An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.php?rec=update has XSS via the name parameter.
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts.
UCMS 1.4.7 has XSS via the description parameter in an index.php list_editpost action.
Certain NETGEAR devices are affected by reflected XSS. This affects JNR1010v2 before 1.1.0.46, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.46, PR2000 before 1.0.0.20, R6050 before 1.0.1.10, R6220 before 1.1.0.60, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.46, WNR2020 before 1.1.0.46, and WNR2050 before 1.1.0.46.
cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433).
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile field such as Company Address, a related issue to CVE-2018-15896.
A vulnerability was found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this issue is some unknown functionality of the file /goform/RgDdns. The manipulation of the argument DdnsHostName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
In Impact and Lineage Analysis in SAP Data Services, version 4.2, the management console does not sufficiently validate user-controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability.
The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA Platform through 6.10.x has Persistent XSS via the "Reports > Reports" name field.
Cross-site scripting (XSS) vulnerability in the Smart Trim module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors involving the field settings form.
Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS via the SSID field on the Configuration > Radio 2.4G > Wireless X screen (after a successful login to the super account).
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_category.php?rec=update has XSS via the cat_name parameter.
PHP Scripts Mall Advance B2B Script 2.1.4 has stored Cross-Site Scripting (XSS) via the FIRST NAME or LAST NAME field.
PHP Scripts Mall Basic B2B Script 2.0.9 has HTML injection via the First Name or Last Name field.
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?rec=edit has XSS via the page_name parameter.
Frog CMS 0.9.5 has XSS via the admin/?/layout/edit/1 Body field.
cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action (SEC-410).
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has HTML injection via the First Name field.
In SAP Business Objects Business Intelligence Platform, 4.00, 4.10, 4.20, 4.30, the Central Management Console (CMC) does not sufficiently encode user controlled inputs which results in Cross-Site Scripting.
Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01.
Cross-site scripting (XSS) vulnerability in Microsoft Excel Services on SharePoint Server 2010 SP2 and 2013 SP1, Office Web Apps 2010 SP2, Excel Web App 2010 SP2, Office Web Apps Server 2013 SP1, and SharePoint Foundation 2013 SP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka "Microsoft Office Web Apps XSS Spoofing Vulnerability."
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.
Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/add_pictures.php article ID.
A cross-site scripting (XSS) vulnerability in the JOC Cockpit component of SOS JobScheduler 1.11 and 1.13.2 allows attackers to inject arbitrary web script or HTML via JSON properties available from the REST API.
PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has stored Cross-Site Scripting (XSS) via the Full Name field.
Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID.
A potential security vulnerability has been identified in HPE Onboard Administrator. The vulnerability could be remotely exploited to allow Reflected Cross Site Scripting. HPE has made the following software updates and mitigation information to resolve the vulnerability in HPE Onboard Administrator. * OA 4.95 (Linux and Windows).
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.
Cross site scripting vulnerability in McAfee Network Security Management (NSM) Prior to 9.1 update 6 Mar 2020 Update allows attackers to unspecified impact via unspecified vectors.
OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator attempts to delete a message that contains JavaScript.
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446).
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.
ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS.
SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allows an attacker to upload a malicious script as an attachment and this could lead to possible Cross-Site Scripting.
Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL, which contains Java script that will be executed on the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC client browser.
cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434).
A vulnerability, which was classified as problematic, has been found in Thomson TCW710 ST5D.10.05. This issue affects some unknown processing of the file /goform/wlanPrimaryNetwork. The manipulation of the argument ServiceSetIdentifier with the input ><script>alert(1)</script> as part of POST Request leads to basic cross site scripting (Persistent). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-126695.
CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php?rec=update has XSS via the site_name parameter.
SAP Business One, 9.2, 9.3, browser access does not sufficiently encode user controlled inputs, which results in a Cross-Site Scripting (XSS) vulnerability.
Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight Management Center (MC) 5.4.1.3 and 6.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuv73338.
Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight Management Center (MC) 5.3.1.5 and 5.4.x through 5.4.1.3 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuu28922.
PHP Scripts Mall Consumer Reviews Script 4.0.3 has HTML injection via the search box.
cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SEC-437).
An issue was discovered in YzmCMS 5.2. XSS exists via the admin/content/search.html searinfo parameter.
Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload.
IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 154135.