Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.
Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter.
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php.
The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website.
CASAP Automated Enrollment System 1.0 is affected by cross-site scripting (XSS) in users.php. An attacker can steal a cookie to perform user redirection to a malicious website.
Add event in calendar function in the 101EIP system does not filter special characters in specific fields, which allows remote authenticated users to inject JavaScript and perform a stored XSS attack.
An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vulnerability that leads to the capture of other people's cookies via the Rich Text Box.
Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webclient of Siemens AG Polarion could allow an attacker to exploit a persistent XSS vulnerability. This issue affects: Siemens AG Polarion All versions < 19.2.
Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When settings for _backend layouts_ are not properly encoded, the corresponding grid view is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this vulnerability.
Cross-site scripting (XSS) vulnerability in the Host Client in VMware vSphere Hypervisor (aka ESXi) 5.5 and 6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted VM.
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is running in demo mode. This issue has been resolved in 4.4.3.
Sourcecodester Messaging Web Application 1.0 is vulnerable to stored XSS. If a sender inserts valid scripts into the chat, the script will be executed on the receiver chat.
A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the username parameter.
Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application is upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround users may use a browser that has support for Content-Security-Policy. A notable exemption is Internet Explorer which does not support CSP properly.
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-mailed.php by adding a question mark (?) followed by the payload.
TYPO3 is an open source PHP based web content management system. Versions 9.0.0 through 9.5.28, 10.0.0 through 10.4.17, and 11.0.0 through 11.3.0 have a cross-site scripting vulnerability. When _Page TSconfig_ settings are not properly encoded, corresponding page preview module (_Web>View_) is vulnerable to persistent cross-site scripting. A valid backend user account is needed to exploit this vulnerability. TYPO3 versions 9.5.29, 10.4.18, 11.3.1 contain a patch for this issue.
Cross-site scripting (XSS) vulnerability in the Asset module's edit vocabulary page in Liferay Portal 7.0.0 through 7.3.4, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 9, allows remote attackers to inject arbitrary web script or HTML via the (1) _com_liferay_journal_web_portlet_JournalPortlet_name or (2) _com_liferay_document_library_web_portlet_DLAdminPortlet_name parameter.
OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page.
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs that may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.
Stored cross-site scripting (XSS) was possible in protection plan details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035
In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.
MartDevelopers Inc iResturant v1.0 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.
An XSS vulnerability exists in several IoT devices from CHIYU Technology, including SEMAC, Biosense, BF-630, BF-631, and Webpass due to a lack of sanitization on the component if.cgi - username parameter.
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
Cross site scripting (XSS) vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.7.100 allows a remote attacker to highjack an active DLP ePO administrator session by convincing the logged in administrator to click on a carefully crafted link in the case management part of the DLP ePO extension.
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/manage-versions.php by adding a question mark (?) followed by the payload.
The EditableTable WordPress plugin through 0.1.4 does not sanitise and escape any of the Table and Column fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/report-article-printed.php by adding a question mark (?) followed by the payload.
In JetBrains TeamCity before 2021.1.2, stored XSS is possible.
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
Reflected XSS in admin/manage-templates.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS (injecting arbitrary web script or HTML) in admin/edit-field.php by adding a question mark (?) followed by the payload.
A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages.
Gurock TestRail before 7.2.4 mishandles HTML escaping.
In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can get executed.
Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application.
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name.
Veeam ONE Reporter 9.5.0.3201 allows XSS via the Add/Edit Widget with a crafted Caption field to setDashboardWidget in CommonDataHandlerReadOnly.ashx.
Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__MONITORING__CONFIG__ADDRESS, or SM2__C__MONITORING__CONFIG__ADDRESS.
Reflected XSS in admin/manage-fields.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.
Multiple storage XSS vulnerabilities were discovered on BF-430, BF-431 and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of sanitization of the input on the components man.cgi, if.cgi, dhcpc.cgi, ppp.cgi.
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. The JavaScript code is executed during deletion of a transaction link.