Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
eramba c2.8.1 and Enterprise before e2.19.3 allows XSS via a crafted filename for a file attached to an object. For example, the filename has a complete XSS payload followed by the .png extension.
Nifty Project Management Web Application 2020-08-26 allows XSS, via Add Task, that is rendered upon a Project Home visit. Note: It has been argued that this is not reproducible. "The original issue was that the task would be created and an alert would be shown on the screen. Now the task would be created, but the alert won't be executed as those attributes are now stripped."
The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored cross-site scripting vulnerability, which allows an authenticated remote user to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1.
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
Cross Site Scripting (XSS) vulnerability in LimeSurvey 4.2.5 on textbox via the Notifications & data feature.
SmartStream Transaction Lifecycle Management (TLM) Reconciliation Premium (RP) <3.1.0 allows XSS. This was fixed in TLM RP 3.1.0.
IBM Team Concert 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119529.
A remote stored XSS vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3.
The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Content."
Create-Project Manager 1.07 has multiple persistent Cross-site Scripting and HTML injection vulnerabilities via Online chat, Social feed, Message (title-tag), Add new client (all-tags).
Spiceworks Version <= 7.5.00107 is affected by XSS. Any name typed in the Custom Groups function is vulnerable to stored XSS, as names are displayed on http://127.0.0.1/inventory/groups/ without output sanitization.
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.
Cross Site Scripting (XSS) vulnerability in LavaLite-CMS 5.8.0 via the Menu Links feature.
Michael-design iChat Realtime PHP Live Support System 1.6 has persistent Cross-site Scripting via chat, text-field tags.
webTareas v2.1 is affected by Cross Site Scripting (XSS) on "Search."
Cross Site Scripting (XSS) vulnerability in PublicCMS 4.0 to get an admin cookie when the Administrator reviews submit case.
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Cross Site Scripting (XSS) vulnerability exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle".
Cross Site Scripting (XSS) vulnerability in PbootCMS 2.0.3 in admin.php.
Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register` functions. This vulnerability allows attackers to execute arbitrary web scripts or HTML.
Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.
Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability.
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "List Description" field under the "Edit A List" module.
Jenkins chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.
JeeCMS 1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the commentText parameter.
Akaunting v1.3.17 was discovered to contain a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Company Name input field.
A cross-site scripting (XSS) vulnerability in RGCMS v1.06 allows attackers to obtain the administrator's cookie via a crafted payload in the Name field under the Message Board module.
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Edit Values" field under the "Configure Attributes" module.
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118839.
Cross Site Scripting vulnerability in GetSimpleCMS 3.4.0a in admin/snippets.php via (1) Add Snippet and (2) Save snippets.
A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v12.53 and earlier and HPE Performance Center version v12.53 and earlier was found.
A cross site scripting (XSS) vulnerability in the /domains/cost-by-owner.php component of Domainmod 4.13 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "or Expiring Between" parameter.
A stored cross site scripting (XSS) vulnerability in /app/config/ of S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data.
Maccms 10 contains a cross-site scripting (XSS) vulnerability in the Editing function under the Member module. This vulnerability is exploited via a crafted payload in the nickname text field.
A stored cross site scripting (XSS) vulnerability in the web_attr_2 field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML.
Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via the "News > Article" feature.
A stored cross site scripting (XSS) vulnerability in the web_copyright field of Eyoucms v1.4.1 allows authenticated attackers to execute arbitrary web scripts or HTML.
Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php.
Pbootcms v2.0.3 is vulnerable to Cross Site Scripting (XSS) via admin.php.
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.
A stored cross-site scripting (XSS) vulnerability in /ucms/index.php?do=list_edit of UCMS 1.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the title, key words, description or content text fields.
WTCMS 1.0 contains a reflective cross-site scripting (XSS) vulnerability in the keyword search function under the background articles module.
Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.