Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter.
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp.
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter.
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter.
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page.
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp.
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents.
Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter.
Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test.
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter.
In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import certificate trusted page
A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp
Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in the Server Properties and Security Audit Viewer JSP page
Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS.
Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page.
Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS.
Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS.
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS.
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
Multiple cross-site scripting (XSS) vulnerabilities in the Management Center in Cisco FireSIGHT System Software 6.0.0 and 6.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCux40414.
The wp-database-backup plugin before 4.3.1 for WordPress has XSS.
The Locatoraid Store Locator WordPress plugin before 3.9.24 does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Cross-site scripting (XSS) vulnerability in the Security component of Kohana before 3.3.6 allows remote attackers to inject arbitrary web script or HTML by bypassing the strip_image_tags protection mechanism in system/classes/Kohana/Security.php.
An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed throughout the application. A malicious payload can be injected within the Custom Workflow component and inserted via the Create New Workflow field. As a result, the payload is executed via the navigation bar throughout the application.
In Redmine before 3.2.3, there are stored XSS vulnerabilities affecting Textile and Markdown text formatting, and project homepages.
The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter.
The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/plugins/ocim-mp3/source/pages.php?id= XSS.
Stored Cross-Site Scripting in Easy Address Book Web Server 1.6 version, through the users_admin.ghp file that affects multiple parameters such as (firstname, homephone, lastname, lastname, middlename, workaddress, workcity, workcountry, workphone, workstate, workzip). This vulnerability allows a remote attacker to store a malicious JavaScript payload in the application to be executed when the page is loaded, resulting in an integrity impact.
The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.
Multiple cross-site scripting (XSS) vulnerabilities in Caloris Planitia Online Quiz System (aka Web Quiz pro), possibly 1.0, allow remote attackers to inject arbitrary web script or HTML via the (1) exam parameter in prequiz.asp or (2) msg parameter in student.asp.
Cross-site scripting (XSS) vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) 1.1 allows remote attackers to inject arbitrary web script or HTML via crafted markup data, aka Bug ID CSCux15489.
The gnucommerce plugin before 0.5.7-BETA for WordPress has XSS.
A stored cross-site scripting (XSS) vulnerability fin Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter on the profile.php page.
D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS attacks in the username and password fields: a remote unauthenticated user may craft logins and passwords with script tags in them. Because there is no sanitization in the input fields, an unaware logged-in administrator may be a victim when checking the router logs.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS).Ā It was possible to execute malicious JS code on Visual Consoles.Ā This issue affects Pandora FMS: from 700 through 774.
The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.
The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS.
The wp-latest-posts plugin before 3.7.5 for WordPress has XSS.
The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS.
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Emergency Responder 11.5(0.99833.5) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuy10766.
Cross-site scripting (XSS) vulnerability in the shiro8 (1) category_freearea_ addition_plugin plugin 1.0 and (2) itemdetail_freearea_ addition_plugin plugin 1.0 for EC-CUBE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.
Cross-site scripting (XSS) vulnerability in log_chat.cgi in Script* Log-Chat before 2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in the "Check available times" function in Cybozu Garoon before 4.2.2.
The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link.
The option-tree plugin before 2.6.0 for WordPress has XSS via an add_list_item or add_social_links AJAX request.
Cross-site scripting vulnerability in Open Graph for Facebook, Google+ and Twitter Card Tags plugin prior to version 2.2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS.