Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in BlueGlass Jobs for WordPress plugin <= 2.5.10.2 versions.
Auth. (admin+) vulnerability in Second2none Service Area Postcode Checker plugin <= 2.0.8 versions.
Auth. Stored Cross-Site Scripting (XSS) vulnerability in Mr.Vibe vSlider Multi Image Slider for WordPress plugin <= 4.1.2 versions.
A vulnerability was found in SourceCodester Human Resource Information System 1.0. It has been classified as problematic. Affected is an unknown function of the file Superadmin_Dashboard/process/addbranches_process.php. The manipulation of the argument branches_name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259584.
The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
The Loading Page with Loading Screen WordPress plugin before 1.0.83 does not escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in 9seeds.Com CPT – Speakers plugin <= 1.1 versions.
The AI Engine WordPress plugin before 1.6.83 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Multiple cross-site scripting (XSS) vulnerabilities in the Back End in Joomla! 1.5.x before 1.5.20 allow remote authenticated users to inject arbitrary web script or HTML via administrator screens.
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add a list" field under the "Import Emails" module.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Justin Saad Simple Tooltips plugin <= 2.1.4 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alex Benfica Publish to Schedule plugin <= 4.5.4 versions.
Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Noah Hearle, Design Extreme We’re Open! plugin <= 1.46 versions.
Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Denzel Chia | Phire Design Custom Login Page plugin <= 2.0 versions.
A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme" field.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in StreamWeasels Twitch Player plugin <= 2.1.0 versions.
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the module "Shop."
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Thom Stark Eyes Only: User Access Shortcode plugin <= 1.8.2 versions.
A vulnerability was found in SourceCodester Library Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_admin_details.php?id=admin. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
The Call Now Accessibility Button WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP-Buddy Google Analytics Opt-Out plugin <= 2.3.4 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay D'Souza Top 10 – Popular posts plugin for WordPress plugin <= 3.2.4 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tauhidul Alam Simple Portfolio Gallery plugin <= 0.1 versions.
Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer.
Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration" field.
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
A stored XSS vulnerability was found in Datenstrom Yellow 0.7.3 via an "Edit page" action. NOTE: the vendor disputes the relevance of this report because an installation accessible to untrusted users is supposed to have parserSafeMode=1 in system/config/config.ini to prevent XSS
Cross Site Scripting (XSS) vulnerability exists in PbootCMS v1.3.7 via the title parameter in the mod function in SingleController.php.
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in jinit9906 Shipyaari Shipping Management plugin <= 1.0 versions.
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Samuel Marshall JCH Optimize plugin <= 3.2.2 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in psicosi448 wp2syslog plugin <= 1.0.5 versions.
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
Persistent Cross-Site scripting vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow persistent XSS attack.
The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file.
_layouts/Upload.aspx in the Documents module in Microsoft SharePoint before 2010 uses URLs with the same hostname and port number for a web site's primary files and individual users' uploaded files (aka attachments), which allows remote authenticated users to leverage same-origin relationships and conduct cross-site scripting (XSS) attacks by uploading TXT files, a related issue to CVE-2008-5026. NOTE: the vendor disputes the significance of this issue, because cross-domain isolation can be implemented when needed.
Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
The Buy Me a Coffee WordPress plugin before 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Rigorous & Factory Pattern Dovetail plugin <= 1.2.13 versions.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Bon Plan Gratos Sticky Ad Bar plugin <= 1.3.1 versions.
Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,".
WebPort-v1.19.17121 is affected by Cross Site Scripting (XSS) on the "connections" feature.
Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote authenticated users to inject arbitrary web script or HTML via crafted Wiki content, related to lack of a charset field.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Podlove Podlove Subscribe button plugin <= 1.3.7 versions.