Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) <= 2.8.3
Authenticated (admin user role) Stored Cross-Site Scripting (XSS) in WP-Appbox (WordPress plugin) <= 4.3.20.
bookstack is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Easy Pricing Tables plugin <= 3.1.2 at WordPress.
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the customer name field (stored).
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress.
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmprop?id= (reflected).
A Stored Cross Site Scripting (XSS) vunerability exists in Sourcecodeste Vehicle Parking Management System affected version 1.0 is via the add-vehicle.php endpoint.
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions - 4.1, 4.2, allows an attacker with a non-administrative user account that can edit certain web page properties, can modify how a browser processes particular page elements, leading to stored Cross Site Scripting. In certain situations, when a user accesses an affected web page element, the attacker will be able to access or modify metadata for which they are not authorized.
Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 contains an undisclosed vulnerability that would allow an authenticated user to obtain elevated privileges. IBM X-Force ID: 134919.
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
Cross-site scripting vulnerability in Cybozu Garoon 4.10.3 to 5.0.1 allows attacker with administrator rights to inject an arbitrary script via unspecified vectors.
Cross Site Scripting (XSS) vulnerability in profile.php in phpgurukul Teacher Subject Allocation Management System 1.0 allows attackers to run arbitrary code via the 'adminname' and 'email' parameters.
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher user rights.
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137037.
PHP Scripts Mall Single Theater Booking has XSS via the admin/viewtheatre.php theatreid parameter.
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
Cross-site Scripting (XSS) vulnerability in Stylemix Directory Listings WordPress plugin – uListing allows Reflected XSS.This issue affects Directory Listings WordPress plugin – uListing: from n/a through 2.0.5.
Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable
The bulletin function of Flygo does not filter special characters while a new announcement is added. Remoter attackers can use the vulnerability with general user’s credential to inject JavaScript and execute stored XSS attacks.
Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Comment Engine Pro plugin (versions <= 1.0), could be exploited by users with Editor or higher role.
Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmlist?folder= (reflected).
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered in WordPress Backup Migration plugin <= 1.1.5 versions.
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS.
Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input.
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored).
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
Cross-site scripting (XSS) vulnerability in the Cakifo theme 1.x before 1.6.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via crafted Exif data.
MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in /clientes/visualizar, which allows remote attackers to inject arbitrary web script or HTML via a crafted description parameter.
Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Pricing Table (WordPress plugin) versions <= 1.5.2
Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager plugin <= 2.4.13 versions.
The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup.
Authenticated (editor or higher user role) Cross-Site Scripting (XSS) vulnerability in Web-Settler Testimonial Slider – Free Testimonials Slider Plugin (WordPress plugin) via parameters mpsp_posts_bg_color, mpsp_posts_description_color, mpsp_slide_nav_button_color.
IBM Jazz Reporting Service (JRS) 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 135523.
Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in WordPress Awesome Support plugin (versions <= 6.0.6), vulnerable parameters (&id, &assignee).
A File upload vulnerability in RiteCMS 3.0 allows a local attacker to upload a SVG file with XSS content.
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137038.
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Scott Reilly Get Custom Field Values plugin <= 4.0.1 versions.
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the line name (stored).
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /ipblacklist?errorip= (reflected).
A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user authorized to upload a malicious .svg file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger malicious OS commands on the server running the FileBrowser instance.
The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS.
Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the primary phone field (stored).