Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allows remote attackers to inject arbitrary web script or HTML via the ns parameter in a medialist action to lib/exe/ajax.php.
Tad Book3 editing book function does not filter special characters. Unauthenticated attackers can remotely inject JavaScript syntax and execute stored XSS attacks.
Cross-site scripting (XSS) vulnerability in login.fcc in CA SiteMinder R6 SP6 before CR7 and R12 SP3 before CR8 allows remote attackers to inject arbitrary web script or HTML via the postpreservationdata parameter.
Multiple cross-site scripting (XSS) vulnerabilities in PHPKIT 1.6.1 R2 and earlier allow remote attackers to inject arbitrary web script or HTML via multiple vectors in (1) login/profile.php, (2) login/userinfo.php, (3) admin/admin.php, (4) imcenter.php, and the (5) referer statistics, the (6) HTML title element and (7) logo alt attributes in forum postings, and the (8) Homepage field in the Guestbook.
HESK before 3.1.10 allows reflected XSS.
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console and it is possible to insert a vulnerable malicious button.
Cross-site scripting (XSS) vulnerability in search.php in Support Incident Tracker (aka SiT!) 3.65 allows remote attackers to inject arbitrary web script or HTML via the search_string parameter.
myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
The Unicorn framework before 0.36.1 for Django allows XSS via a component. NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.
Cross-site scripting (XSS) vulnerability in index.php in Plogger Beta 2 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchterms parameter.
Subscription-Manager v1.0 /main.js has a cross-site scripting (XSS) vulnerability in the machineDetail parameter.
Multiple cross-site scripting (XSS) vulnerabilities in netmri/config/userAdmin/login.tdf in Infoblox NetMRI 6.0.2.42, 6.1.2, 6.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) eulaAccepted or (2) mode parameter.
Cross Site Scripting (XSS) in Sourcecodester The Electric Billing Management System 1.0 by oretnom23, allows attackers to execute arbitrary code via the about page.
Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5191.
Multiple cross-site scripting (XSS) vulnerabilities in the Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by admin/update/settings/ and certain other files.
Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, and other versions before 1.0.0, allow remote attackers to inject arbitrary web script or HTML via the URL to (1) e107_images/thumb.php or (2) rate.php, (3) resend_name parameter to e107_admin/users.php, and (4) link BBCode in user signatures.
Cross-site scripting (XSS) vulnerability in ztemp/view_compiled/Theme/theme_admin_setasdefault.php in the theme module in Zikula Application Framework 1.3.0 build 3168, 1.2.7, and probably other versions allows remote attackers to inject arbitrary web script or HTML via the themename parameter in the setasdefault action to index.php.
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.
Cross-site scripting (XSS) vulnerability in search.asp in rwAuction Pro 4.0 and 5.0 allows remote attackers to inject arbitrary web script or HTML via the searchtxt parameter.
Multiple cross-site scripting (XSS) vulnerabilities in glFusion before 1.2.2.pl4 allow remote attackers to inject arbitrary web script or HTML via the (1) subject parameter to profiles.php; (2) address1, (3) address2, (4) calendar_type, (5) city, (6) state, (7) title, (8) url, or (9) zipcode parameter to calendar/index.php; (10) title or (11) url parameter to links/index.php; or (12) PATH_INFO to admin/plugins/mediagallery/xppubwiz.php/.
Multiple cross-site scripting (XSS) vulnerabilities in jwplayer.swf in the smart-flv plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) link or (2) playerready parameter.
An issue was discovered in Secudos Qiata FTA 1.70.19. The comment feature allows persistent XSS that is executed when reading transfer comments or the global notice board.
Insufficient Input Validation in the search functionality of Wordpress plugin Out-of-the-Box prior to 1.20.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php.
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign.
Cross-site scripting (XSS) vulnerability in TikiWiki before 1.9.1.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
Cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Insufficient Input Validation in the search functionality of Wordpress plugin Lets-Box prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.
Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/FileAPI.flash.image.swf in MODX Revolution 2.3.2-pl allows remote attackers to inject arbitrary web script or HTML via the callback parameter.
Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Cross-site scripting (XSS) vulnerability in SAP/BW/DOC/METADATA in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via the page parameter.
Insufficient policy enforcement in iOSWeb in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Cross-site scripting (XSS) vulnerability in themeweb.aspx in Microsoft Office SharePoint Server 2010 Gold and SP1 and SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via JavaScript sequences in a URL, aka "XSS in themeweb.aspx Vulnerability."
In Materialize through 1.0.0, XSS is possible via the Autocomplete feature.
Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274.
An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/structure/structure.class.php.
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 8.0.6-8.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.
Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the gname parameter (aka host groups name) to (1) hostgroups.php and (2) usergrps.php, the update action to (3) hosts.php and (4) scripts.php, and (5) maintenance.php.
Multiple cross-site scripting (XSS) vulnerabilities in the Classipress theme before 3.1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) twitter_id parameter related to the Twitter widget and (2) facebook_id parameter related to the Facebook widget.
Cross-site scripting (XSS) vulnerability in lazyest-backup.php in the Lazyest Backup plugin before 0.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xml_or_all parameter.
Cross-site scripting (XSS) vulnerability in toos/permissions/dialogs/access/entity/types/group_combination.php in concrete5-legacy 5.6.4.0 and below allows remote attackers to inject arbitrary web script or HTML via the cID parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Pulse Pro CMS 1.7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) d parameter in a blocks action and (2) post_id parameter in an edit-post action to index.php.
Cross-site scripting (XSS) vulnerability in view/frontend-head.php in the Flowplayer plugin before 1.2.12 for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI.
Cross Site Scripting (XSS).vulnerability exists in Online DJ Booking Management System 1.0 in view-booking-detail.php.
Cross-site scripting (XSS) vulnerability in the s2Member Pro plugin before 111220 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s2member_pro_authnet_checkout[coupon] parameter (aka Coupon Code field).
Multiple cross-site scripting (XSS) vulnerabilities in Parallels Plesk Small Business Panel 10.2.0 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by smb/app/available/id/apscatalog/ and certain other files.