Multiple cross-site scripting (XSS) vulnerabilities in OpenCMS OAMP Comments Module 1.0.1 allow remote attackers to inject arbitrary web script or HTML via the name field in a comment, and other unspecified vectors.
Cross-site scripting (XSS) vulnerability in system/workplace/admin/workplace/sessions.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the searchfilter parameter, a different vector than CVE-2008-1510.
Cross-site scripting (XSS) vulnerability in system/workplace/admin/accounts/users_list.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the (1) searchfilter or (2) listSearchFilter parameter.
Cross-site scripting (XSS) vulnerability in the Logfile Viewer Settings function in system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp in Alkacon OpenCms 7.0.3 and 7.0.4 allows remote attackers to inject arbitrary web script or HTML via the filePath.0 parameter in a save action, a different vector than CVE-2008-1045.
Cross-site scripting (XSS) vulnerability in the file tree navigation function in system/workplace/views/explorer/tree_files.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the resource parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms 9.5.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) homelink parameter to system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp, (2) workplaceresource parameter to system/workplace/locales/en/help/index.html, (3) path parameter to system/workplace/views/admin/admin-main.jsp, (4) mode parameter to system/workplace/views/explorer/explorer_files.jsp, or (5) query parameter in a search action to system/modules/org.opencms.workplace.help/elements/search.jsp.
Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms before 8.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to system/workplace/views/admin/admin-main.jsp or the (2) requestedResource parameter to system/login/index.html.
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.
Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.0.3 allows remote attackers to inject arbitrary web script or HTML via the username in the login page.
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to a victim and partially take control of their browsing session.
In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field.
An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the “title” field.
A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.
Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image.
A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the image parameter under the Create/Modify article function.
Cross Site Scripting vulnerability in Create/Modify article function in Alkacon OpenCMS 17.0 allows remote attacker to inject javascript payload via image title sub-field in the image field
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user having the roles of gallery editor or VFS resource manager will have the permission to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.
The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues.
JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS.
Cross-site scripting (XSS) vulnerability in HP SiteScope 9.54, 10.13, 11.01, and 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Planon before Live Build 41 has XSS.
Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in Cherry-Design Photopad 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) data[title] parameters in an edit action to files.php, or (3) id parameter in a view action to gallery.php.
Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus (SDP) before 8012 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter.
Cross-site scripting (XSS) vulnerability in search.php in AR Web Content Manager (AWCM) 2.1, 2.2, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the search parameter.
The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress allows XSS.
Cross-site scripting (XSS) vulnerability in Canon IT Solutions Inc. ACCESSGUARDIAN 3.0.14 and earlier, and 3.5.6 and earlier, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to authentication.
Cross-site scripting (XSS) vulnerability in cwhp/device.center.do in the Help servlet in Cisco CiscoWorks Common Services 3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the device parameter, aka Bug ID CSCto12704.
Cross-site scripting (XSS) vulnerability in the tibbr web server, as used in TIBCO tibbr 1.0.0 through 1.5.0 and tibbr Service 1.0.0 through 1.5.0, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
SAP NetWeaver Enterprise Portal - versions 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.This reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content of portal Website. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of victim’s web browser.
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1578.
Cross-site scripting (XSS) vulnerability in CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine in the Common Services Device Center in Cisco Unified Operations Manager (CUOM) before 8.6 allows remote attackers to inject arbitrary web script or HTML via the tag parameter, aka Bug ID CSCto12712.
Cross-site scripting (XSS) vulnerability in actions/add.php in InTerra Blog Machine 1.84, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the subject parameter to post_url/edit.
The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.
Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in RSA Data Loss Prevention (DLP) Enterprise Manager 8.x before 8.5 SP1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in RoboHelp 7 and 8, and RoboHelp Server 7 and 8, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to (1) wf_status.htm and (2) wf_topicfs.htm in RoboHTML/WildFireExt/TemplateStock/.
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via an id parameter containing a JavaScript onLoad event handler for a BODY element, related to a "tag body" attack. NOTE: this was originally reported as affecting 9.0.1 CHF1 and earlier.
PHPShop through 0.8.1 has XSS.
A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function. Due to a lack of controller validation in "path" parameter, an attacker can execute malicious JavaScript code.
The leenkme plugin before 2.6.0 for WordPress has stored XSS via facebook_message, facebook_linkname, facebook_caption, facebook_description, default_image, or _wp_http_referer.
Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments.
Cross-site scripting (XSS) vulnerability in admin/system.html in Openfiler 2.3 allows remote attackers to inject arbitrary web script or HTML via the device parameter.
Multiple cross-site scripting (XSS) vulnerabilities in include/html/header.php in TaskFreak! 0.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) sContext, (2) sort, (3) dir, and (4) show parameters in a save action to index.php; the (5) dir and (6) show parameters to print_list.php; and the (7) HTTP referer header to rss.php. NOTE: some of these details are obtained from third party information.
Cross-site scripting (XSS) vulnerability in WeblyGo 5.0 Pro/LE, 5.02 Pro/LE, 5.03 Pro/LE, 5.04 Pro/LE, and 5.10 Pro/LE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in Cybozu Office 6, 7, and 8 before 8.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "address book and user list functions."