ShowDoc 2.4.1 has XSS via the lang parameter because install/database.php mishandles the $cur_lang value.
showdoc is vulnerable to URL Redirection to Untrusted Site
showdoc is vulnerable to URL Redirection to Untrusted Site
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team.
ShowDoc v1.8.0 has XSS via a new page.
Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4.
Stored XSS viva cshtm file upload in GitHub repository star7th/showdoc prior to v2.10.4.
Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.
Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4.
There is a Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in GitHub repository star7th/showdoc prior to 2.10.4.
Stored XSS via file upload in GitHub repository star7th/showdoc prior to v2.10.4.
Unrestricted Upload of File with Dangerous Type in GitHub repository star7th/showdoc prior to 2.10.4.
Stored XSS via File Upload in GitHub repository star7th/showdoc prior to 2.10.4.
Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to 2.10.4.
Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.10.4.
Stored XSS viva .webmv file upload in GitHub repository star7th/showdoc prior to 2.10.4.
Stored XSS viva axd and cshtml file upload in star7th/showdoc in GitHub repository star7th/showdoc prior to v2.10.4.
Stored XSS viva .webma file upload in GitHub repository star7th/showdoc prior to 2.10.4.
Stored XSS via File Upload in GitHub repository star7th/showdoc prior to v.2.10.4.
Stored XSS via File Upload in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.4.10.
Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4.
Stored XSS viva .ofd file upload in GitHub repository star7th/showdoc prior to 2.10.4.
Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2.
Unrestricted Upload of File with Dangerous Type in Packagist showdoc/showdoc prior to 2.10.2.
ShowDoc 2.8.3 ihas a file upload vulnerability, where attackers can use the vulnerability to obtain server permissions.
Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2.
Unrestricted File Upload in ShowDoc v2.9.5 allows remote attackers to execute arbitrary code via the 'file_url' parameter in the component AdminUpdateController.class.php'.
iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg() and remove_query_arg().
The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS.
Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium)
The LH Copy Media File plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.08. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Agustin Berasategui AB Categories Search Widget allows Reflected XSS.This issue affects AB Categories Search Widget: from n/a through 0.2.5.
The PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pdf_source' parameter in all versions up to, and including, 2.3.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions.
WebKit in Safari in Apple Mac OS X 10.4.11 and 10.5.1, iPhone 1.0 through 1.1.2, and iPod touch 1.1 through 1.1.2 allows remote attackers to "navigate the subframes of any other page," which can be leveraged to conduct cross-site scripting (XSS) attacks and obtain sensitive information.
The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The relevant plugin before 1.0.8 for WordPress has XSS.
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been declared as problematic. This vulnerability affects the function PageRenderHtmlByAlias of the file FrontendHandler.go. The manipulation of the argument alias leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.4.1 is able to address this issue. The patch is identified as 3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c. It is recommended to upgrade the affected component.
The two-factor-authentication plugin before 1.1.10 for WordPress has XSS in the admin area.
The WP Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters from 'timeline_obj' in all versions up to, and including, 10.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
2Checkout Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'type' to the /suggest URI.
The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php XSS.
Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg().
The simple-fields plugin before 1.4.11 for WordPress has XSS.
The BuddyPress Docs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The contact-form-plugin plugin before 3.96 for WordPress has XSS.