Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Â Requires a high privileged user with a developer role.
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an Stored XSS issue with profile.
Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with editing/rendering user html content.
Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.
Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags.
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation
Pega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description
Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
An XSS issue was discovered in Designer Studio in Pegasystems Pega Platform 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2, 7.2.1, and 7.2.2. A user with developer credentials can insert malicious code (up to 64 characters) into a text field in Designer Studio, after establishing context. Designer Studio is the developer workbench for Pega Platform. That XSS payload will execute when other developers visit the affected pages.
Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search.
Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page; or the (3) pyTableName to the System database schema modification page.
Pega Platform versions 7.2.1 to Infinity 24.2.1 are affected by an XSS issue with Mashup
Pega Platform versions 8.4.3 to Infinity 24.2.1 are affected by an XSS issue with Mashup
The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability.
The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript codes that are executed in users' browsers upon page load.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows an administrator to embed JavaScript code when configuring the name of a database to be monitored. This would be triggered when any authorized user logs into the DBSec interface and opens the properties configuration page for this database.
A flaw has been found in PHPGurukul Curfew e-Pass Management System 1.0. Impacted is an unknown function of the file view-pass-detail.php. This manipulation of the argument Fullname/Category causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used.
An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.
A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter
A vulnerability was detected in PHPGurukul Curfew e-Pass Management System 1.0. This issue affects some unknown processing of the file edit-category-detail.php. The manipulation of the argument catname results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page.This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19.
A security flaw has been discovered in Willow CMS up to 1.4.0. This issue affects some unknown processing of the file /admin/articles/add of the component Add Post Page. The manipulation of the argument title/body results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
A flaw has been found in PHPGurukul Curfew e-Pass Management System 1.0. The impacted element is an unknown function of the file admin-profile.php. Executing manipulation of the argument adminname/email can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used.
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (DSM extenstio configuration modules) allows Stored XSS to user with elevated privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.1, from 24.10.0 before 24.10.4, from 24.04.0 before 24.04.8.
A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. This manipulation of the argument Title causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link field.
A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" Parameter
A vulnerability has been found in 1000 Projects Bookstore Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file process_book_add.php of the component Add Book Page. The manipulation of the argument Book Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
A security flaw has been discovered in projectworlds Expense Management System 1.0. This affects an unknown function of the file /public/admin/roles/create of the component Roles Page. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be exploited.
A weakness has been identified in projectworlds Expense Management System 1.0. This impacts an unknown function of the file /public/admin/currencies/create of the component Currency Page. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.
Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through ‘/<admin_directory>/index.php’, affecting the ‘link’ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"
Combodo iTop is an open source web based IT Service Management tool. In affected versions there is a XSS vulnerability on "run query" page when logged as administrator. This has been resolved in versions 2.6.5 and 2.7.5.
A security vulnerability has been detected in projectworlds Expense Management System 1.0. Affected is an unknown function of the file /public/admin/expense_categories/create of the component Expense Categories Page. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the `rabbitmq_federation_management` plugin, its consumer tag was rendered without proper <script> tag sanitization. This potentially allows for JavaScript code execution in the context of the page. The user must be signed in and have elevated permissions (manage federation upstreams and policies) for this to occur. The vulnerability is patched in RabbitMQ 3.8.18. As a workaround, disable the `rabbitmq_federation_management` plugin and use [CLI tools](https://www.rabbitmq.com/cli.html) instead.