cross-site scripting (XSS) attacks within the Admin UI, as demonstrated by a crafted Managed Object Name.
A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning (PCP) Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvc90312. Known Affected Releases: 12.1.
An issue was discovered in Contiki Operating System 3.0. A Persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of cc26xx-web-demo. The cc26xx-web-demo features a webserver that runs on a constrained device. That particular page allows a user to remotely configure that device's operation by sending HTTP POST requests. The vulnerability consists of improper input sanitisation of the text fields on the MQTT/IBM Cloud config page, allowing for JavaScript code injection.
Cross-site scripting (XSS) vulnerability in SVG file handling in Lutim 0.7.1 and earlier allows remote attackers to inject arbitrary web script.
An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. iTunes before 12.7 on Windows is affected. tvOS before 11 is affected. The issue involves the "WebKit" component. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted web content that incorrectly interacts with the Application Cache policy.
A "data:" URL loaded in a new tab did not inherit the Content Security Policy (CSP) of the original page, allowing for bypasses of the policy including the execution of JavaScript. In prior versions when "data:" documents also inherited the context of the original page this would allow for potential cross-site scripting (XSS) attacks. This vulnerability affects Firefox < 57.
A vulnerability, which was classified as problematic, has been found in sileht bird-lg. This issue affects some unknown processing of the file templates/layout.html. The manipulation of the argument request_args leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ef6b32c527478fefe7a4436e10b96ee28ed5b308. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216479.
A vulnerability has been found in SimpleRisk and classified as problematic. This vulnerability affects the function checkAndSetValidation of the file simplerisk/js/common.js. The manipulation of the argument title leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 20220306-001 is able to address this issue. The name of the patch is 591405b4ed160fbefc1dca1e55c5745079a7bb48. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216472.
Pixie 1.0.4 allows an admin/index.php s=login&m= XSS attack.
JavaScript in the "about:webrtc" page is not sanitized properly being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack. This vulnerability affects Firefox < 55.
A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires privileged access to MantisBT configuration management pages (i.e., administrator access rights) or altering the system configuration file (config_inc.php).
inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the question field.
sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via the rebanid parameter.
Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0.
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.
Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have a persistent XSS vulnerability in Framework.
An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.
A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
A vulnerability was found in ctrlo lenio. It has been declared as problematic. This vulnerability affects unknown code of the file views/task.tt of the component Task Handler. The manipulation of the argument site.org.name/check.name/task.tasktype.name/task.name leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 698c5fa465169d6f23c6a41ca4b1fc9a7869013a. It is recommended to apply a patch to fix this issue. VDB-216214 is the identifier assigned to this vulnerability.
A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter.
There is reflected XSS in TOPdesk before 5.7.6 and 6.x and 7.x before 7.03.019.
Multiple Cross-Site Scripting (XSS) issues were discovered in INTER-Mediator 5.5. The vulnerabilities exist due to insufficient filtration of user-supplied data (c and cred) passed to the "INTER-Mediator-master/Auth_Support/PasswordReset/resetpassword.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
XSS in Agora-Project 3.2.2 exists with an index.php?disconnect=1&msgNotif[]=[XSS] attack.
An issue was discovered in contexts_wurfl (for TYPO3) before 0.4.2. The vulnerability exists due to insufficient filtration of user-supplied data in the "force_ua" HTTP GET parameter passed to the "/contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute malicious payloads via the WifiName POST parameter.
Cross Site Scripting (XSS).vulnerability exists in Online DJ Booking Management System 1.0 in view-booking-detail.php.
Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1.8.1.1. The vulnerabilities exist due to insufficient filtration of user-supplied data (tooltip_id, callback, args, cid) passed to the EPESI-master/modules/Utils/Tooltip/req.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field.
SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.
Cross site scripting (XSS) vulnerability in Sourcecodester Online Covid Vaccination Scheduler System v1 by oretnom23, allows attackers to execute arbitrary code via the lid parameter to /scheduler/addSchedule.php.
Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.
Cross-site scripting (XSS) vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N300, and RT-AC750 routers with firmware before 3.0.0.4.380.7378; RT-AC68W routers with firmware before 3.0.0.4.380.7266; and RT-N600, RT-N12+ B1, RT-N11P B1, RT-N12VP B1, RT-N12E C1, RT-N300 B1, and RT-N12+ Pro routers with firmware before 3.0.0.4.380.9488 allows remote attackers to inject arbitrary JavaScript by requesting filenames longer than 50 characters.
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to filebrowser.php in admin/. NOTE: the path parameter in admin/upload.php vector is already covered by CVE-2012-6621.
A vulnerability in the web application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvd49141. Known Affected Releases: 2.1(102.101).
A vulnerability classified as problematic has been found in studygolang. This affects an unknown part of the file static/js/topics.js. The manipulation of the argument contentHtml leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is 0fb30f9640bd5fa0cae58922eac6c00bb1a94391. It is recommended to apply a patch to fix this issue. The identifier VDB-216477 was assigned to this vulnerability.
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in Th3-822 Rapidleech. This affects the function zip_go of the file classes/options/zip.php. The manipulation of the argument archive leads to cross site scripting. It is possible to initiate the attack remotely. The patch is named 885a87ea4ee5e14fa95801eca255604fb2e138c6. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218295. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "admin_console/web/tools/SimpleJWPlayer.php" URL, the "admin_console/web/tools/AkamaiBroadcaster.php" URL, the "admin_console/web/tools/bigRedButton.php" URL, and the "admin_console/web/tools/bigRedButtonPtsPoc.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
A vulnerability was found in EELV Newsletter Plugin 2.x on WordPress. It has been rated as problematic. Affected by this issue is the function style_newsletter of the file lettreinfo.php. The manipulation of the argument email leads to cross site scripting. The attack may be launched remotely. The name of the patch is 3339b42316c5edf73e56eb209b6a3bb3e868d6ed. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230660.
An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a reflected Cross Site Scripting vulnerability which affects the raceMasterList.jsp page within the Patient Portal. Inserted payload is rendered within the Patient Portal and the raceMasterList.jsp page does not require authentication. The vulnerability can be used to extract sensitive information or perform attacks against the user's browser. The vulnerability affects the raceMasterList.jsp page and the following parameter: race.
A vulnerability in the web framework of Cisco SocialMiner could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCve15285. Known Affected Releases: 11.5(1).
Cross-site scripting (XSS) vulnerability in the Marekkis Watermark plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pfad parameter to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information.
An issue was discovered in AbanteCart before 1.3.2. It allows DOM Based XSS.