An issue was discovered in the GlobalBlocking extension in MediaWiki before 1.40.2. For a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This affects subtitle links in buildSubtitleLinks.
Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.
pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.
Cross-site scripting (XSS) vulnerability in Cybozu Office 6, 7, and 8 before 8.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "address book and user list functions."
A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application.
Cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint Server 2010 Gold and SP1, and SharePoint Foundation 2010, allows remote attackers to inject arbitrary web script or HTML via the URI, aka "XSS in SharePoint Calendar Vulnerability."
joyplus-cms 1.6.0 has XSS in admin_player.php, related to manager/index.php "system manage" and "add" actions.
A vulnerability has been found in Bdtask G-Prescription Gynaecology & OBS Consultation Software 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /Venue_controller/edit_venue/ of the component Edit Venue Page. The manipulation of the argument Venue map leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256045 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Cross-site scripting (XSS) vulnerability in HP Operations 9.10 on UNIX platforms allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to inject arbitrary web script or HTML via the p parameter to an unspecified component, a different vulnerability than CVE-2011-0526.
Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path.
A vulnerability within the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victims browser in the context of the affected interface.
Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Xymon before 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in the DataDynamics.Reports.Web class library in GrapeCity Data Dynamics Reports before 1.6.2084.14 allow remote attackers to inject arbitrary web script or HTML via (1) the reportName or (2) uniqueId parameter to CoreViewerInit.js, or the (3) uniqueId or (4) traceLevel parameter to CoreController.js, as reachable by CoreHandler.ashx.
Cross-site scripting (XSS) vulnerability in framework/source/resource/qx/test/jsonp_primitive.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3, and possibly other products allows remote attackers to inject arbitrary web script or HTML via the callback parameter.
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name field to the "Business Model's Catalogue" catalogue.
Cross-site scripting (XSS) vulnerability in the logon page in Remote Desktop Web Access (RD Web Access) in Microsoft Windows Server 2008 R2 and R2 SP1 allows remote attackers to inject arbitrary web script or HTML via the URI, aka "Remote Desktop Web Access Vulnerability."
A vulnerability was identified in 1000 Projects Sales Management System 1.0. This issue affects some unknown processing of the file /superstore/admin/sales.php. The manipulation of the argument ssalescat leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. An attacker could store a specially crafted JavaScript payload in the upload functionality due to lack of proper sanitisation of JavaScript elements.
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a `GET` request on lines 339-343 in `requests.py`. The returned contents of the URL are then passed to and reflected back to the user in the `send_file` function on line 484, together with the user-controlled `src_type`, which allows the attacker to control the HTTP response content type leading to a cross-site scripting vulnerability. An attacker could craft a special URL to point to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. from one of public Whoogle instances) could be used to trick the user into clicking the link. The malicious website could, for example, be a copy of a real website, meant to steal a person’s credentials to the website, or trick that person in another way. Version 0.8.4 contains a patch for this issue.
Cross-site scripting (XSS) vulnerability in the Users module in Zikula before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: it is possible that this overlaps CVE-2011-0535.
Multiple Cross-Site Scripting (XSS) vulnerabilities in Hubzilla 7.0.3 and earlier allows remote attacker to include arbitrary web script or HTML via the rpath parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Google Chrome, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)."
Multiple cross-site scripting (XSS) vulnerabilities in ModX Evolution before 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) installer or (2) image editor.
Cross-site scripting (XSS) vulnerability in Windows Event Log SmartConnector in HP ArcSight Connector Appliance before 6.1 allows remote attackers to inject arbitrary web script or HTML via the Windows XP variable in a file.
Cross-site scripting (XSS) vulnerability in the SafeHTML function in the toStaticHTML API in Microsoft Internet Explorer 7 and 8, Office SharePoint Server 2007 SP2, Office SharePoint Server 2010 Gold and SP1, Groove Server 2010 Gold and SP1, Windows SharePoint Services 3.0 SP2, and SharePoint Foundation 2010 Gold and SP1 allows remote attackers to inject arbitrary web script or HTML via unspecified strings, aka "toStaticHTML Information Disclosure Vulnerability" or "HTML Sanitization Vulnerability."
Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in the Wikis component in IBM Lotus Connections 3.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Confirm New Page scene."
An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field.
Cross-site scripting (XSS) vulnerability in QNAP QTS 4.3.3 build 20180126, QTS 4.3.4 build 20180315, and their earlier versions could allow remote attackers to inject arbitrary web script or HTML.
REDDOXX MailDepot 2033 (aka 2.3.3022) allows XSS via an incoming HTML e-mail message.
Cross-site scripting (XSS) vulnerability in the UI in IBM Rational Build Forge 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the mod parameter to the fullcontrol program. NOTE: some of these details are obtained from third party information.
A vulnerability in the web-based management interface of Cisco WAP150 Wireless-AC/N Dual Radio Access Point with Power over Ethernet (PoE) and WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCve57076.
A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.
The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page.
Multiple cross-site scripting (XSS) vulnerabilities in the IBM Web Interface for Content Management (aka WEBi) 1.0.4 before FP3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-1242.
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php.
Cross-site scripting (XSS) vulnerability in HP Systems Insight Manager (SIM) before 6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability on the HP Photosmart D110 and B110; Photosmart Plus B210; Photosmart Premium C310, Fax All-in-One, and C510; and ENVY 100 D410 printers allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
Multiple cross-site scripting (XSS) vulnerabilities in PivotX 2.2.0, and possibly other versions before 2.2.2, allow remote attackers to inject arbitrary web script or HTML via the (1) color parameter to includes/blogroll.php or (2) src parameter to includes/timwrapper.php.
Cross-site scripting (XSS) vulnerability in HP Diagnostics 7.5x and 8.0x before 8.05.54.225 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
Vanilla Forums 2.0.17.1 through 2.0.17.5 has XSS in /vanilla/index.php via the p parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error reporting.
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information.
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Mati Skiba @ Rav Messer's Ravpage plugin <= 2.16 at WordPress.
Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.