Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodeBard CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.8 versions.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Cornel Raiu WP Search Analytics plugin <= 1.4.7 versions.
The YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Cross Site Scripting (XSS) vulnerability in username field in /WebContent/WEB-INF/lib/chatbox.jsp in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Video Grid plugin <= 1.21 versions.
Pagure before 5.6 allows XSS via the templates/blame.html blame view.
A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0.
Cross-site Scripting vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component) allows Reflected XSS.This issue affects Hitachi Ops Center Analyzer: from 10.9.1-00 before 10.9.2-00.
Cross Site Scripting vulnerability found in Exelysis Unified Communication Solutions (EUCS) v.1.0 allows a remote attacker to execute arbitrary code via the Username parameter of the eucsAdmin login form.
Cross Site Scripting (XSS) vulnerability in vogtmh cmaps (companymaps) 8.0 allows attackers to execute arbitrary code.
Cross-site Scripting (XSS) - Reflected in GitHub repository mkucej/i-librarian-free prior to 5.10.4.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.32.7212 versions.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oliva Expertise Oliva Expertise EKS allows Cross-Site Scripting (XSS).This issue affects Oliva Expertise EKS: before 1.2.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Alexey Golubnichenko AGP Font Awesome Collection plugin <= 3.2.4 versions.
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to XSS
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.
Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via a crafted payload to the X-Rewrite-URL parameter.
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14.
CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.
Cross Site Scripting (XSS) vulnerability in Qbian61 forum-java, allows attackers to inject arbitrary web script or HTML via editing the article content in the "article editor" page.
XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Phan Chuong IP Metaboxes plugin <= 2.1.1.
A vulnerability, which was classified as problematic, has been found in SourceCodester Students Online Internship Timesheet Syste 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_company. The manipulation of the argument name with the input <script>alert(document.cookie)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230204.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov XML for Google Merchant Center plugin <= 3.0.1 versions.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Email Subscription Popup plugin <= 1.2.16 versions.
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via the username, password, and language cookies parameter.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Jon Christopher CMS Tree Page View plugin <= 1.6.7 versions.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikola Loncar Easy Appointments allows Stored XSS.This issue affects Easy Appointments: from n/a through 3.10.7.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MagePeople Team WpBusTicketly plugin <= 5.2.5 versions.
A vulnerability, which was classified as problematic, was found in SourceCodester Local Service Search Engine Management System 1.0. This affects an unknown part of the file /admin/ajax.php?action=save_area of the component POST Parameter Handler. The manipulation of the argument area with the input <script>alert(document.cookie)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230349 was assigned to this vulnerability.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moyle Church Admin plugin <= 3.7.5 versions.
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Muffingroup Betheme theme <= 26.7.5 versions.
A vulnerability was found in SourceCodester Online Jewelry Store 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file customer.php of the component POST Parameter Handler. The manipulation of the argument Custid leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-229820.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Softmed SelfPatron allows Reflected XSS.This issue affects SelfPatron : before 2.0.
baserCMS is a website development framework with WebAPI that runs on PHP8 and CakePHP4. There is a XSS Vulnerability in Favorites Feature to baserCMS. This issue has been patched in version 4.8.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wishfulthemes Raise Mag, Wishfulthemes Wishful Blog themes allows Reflected XSS.This issue affects Raise Mag: from n/a through 1.0.7; Wishful Blog: from n/a through 2.0.1.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.
The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel.
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.
Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7 allow XSS.
Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]
Frappe is a full-stack web application framework. Prior to 14.99.14 and 15.94.0, an attacker could craft a malicious signup URL for a frappe site which could lead to an open redirect (or reflected XSS, depending on the crafted payload) when a user signs up. This vulnerability is fixed in 14.99.14 and 15.94.0.
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.
XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi.
The MailPoet plugin before 3.23.2 for WordPress allows remote attackers to inject arbitrary web script or HTML using extra parameters in the URL (Reflective Server-Side XSS).
A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16.1 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to the Login component.
OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues.