A vulnerability, which was classified as problematic, has been found in code-projects Blood Bank System 1.0. Affected by this issue is some unknown functionality of the file /prostatus.php. The manipulation of the argument message leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
The WP-Appbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's appbox shortcode in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Special:CheckUserLog allows CheckUser XSS because of date mishandling, as demonstrated by an XSS payload in MediaWiki:October.
Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html.
A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Multiple cross-site scripting (XSS) vulnerabilities in Synametrics SynaMan 4.0 build 1488 via the (1) Main heading or (2) Sub heading fields in the Partial Branding configuration page.
An issue was discovered in EMLsoft 5.4.5. XSS exists via the eml/upload/eml/?action=address&do=edit page.
A weakness has been identified in SohuTV CacheCloud up to 3.2.0. Affected is the function advancedAnalysis of the file src/main/java/com/sohu/cache/web/controller/InstanceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The project was informed of the problem early through an issue report but has not responded yet.
The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
joyplus-cms 1.6.0 has XSS via the manager/admin_ajax.php can_search_device array parameter.
In Nessus before 7.1.0, a XSS vulnerability exists due to improper input validation. A remote authenticated attacker could create and upload a .nessus file, which may be viewed by an administrator allowing for the execution of arbitrary script code in a user's browser session. In other scenarios, XSS could also occur by altering variables from the Advanced Settings.
IBM Sterling B2B Integrator Standard Edition 5.2.0 through 5.2.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 141551.
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The WikibaseMediaInfo component is vulnerable to XSS via the caption fields for a given media file.
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Parallax slider in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘marker_title’, 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3.
A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".
Tenable Appliance versions 4.6.1 and earlier have been found to contain a single XSS vulnerability. Utilizing a specially crafted request, an authenticated attacker could potentially execute arbitrary JavaScript code by manipulating certain URL parameters related to offline plugins.
Wolf CMS 0.8.3.1 has XSS in the Snippets tab, as demonstrated by a ?/admin/snippet/edit/1 URI.
An issue was discovered in WeaselCMS v0.3.5. XSS exists via Site Language, Site Title, Site Description, and Site Keywords on the SETTINGS page.
Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of an Attribute.
Linksys WRT310Nv2 2.0.0.1 is vulnerable to XSS.
Cross-site scripting (XSS) vulnerability in IBM InfoSphere Information Server through 8.5 FP3, 8.7 through FP2, and 9.1 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the web console.
In the Ban List plugin 1.0 for MyBB, any forum user with mod privileges can ban users and input an XSS payload into the ban reason, which is executed on the bans.php page.
IBM Engineering Requirements Management DOORS Next (IBM Jazz Foundation 7.0.2 to 7.0.2 iFix034, 7.0.3 to 7.0.3 iFix016, and 7.1.0 to 7.1.0 iFix004) is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users on the host network to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
IBM WebSphere Commerce Enterprise V7, V8, and V9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 142596.
A vulnerability, which was classified as problematic, has been found in otale tale up to 2.0.5. This issue affects the function OptionsService of the file src/main/resources/templates/themes/default/partial/header.html. The manipulation of the argument logo_url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
A vulnerability was identified in SohuTV CacheCloud up to 3.2.0. This affects the function index of the file src/main/java/com/sohu/cache/web/controller/ServerController.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
IBM Jazz Foundation products (IBM Rational DOORS Next Generation 5.0 through 5.0.2 and 6.0 through 6.0.5) are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 139025.
PHP Scripts Mall hotel-booking-script 2.0.4 allows XSS via the First Name, Last Name, or Address field.
DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter.
A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this vulnerability is the function doAppAuditList of the file src/main/java/com/sohu/cache/web/controller/AppManageController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
In SecurityCenter versions prior to 5.7.0, a cross-site scripting (XSS) issue could allow an authenticated attacker to inject JavaScript code into an image filename parameter within the Reports feature area. Properly updated input validation techniques have been implemented to correct this issue.
A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 7.6.1 via the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. An example of affected components are all Markdown input fields.
NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS.
A vulnerability classified as problematic was found in Mini-Tmall up to 20250211. This vulnerability affects unknown code of the file /admin of the component Admin Name Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
NETGEAR R7000 devices before 1.0.9.88 are affected by stored XSS.
Cross-site scripting (XSS) vulnerability in IBM InfoSphere Optim Data Growth for Oracle E-Business Suite 6.x, 7.x, and 9.x before 9.1.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, related to a stored XSS issue.
CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Web\Content\Help\ in the Web Client in IBM Cognos Command Center (aka Star Command Center or Star Analytics) before 10.1, when Internet Explorer is used, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted "refr" parameter in a "/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=" call.
DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_first_name parameter.
Certain NETGEAR devices are affected by stored XSS. This affects EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 1.4.1.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 1.0.3.106, RAX45 before 1.0.2.72, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, and RAX80 before 1.0.3.106.
An issue was discovered in Creme CRM 1.6.12. The salesman creation page is affected by 10 stored cross-site scripting vulnerabilities involving the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters.
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder plugin <= 3.19.14 versions.
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doAppList/appCommandAnalysis of the file src/main/java/com/sohu/cache/web/controller/AppController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
ProjectPier 0.8.8 has stored XSS
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
An XSS issue was discovered in COINS Construction Cloud 11.12. Due to insufficient neutralization of user input in the description of a task, it is possible to store malicious JavaScript code in the task description. This is later executed when it is reflected back to the user.