Persistent XSS has been found in the OneShield Policy (Dragon Core) framework before 5.1.10. Remote adversaries can inject malicious JavaScript into textboxes decorated with type string, which is subsequently stored to the applicable data store. This can be exploited remotely by both authenticated and unauthenticated users.
Multiple cross-site scripting (XSS) vulnerabilities in admin/admin_login.php in Uiga Fan Club, as downloaded on 20100310, allow remote attackers to inject arbitrary web script or HTML via the (1) admin_name and (2) admin_password parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Cross-site scripting (XSS) vulnerability in index.php (aka the log in page) in SimpleID before 0.6.5 allows remote attackers to inject arbitrary web script or HTML via the s parameter.
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues.
Cross-site scripting (XSS) vulnerability in index.php in emlog version <= pro-1.0.7 allows remote attackers to inject arbitrary web script or HTML via the s parameter.
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.
All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.
Multiple cross-site scripting (XSS) vulnerabilities in HP Project and Portfolio Management Center (PPMC, formerly Mercury IT Governance) 7.1 through SP10 and 7.5 through SP3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed.At the stage of publishing this security advisory no public exploitation is known.
Characters in the GET url path are not properly escaped and can be reflected in the server response.
Cross-site scripting (XSS) vulnerability in Emweb Wt before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to "insertions of the URL" that occur during a redirection.
An XSS issue was discovered in app/admincp/template/admincp.header.php in idreamsoft iCMS 7.0.14 via the admincp.php?app=config tab parameter.
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
Multiple Cross-Site Scripting (XSS) issues in the web interface on DASAN Zhone ZNID GPON 2426A EU version S3.1.285 devices allow a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameter: /zhndnsdisplay.cmd (name), /wlsecrefresh.wl (wlWscCfgMethod, wl_wsc_reg).
Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7 allow XSS.
Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML.
Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon.
In Materialize through 1.0.0, XSS is possible via the Toast feature.
XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0.
Misskey before 10.102.4 allows hijacking a user's token.
HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is a XSS protection mechanism.
Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
HexoEditor v1.1.8-beta is affected by: XSS to code execution.
A spoofing vulnerability exists in Microsoft Azure DevOps Server when it fails to properly handle web requests, aka 'Azure DevOps Server HTML Injection Vulnerability'.
The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
Cross-site scripting (XSS) vulnerability in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via an RSS feed.
Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker.
Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12.
A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute arbitrary code when viewed in a browser.
Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter.
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . This vulnerability appears to have been fixed in 1.5.5 and later.
Cross-site scripting (XSS) vulnerability in the Portlet Palette in IBM WebSphere Portal 6.0.1.5 wp6015_008_01 allows remote attackers to inject arbitrary web script or HTML via the search field.
A spoofing vulnerability exists when a Lync Server or Skype for Business Server does not properly sanitize a specially crafted request, aka 'Skype for Business and Lync Spoofing Vulnerability'.
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input, aka 'Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability'. This CVE ID is unique from CVE-2019-0866, CVE-2019-0867, CVE-2019-0868, CVE-2019-0870.
Cross-site scripting (XSS) vulnerability in CFNetwork in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via a crafted text/plain file.
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'json' to the /q URI.
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When creating a trial account, it is possible to inject XSS in the Alias field, allowing the attacker to retrieve the admin's cookie and take over the account.
ASG technologies ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cross Site Scripting (XSS).
ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.
Spiceworks Desktop before 2015-12-01 has XSS via an SNMP response.
Multiple cross-site scripting (XSS) vulnerabilities in eTek Systems Hit Counter 2.0 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) inc/login.php, (3) admin/index.php, and (4) admin/forgot.php.
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
QuickBox Pro v2.4.8 contains a cross-site scripting (XSS) vulnerability at "adminuseredit.php?usertoedit=XSS", as the user supplied input for the value of this parameter is not properly sanitized.