EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product.
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts).
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible link.
An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the JavaScript inside the filename and send it to users, thus helping him steal victims' cookies (hence compromising their accounts).
Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel.
Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message.
Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account.
An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript code.
EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be executed when a user opens a page of any profile with this.
An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation.
An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. A malicious attacker can modify the firstName and lastName to contain JavaScript code.
Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream message containing an XSS payload. The stored payload can then be triggered by clicking a malicious link on the Notifications page.
Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.
Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php.
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen.
Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.
GeniXCMS 1.0.2 has XSS triggered by an authenticated user who submits a page, as demonstrated by a crafted oncut attribute in a B element.
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Base/Dashboard/Dashboard_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted tab_name parameter.
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.x before 7.0.0.2 CF25 and 8.x before 8.0.0.1 CF8 allows remote authenticated users to inject arbitrary web script or HTML by leveraging improper tagging functionality.
Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.
Microsoft SharePoint Server 2013 Service Pack 1 allows an elevation of privilege vulnerability when it fails to properly sanitize a specially crafted web request to an affected SharePoint server, aka "Microsoft SharePoint XSS Vulnerability".
A potential security vulnerability has been identified with certain HP InkJet printers. The vulnerability could be exploited to allow cross-site scripting (XSS). Affected products and versions include: HP DeskJet 2600 All-in-One Printer series model numbers 4UJ28B, V1N01A - V1N08A, Y5H60A - Y5H80A; HP DeskJet Ink Advantage 2600 All-in-One Printer series model numbers V1N02A - V1N02B, Y5Z00A - Y5Z04B; HP DeskJet Ink Advantage 5000 All-in-One Printer series model numbers M2U86A - M2U89B; HP DeskJet Ink Advantage 5200 All-in-One Printer series model numbers M2U76A - M2U78B; HP ENVY 5000 All-in-One Printer series model numbers M2U85A - M2U85B, M2U91A - M2U94B, Z4A54A - Z4A74A; HP ENVY Photo 6200 All-in-One Printer series model numbers K7G18A-K7G26B, K7S21B, Y0K13D - Y0K15A; HP ENVY Photo 7100 All-in-One Printer series model numbers 3XD89A, K7G93A-K7G99A, Z3M37A - Z3M52A; HP ENVY Photo 7800 All-in-One Printer series model numbers K7R96A, K7S00A - K7S10D, Y0G42D - Y0G52B; HP Ink Tank Wireless 410 series model numbers Z4B53A - Z4B55A, Z6Z95A - Z6Z99A, 4DX94A - 4DX95A, 4YF79A, Z7A01A; HP OfficeJet 5200 All-in-One Printer series model numbers M2U75A, M2U81A-M2U84B, Z4B12A - Z4B14A, Z4B27A - Z4B29A; HP Smart Tank Wireless 450 series model numbers Z4B56A, Z6Z96A - Z6Z98A.
A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.
MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php.
Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the application 'Cabinet'.
NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS.
Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files.
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.
Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the PATH_INFO to readfile.php.
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users.
Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file.
The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Settings Section in login panel.
This cross-site scripting (XSS) vulnerability in Music Station allows remote attackers to inject and execute scripts on the administrator’s management console. To fix this vulnerability, QNAP recommend updating Music Station to their latest versions.
HPE has identified a cross site scripting (XSS) vulnerability in HPE CentralView Fraud Risk Management earlier than version CV 6.1. This issue is resolved in HF16 for HPE CV 6.1 or subsequent version.
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code.
A stored cross-site scripting (XSS) vulnerability in GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
JeeCMS 1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the commentText parameter.
The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Utils/RecordBrowser/RecordBrowserCommon_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted meeting description parameter.
In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.
A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v12.53 and earlier and HPE Performance Center version v12.53 and earlier was found.
An information disclosure vulnerability exists when Microsoft SharePoint software fails to properly sanitize a specially crafted requests, aka "Microsoft SharePoint Reflective XSS Vulnerability".
A Remote Cross-Site Scripting vulnerability in HPE Project and Portfolio Management (PPM) version v9.30, v9.31, v9.32, v9.40 was found.
uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code.