A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/index.php URI.
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/users_import.php URI.
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/index.php URI.
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/edit_group.php URI.
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/preferences.php URI.
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/permissions.php URI.
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/my_images.php URI.
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/user_activity.php URI.
Cross-site scripting (XSS) vulnerability in Bitweaver 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to (1) edit.php and (2) list.php in articles/; (3) list_blogs.php and (4) rankings.php in blogs/; (5) calendar/index.php; (6) calendar.php, (7) index.php, and (8) list_events.php in events/; (9) index.php and (10) list_galleries.php in fisheye/; (11) liberty/list_content.php; (12) newsletters/edition.php; (13) pigeonholes/list.php; (14) recommends/index.php; (15) rss/index.php; (16) stars/index.php; (17) users/remind_password.php; (18) wiki/orphan_pages.php; and (19) stats/index.php, different vectors than CVE-2007-0526 and CVE-2005-4379. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.0.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) users/register.php or (2) search/index.php, or an editcomments action in (3) wiki/index.php or (4) forums/index.php. NOTE: the error parameter to users/login.php is covered by CVE-2006-3103.
Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) stats/index.php or (2) newsletters/edition.php or the (3) username parameter to users/remind_password.php, (4) days parameter to stats/index.php, (5) login parameter to users/register.php, or (6) highlight parameter.
Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL).
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8.
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.
OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen.
WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the link field under the background menu management module.
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4.
Xiuno BBS 4.0.0 has XSS in the adminpage sitename parameter.
An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface.
geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.
A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
Cross Site Scripting vulnerability in sayski ForestBlog 20241223 allows a remote attacker to escalate privileges via the article editing function.
Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5.
Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in context of an affected site.
An issue was discovered in SIDU 6.0. Because the database name is not strictly filtered, the attacker can insert a name containing an XSS Payload, leading to stored XSS.
In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.
Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/taxonomy/vocabularies.
An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2. Stored XSS was found in the the My Profile Section. This is due to lack of sanitization in the Edit Name section.
The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks.
Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.
A cross site scripting (XSS) vulnerability in S-CMS PHP v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Copyright text box under Basic Settings.
Cross-Site Scripting (XSS) vulnerability has been identified in Micro Focus Operations Manager i, versions 10.60, 10.61, 10.62. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
In Philips Tasy EMR, Tasy EMR Versions 3.02.1744 and prior, the software incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
In DbNinja 3.2.7, the Add Host function of the Manage Hosts pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name field.
A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console. To fix this vulnerability, QNAP recommend updating QTS to the latest version.
A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.
On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the XSS.
MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php.
SUAP V2 allows XSS during the update of user information.
Stored XSS vulnerability via IMG element at "Filename" of Filemanager in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
An issue was discovered in MyWebSQL 3.7. The Add User function of the User Manager pages has a Stored Cross-site Scripting (XSS) vulnerability in the User Name Field.
A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
A vulnerability was found in Likeshop up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin of the component Merchandise Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-267449 was assigned to this vulnerability.
NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS.
In BlackCat CMS 1.2, backend/settings/ajax_save_settings.php allows remote authenticated users to conduct XSS attacks via the Website header or Website footer field.
ClassCMS 4.8 is vulnerable to Cross Site Scripting (XSS) in class/admin/channel.php.
IBM Business Process Manager 8.5.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127477.
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.