Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Custom Product Tabs for WooCommerce plugin <= 1.7.9 on WordPress.
OX App Suite through through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL.
OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.
Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element.
Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API devices, which may allow an attacker to remotely execute code.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in StreamWeasels Twitch Player plugin <= 2.1.0 versions.
Ogma CMS 0.4 Beta has XSS via the "Footer Text footer" field on the "Theme/Theme Options" screen.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin <= 1.7.4 versions.
Cross-site scripting (XSS) vulnerability in the Host Client in VMware vSphere Hypervisor (aka ESXi) 5.5 and 6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted VM.
Auth. (admin+) vulnerability in Second2none Service Area Postcode Checker plugin <= 2.0.8 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mehjabin Orthi Interactive SVG Image Map Builder plugin <= 1.0 versions.
A stored XSS vulnerability was discovered in Hotaru CMS v1.7.2 via the admin_index.php?page=settings SITE NAME field (aka SITE_NAME), a related issue to CVE-2011-4709.1.
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 website used to control the router is vulnerable to stored cross-site scripting, which may allow an attacker to hijack sessions of users connected to the system.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GMO Internet Group, Inc. TypeSquare Webfonts for ConoHa plugin <= 2.0.3 versions.
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A Stored Cross Site Scripting (XSS) vunerability exists in Sourcecodeste Vehicle Parking Management System affected version 1.0 is via the add-vehicle.php endpoint.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in namithjawahar Wp-Insert plugin <= 2.5.0 versions.
chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in index.php in the Link module 5.x-2.5 for Drupal 5.10 allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via the description parameter (aka the Help field). NOTE: some of these details are obtained from third party information.
bookstack is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.
Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemeinauftrag.jsp in Plunet BusinessManager 4.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the (1) QUB and (2) Bez74 parameters.
Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability in Fullworks Quick Paypal Payments plugin <= 5.7.25 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Podlove Podlove Podcast Publisher plugin <= 3.8.2 versions.
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the “power” Splunk role can store arbitrary scripts that can lead to persistent cross-site scripting (XSS). The vulnerability affects instances with Splunk Web enabled.
An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger Reflected XSS when a viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS].
Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the component pop_chart.php.
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmlist?folder= (reflected).
The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.
Cross-site scripting (XSS) vulnerability in AlienVault OSSIM before 5.3 and USM before 5.3 allows remote attackers to inject arbitrary web script or HTML via the back parameter to ossim/conf/reload.php.
IBM Emptoris Strategic Supply Management Platform 10.0 and 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 116755.
In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.
Cross-site scripting (XSS) vulnerability in the Web UI in the web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-5975.
Opmantek NMIS before 8.5.12G has XSS via SNMP.
In NCH WebDictate v2.13, persistent Cross Site Scripting (XSS) exists in the Recipient Name field. An authenticated user can add or modify the affected field to inject arbitrary JavaScript.
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /msglist?mbx= (reflected).
Cross-site scripting (XSS) vulnerability in the Web UI in the web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223 FP3, and 9.0.2A before 9.0.2.5224_9.0.2A FP3 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-5978.
IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1995515.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Bernhard Kux JSON Content Importer plugin <= 1.3.15 versions.
index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS.
PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.
icecoder is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS.
Auth. Stored Cross-Site Scripting (XSS) vulnerability in Mr.Vibe vSlider Multi Image Slider for WordPress plugin <= 4.1.2 versions.
IBM Connections 4.0, 4.5, 5.0, and 5.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998294.